Buffer Overflow using GDB
https://www.gnu.org/software/gdb/
In the assignment, we were provided a binary file that had to be analyzed with GDB. The binary would be analyzed to look for a vulnerability that could be used to exploit the code to unlock the "HIDDEN" function. Below is an overview of the process..
The First step in this process was to launch GDB against the binary file and examine the functions. As you can see below, we probably want to examine main and tellAFunnyJoke. To be honest I did examine the frame dummy just to make sure It wasn’t what we needed.
I then examined the main function to see what was going on. A few things popped out. One was that “cafebabe” was being pushed to the stack and then the next instruction was calling the function "tellAFunnyJoke"
Next it was time to examine the “tellAFunnyJoke” function.
You notice in the first half of this function that there is a “gets” call at memory location 0x080484d9. We know that the “gets” call in c program is exploitable. So, we throw a break point at the memory address after the gets call as well as the in main function
Using the instructors example from class, I started the application in GDB with my break points.
Now I wanted to examine where the base pointer is at the gets function as well as examine our registers. EBP is located at F698.
Some interesting things are found while examining the registers. I locate my 4 “AAAA” and then locate the EBP down at the bottom. Another thing you can see is the “cafebabe” that was pushed onto the stack. If you count up the bytes, you get 153 bytes that it would take to overfill this buffer.
Stepping through the application and following what is going on you can see that instruction 080484e1 processes a compare between the base pointer and cafebabe then continues. Tracking this, the application skips the jne command after the compare and the application terminates as expected.
So now we see that we need 153 bytes of data to over flow the buffer. Running the application again by overflowing the buffer with data gives us a little different result.
Take note that in the register buffer has been overflowed by 153 “A’s”. You can still see the cafebabe that was pushed, but you notice that I added in an extra byte to manipulate the compare between the EBP and cafebabe.
You can see that stepping through instructions, the program successfully passes the compare statement and jumps to a new memory address 0x08048526 which now has another compare of the base pointer but with “deadbeef”. Continuing to step through, you realize this next compare statement doesn’t pass and the application continues its normal flow. This time a new error message is displayed.
Now we are close. Examining the compare at the address 0x08048526 we see that we no longer need cafebabe, but that the compare is looking for deadbeef to jump to a new instruction.
So using the python code example tested out in class, the exploit needed is to inject 153 bytes of data with deadbeef to pass the compare statement at address 0x08048526. In doing so we have success and achieve the assignment result.
Exploit Code
python -c "print('A'*153 + '\xef\xbe\xad\xde')" | ./tellMeAJoke
Thanks for reading!!!
Comments
Post a Comment