Still having trouble determining what is needed to insert the memory address of smoke(). Could use some direction on this.... :(
Starting this Buffer Overflow assignment and I'm not really sure how to proceed. Figure I could just use a kick in the right direction. Here is what I've been given:
Also I tried stepping through the code from the very beginning but I kept getting this error
(gdb) s
Single stepping until exit from function __libc_start_main,
which has no line number information.
Warning:
Cannot insert breakpoint 4.
Error accessing memory address 0x19: Input/output error.
I'm not sure what it means.
I know that I need to inject a string somewhere but I don't really understand how to do this or even figure out what the string needs to be....Any Help would be great. Thanks.
The assignment very clearly describes what it is you need to do.
But let's see :
>> Your task is to get bufbomb to execute the code for smoke() when getbuf() executes its return statement, rather than returning to test().
How does the code decide where to return to at the end of the function?
How can you influence that decision?
I can't figure out where on the stack I would need to have the call to smoke() overflow onto. I know it's right before getbuf() returns to test but I can't figure out how to take the memory address of smoke and then enter the correct number of bytes to overflow. Am I entering hex numbers followed by the memory location 0x08048d90 for smoke()? And it looks like I would need to insert it at 0x24 on the stack no? I feel like I'm missing something....
>> Would it be best to just set a breakpoint at the beginning of the program at main and then just use step from there? Or would it be better to set a break point at test() and step from there?
Depends how much stepping you want to do, as well as how deep down you want to observe the changes to the stack.
>> The backtrace command I found to look at the stack isn't really providing me with any information at all.
The backtrace only lists the different stack frames currently on the stack. What you want to know is the actual stack layout - ie. all the data on the stack, including function parameters, return addresses and local variables.
%esp is a register. You can display its contents simply by:
print $sp
or:
p/x $sp
or as you say by using 'info registers'.
Furthermore, you can get a single 32-bit value (shown in hexadecimal) at the top of the stack using:
x/1xw $sp
('1' is the number of values you want to see, 'x' is the format, which is hexadecimal in this case, and 'w' says we want to see words, i.e. 32-bit values)
or if you want to see more from the top of the stack, e.g. 4:
x/4xw $sp
Refer to the gdb documentation for more information, and more options:
http://sourceware.org/gdb/
I'm still not sure what I need to be looking for in the registers, or how to even tell how many bytes I would need to overflow by. It looks like the call to smoke() would be injected into eax here?
0x08048f51 <getbuf+17>: mov $0x1,%eax
I mean I understand the buffer overflow concept that I need to insert x amount of characters followed by the memory location of smoke(). I don't know where to go from there though, and stepping through the program isn't helping me because I'm not sure what I need to be watching for.
>> I'm still not sure what I need to be looking for in the registers
The only register you need now is the esp register ... the register that points to the top of the stack.
Starting from that address, you can analyze the contents of the stack, and see if you can locate the buffer, return address, etc.
I suggest, you step through the code in the debugger, and at each step you look at the stack contents (the way I showed earlier), and you notice the differences.
>> How would I tell where on the stack esp is pointing when I reach the return in getbuf()?
esp is ALWAYS pointing to the top of the stack.
Just step through the code, and at every step, take note of the stack contents ... See what changes, and draw your conclusions from that.
You do know what the stack is, don't you?
http://en.wikipedia.org/wi
>> how do I know what register the return value is stored?
Are you talking about the return address? If so, that is not stored in a register - it is stored on the stack (one for each stack frame).
Or are you talking about the function return value? If so, that depends on the calling convention used, and the kind of data returned, but you can usually find it in the eax register. It's not relevant to what you need to do though.
You can cross-reference between the stack contents you get from the x/nfu's, and the output of the 'frame' and 'info frame x' (where x is the frame number) gdb functions. Just match the values from the frames with the stack memory dump.
For an idea of the layout of the stack, refer back to the wiki I posted earlier:
http://en.wikipedia.org/wi
Okay so I've been looking over this stuff and here is what I think things are; correct me if I'm wrong.
