I am trying to do a little exercise where I have an application that opens at a port, people can connect to it either with Telnet or Ncat, and they send a string that will overflow a buffer with the strcpy function. At the moment, the application runs and serves at the port that I want and I can send information without any problem. The problem happens when I try to overflow the EIP with the string, it just doesn't happen.
I won't post the whole code because it is really, really big; I will put only the relevant part:
```c
do {
    /* read whatever the client sent into recvbuf (at most recvbuflen bytes) */
    iResult = recv(ClientSocket, recvbuf, recvbuflen, 0);
    if (iResult > 0) {
        printf("Bytes received: %d\n", iResult);
        char buffer[250];
        /* deliberately unbounded copy: this is the overflow being exercised */
        strcpy(buffer, recvbuf);
    }
    else if (iResult == 0)
        printf("Connection closing...\n");
    else {
        printf("recv failed with error: %d\n", WSAGetLastError());
        closesocket(ClientSocket);
        WSACleanup();
        return 1;
    }
} while (iResult > 0);
```
As you can see, I receive the iResult, check if it is bigger than zero, and then I transfer the recvbuf, which is the string that I've received, into the buffer in order to overflow it. I have this solution working and overflowing the buffer in code that doesn't have this TCP logic; however, it doesn't overflow the EIP when I have the same logic with the TCP.
To compile my code into an executable I am using:
```
i686-w64-mingw32-gcc -o test.exe program.c -lws2_32 -fno-stack-protector
```
which removes the stack protection, and I did this to remove ASLR:

```
sudo echo 0 > /proc/sys/kernel/randomize_va_space
```
I assume that I am doing something wrong with TCP, and I am not able to overflow the buffer, let alone the EIP.
Do you guys have any idea why I can't overflow the buffer with the TCP solution?
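For contrast with the loop posted above, here is an added example (not from the question or its answer) showing the same unbounded `strcpy()` pattern next to a bounded copy that uses the byte count `recv()` returns instead of trusting a terminator. It assumes no sockets at all: the "received" data is a constructed byte array, so it runs offline with a plain C compiler; `BUFFER_SIZE`, `copy_unbounded`, `copy_bounded` and the two `demo_*` functions are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUFFER_SIZE 250   /* same size as the stack buffer in the question */

/* Mirrors the posted pattern: strcpy() knows nothing about sizeof(buffer) and
 * also relies on a NUL that recv() never adds, so any message of BUFFER_SIZE
 * bytes or more walks past the end of the stack frame. Kept only for contrast;
 * it must never be given untrusted data. */
size_t copy_unbounded(const char *recvbuf) {
    char buffer[BUFFER_SIZE];
    strcpy(buffer, recvbuf);              /* no bound: the defect under discussion */
    return strlen(buffer);
}

/* Hardened form: copy at most sizeof(buffer)-1 of the n_received bytes that
 * recv() actually returned, always NUL-terminate, and report truncation so the
 * caller can log or reject the message instead of silently processing a cut
 * one. Returns the number of payload bytes kept. */
size_t copy_bounded(const char *recvbuf, size_t n_received, int *truncated) {
    char buffer[BUFFER_SIZE];
    size_t n = n_received;
    *truncated = 0;
    if (n > sizeof(buffer) - 1) {         /* leave room for the terminator */
        n = sizeof(buffer) - 1;
        *truncated = 1;
    }
    memcpy(buffer, recvbuf, n);           /* bounded by n, not by a NUL search */
    buffer[n] = '\0';
    return n;
}

/* Constructed sample: a 300-byte message with no terminator, i.e. longer than
 * the 250-byte buffer. Returns 1 when the bounded copy kept 249 bytes and
 * flagged truncation. */
int demo_oversized_message(void) {
    static char msg[300];
    int truncated = 0;
    size_t kept;
    memset(msg, 'A', sizeof(msg));
    kept = copy_bounded(msg, sizeof(msg), &truncated);
    return truncated == 1 && kept == BUFFER_SIZE - 1;
}

/* Constructed sample: a short message that fits. Returns 1 when nothing was
 * truncated and all 5 bytes were kept. */
int demo_short_message(void) {
    const char msg[] = "hello";
    int truncated = 0;
    size_t kept = copy_bounded(msg, sizeof(msg) - 1, &truncated);
    return truncated == 0 && kept == 5;
}

int main(void) {
    printf("oversized message handled safely: %d\n", demo_oversized_message());
    printf("short message kept intact:         %d\n", demo_short_message());
    return 0;
}
```

The point of `copy_bounded` is that the bound comes from what the socket layer reported (`iResult` in the question's loop), not from scanning for a NUL that `recv()` does not write; in a real server the `truncated` flag is what you would log or turn into a protocol error rather than dropping it on the floor.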
I solved the problem, and now I know why it didn't overflow.
The overflow takes effect when a function finishes and fetches the stored (but overwritten) return address to go back to main, in this case. It is the easiest way to reproduce a buffer overflow.
I changed the code to have this.
And then I call it here:
I actually found the solution here: https://security.stackexchange.com/questions/166279/cannot-overwrite-eip-in-basic-exploitation-example