in these days I'm studying the buffer overflow technique and I'm trying to make a simple example on my own in order to better understand how to exploit such a vulnerability.
I've wrote this simple c program :
//bof.c
#include <stdio.h>
#include <string.h>
void
BOF() {
printf("BOF");
}
void
foo1(char* argv){
char buff[10];
strcpy(buff, argv);
printf("foo1");
}
int
main(int argc, char* argv[])
{
if ( argc < 1 ) {
return 0;
}
foo1(argv[1]);
return 0;
}
My goal here is to leverage the BOF vulnerability, in order to jump to the uncalled function BOF(), printing thus the message. In order to do so I have:
- compiled the program: gcc -ggdb -m64 -o bof.o -fno-stack-protector -mpreferred-stack-boundary=4 bof.c
- discovered the BOF() address: objdump -d bof.o | grep BOF (which gives me 0000000000400544)
- executed the program within gdb in order to see what happen in the registers
Inside gdb I do:
r perl -e 'print "\x44\x05\x40\x00\x00\x00\x00\x00" x1500', but nothing happens. The program ends normally. So I put a breakpoint immediately after the strcpy function in order to look at the register, and what I receive is:
rax 0x7ffffffeca20 140737488276000
rbx 0x0 0
rcx 0x7ffff7ab1f00 140737348574976
rdx 0x400544 4195652
rsi 0x7fffffffb8cd 140737488337101
rdi 0x7ffffffeca20 140737488276000
rbp 0x7ffffffeca30 0x7ffffffeca30
rsp 0x7ffffffeca10 0x7ffffffeca10
r8 0x400660 4195936
r9 0x7ffff7de9740 140737351948096
r10 0x7ffffffec7a0 140737488275360
r11 0x7ffff7b8fec0 140737349484224
r12 0x400460 4195424
r13 0x7ffffffecb30 140737488276272
r14 0x0 0
r15 0x0 0
rip 0x40057b 0x40057b <foo1+31>
eflags 0x206 [ PF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
Why the registers are not being overwritten? I tried to change the 1500 parameter in a more big value, but nothing changed. I also tried with little values (like 50 or less), but I got the same result.
I also tried to write in the stack something different than an address, just to see whether the register were being overwritten or not. For example with perl -e 'print "A" x1500', I was able only to modify the rbp register and not the rip. But I found by reading a thread on this site, that on gdb this may happen, and to try with a valid address. So I did.
What I'm doing wrong? Is it possible that BOF is not more feasible in nowadays kernels?
Before I forget: I also removed the gdb limit elements in order to remove the elements limit, with: set print elements 0
Finally, like have you maybe figured out looking at the registers, I have a 64 bit machine with ubuntu 12.04 (kernel version 3.5.0-39-generic).
Thanks in advance.
There are security in the kernet that avoid basic buffer overflow.
You can try damn vulnerable linux to pratice buffer overflow
Or you can disable these protections on your pc look at that