C Buffer Overflow - Receive string from TCP to Overflow the Buffer


I am trying to do a little exercise where I have an application that opens at a port, people can connect to it either with Telnet or Ncat, and they send a string that will overflow a buffer with the strcpy function. At the moment, the application runs and serves at the port that I want and I can send information without any problem. The problem happens when I try to overflow the EIP with the string, it just doesn't happen.

I won't post the whole code because it is really really big, I will put only the relevant part:

do {

    iResult = recv(ClientSocket, recvbuf, recvbuflen, 0);
    if (iResult > 0) {
        printf("Bytes received: %d\n", iResult);

        char buffer[250];

        strcpy(buffer, recvbuf);

    }
    else if (iResult == 0)
        printf("Connection closing...\n");
    else {
        printf("recv failed with error: %d\n", WSAGetLastError());
        closesocket(ClientSocket);
        WSACleanup();
        return 1;
    }

} while (iResult > 0);

As you can see, I receive the iResult, check if it is bigger than zero, and then I transfer the recvbuf, which is the string that I've received, into the buffer in order to overflow it. I have this solution working and overflowing the buffer in code that doesn't have this TCP logic; however, it doesn't overflow the EIP when I have the same logic with the TCP.

To compile my code into an executable I am using:

i686-w64-mingw32-gcc -o test.exe program.c -lws2_32 -fno-stack-protector

which removes the stack protection, and I ran

sudo echo 0 > /proc/sys/kernel/randomize_va_space

to remove ASLR.

I assume that I am doing something wrong with TCP, and I am not able to overflow the buffer, let alone the EIP.

Do you guys have any idea why I can't overflow the Buffer with the TCP Solution?

Answer:

I solved the problem, and now I know why it didn't overflow.

The overflow takes effect when a function finishes and fetches the stored (but overwritten) return address to go back to main, in this case. It is the easiest way to reproduce a Buffer Overflow.

I changed the code to have this.

void vuln(char* arg) {
    char buffer[500];        /* fixed-size stack buffer */
    strcpy(buffer, arg);     /* unbounded copy: deliberately overflowable */
}

And then I call it here:

do {

    iResult = recv(ClientSocket, recvbuf, recvbuflen, 0);
    if (iResult > 0) {
        printf("Bytes received: %d\n", iResult);

        vuln(recvbuf);   /* copy happens inside a callee, so its return address is on the stack */

    }
    else if (iResult == 0)
        printf("Connection closing...\n");
    else {
        printf("recv failed with error: %d\n", WSAGetLastError());
        closesocket(ClientSocket);
        WSACleanup();
        return 1;
    }

} while (iResult > 0);

Actually found the solution here: https://security.stackexchange.com/questions/166279/cannot-overwrite-eip-in-basic-exploitation-example
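For contrast with the deliberately vulnerable vuln() above, here is the hardened form of the same receive-and-copy step. This is an added example, not code from the question or the answer: it keeps the 500-byte stack array but uses the byte count that recv() returned (iResult in the post, which strcpy() ignored) to bound the copy and to NUL-terminate the result, so an oversized message is rejected rather than reaching the saved return address. It also fixes a second defect in the original: recv() does not NUL-terminate recvbuf, so strcpy() on it can read past the received bytes. The sockets are replaced by constructed messages so the program runs offline; copy_bounded, safe_vuln, feed_constructed and kept_length are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX 500  /* same capacity as the answer's vuln() buffer */

/*
 * Hardened counterpart of vuln(). 'len' is the byte count recv() returned
 * (iResult in the post). Copies at most out_size-1 bytes, always writes a
 * terminating NUL inside the array, and reports whether the whole message
 * fit. Returns 0 on success, -1 if the message was truncated.
 */
int copy_bounded(const char *data, size_t len, char *out, size_t out_size)
{
    if (out_size == 0)
        return -1;
    size_t n = len < out_size - 1 ? len : out_size - 1;
    memcpy(out, data, n);
    out[n] = '\0';          /* never written past the end of 'out' */
    return n == len ? 0 : -1;
}

/* Drop-in replacement for the post's vuln(recvbuf): same stack array,
 * but the copy can no longer reach the saved return address. A message
 * that does not fit is rejected instead of silently truncated. */
int safe_vuln(const char *arg, size_t len)
{
    char buffer[LINE_MAX];
    if (copy_bounded(arg, len, buffer, sizeof buffer) != 0) {
        fprintf(stderr, "rejecting %zu-byte message (limit %zu)\n",
                len, sizeof buffer - 1);
        return -1;
    }
    printf("accepted: %s\n", buffer);   /* real handling would go here */
    return 0;
}

/* Constructed input: a message of n 'A' bytes stands in for whatever a
 * client would send over the socket. Returns safe_vuln()'s verdict. */
int feed_constructed(size_t n)
{
    char *msg = malloc(n + 1);
    if (!msg)
        return -2;
    memset(msg, 'A', n);
    msg[n] = '\0';
    int rc = safe_vuln(msg, n);
    free(msg);
    return rc;
}

/* How many bytes copy_bounded() keeps from an n-byte constructed message. */
size_t kept_length(size_t n)
{
    char out[LINE_MAX];
    char *msg = malloc(n + 1);
    if (!msg)
        return 0;
    memset(msg, 'A', n);
    msg[n] = '\0';
    copy_bounded(msg, n, out, sizeof out);
    size_t kept = strlen(out);
    free(msg);
    return kept;
}

int main(void)
{
    feed_constructed(10);    /* accepted */
    feed_constructed(499);   /* largest message that still fits */
    feed_constructed(600);   /* rejected instead of overflowing */
    return 0;
}
```

In the post's loop this replaces `vuln(recvbuf);` with `safe_vuln(recvbuf, (size_t)iResult);`. The exercise intentionally compiles with -fno-stack-protector; production builds would keep the default protector (or -fstack-protector-strong) as a second layer, but the length check is what actually removes the bug.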