(gdb) info frame
Stack level 0, frame at 0xbfffb430:
eip = 0x8048f57 in getbuf; saved eip 0x8049056
called by frame at 0xbfffea00
Arglist at 0xbfffb428, args:
Locals at 0xbfffb428, Previous frame's sp is 0xbfffb430
Saved registers:
ebp at 0xbfffb428, eip at 0xbfffb42c
(gdb) frame 0
>>Locals at 0xbfffb428
Local variables stored here?
>> Saved registers:
>> ebp at 0xbfffb428, eip at 0xbfffb42c
Return address is ebp?
Assuming I am correct, I still do not understand how I would determine the string I would have to enter to cause the overflow to reach where the return address is stored and replace it with smoke()'s address. I know it needs to be x amount of bytes but how would I determine that? I figured out I can get byte information using the x/4b address command but I'm not sure what to do with it to get the answer...help? lol
>> >>Locals at 0xbfffb428
>> Local variables stored here?
Yes, they are inside the stack frame.
>> >> Saved registers:
>> >> ebp at 0xbfffb428, eip at 0xbfffb42c
>> Return address is ebp?
ebp is the base pointer. This saved value points to the previous stack frame.
The return address is pushed on the stack by the 'call' instruction. With gdb, you can see what happens when stepping over that instruction.
>> I know it needs to be x amount of bytes but how would I determine that?
By looking on the stack at how far your buffer is from the return address.
So looking from the call to getbuf from test would tell me where on the stack return is initially located? Is return stored as a register or memory address on the stack? I'm not sure what return would look like on the stack or what it would be under when I use info frame. I know where conceptually it is on the stack from your link http://en.wikipedia.org/wi
>> So looking from the call to getbuf from test would tell me where on the stack return is initially located?
If you run the code in gdb, and look at the difference of the stack contents before and after the call getbuf instruction, you'll see where the return address is saved, and what it is.
>> Is return stored as a register or memory address on the stack?
You can't store a register on the stack, only values. What you're looking for is an address.
>> I'm not sure what return would look like on the stack or what it would be under when I use info frame.
Don't use info frame - use the x command instead to show the complete and precise contents of the stack.
I must not be utilizing the x command in the correct way then. Should I not be using it like this?
x/4b address
or
x/4xw address
Depending on which I use I get 4 byte numbers or what looks like 4 hexadecimal addresses. Neither of which look to me like the stack. Is using the x command only going to show me part of the stack? Or should I be able to see the entire stack using it?
Okay maybe this will help if you can explain what I'm looking at when I use this command and given this example:
(gdb) x/4xw 0x08048f79
0x8048f79 <test+25>: 0xffffc2e8 0x8bc289ff 0xef3dfc45 0x74deadbe
What exactly am I looking at here? It looks like the 4th one has had an overflow of what contained dead beef. Other than that I don't get what I'm looking at.
>> Neither of which look to me like the stack.
What should the stack look like then?
The stack is just a region in memory that contains data. You can display the contents of the stack by displaying those data values from that region of memory.
>> Is using the x command only going to show me part of the stack?
The x command is used to examine the value at a certain memory address. If you use a memory address that is inside the stack, then you'll show a value that is on the stack.
>> (gdb) x/4xw 0x08048f79
>> 0x8048f79 <test+25>: 0xffffc2e8 0x8bc289ff 0xef3dfc45 0x74deadbe
First of all, get aligned 32-bit values, i.e. use addresses that are a multiple of 4 (0x08048f8 e.g.).
Second, use an address that is inside the stack (like the stack pointer for example). You'll start seeing some familiar values.
How do I know if it's on the stack then? The address that is. I feel like my problem is not being able to recognize the stack and stuff in it when I see it. I understand what it looks like in diagrams and figures and what not but translating that into what it looks like through code/debugger or whatever isn't clicking. Do you have any examples or something I just need some kind of idea on what I'm looking for looks like.
>> How do I know if it's on the stack then? The address that is.
As I said (http:#25709275 for example): use the stack pointer (esp).
x/4xw $sp
for example shows the 4 32-bit values at the top of the stack.
Okay I THINK I've got at least the location to which I need to overflow to. Is the location of 0xdeadbeef where I need to insert the address for smoke?
(gdb) x/32xw $sp
0xbfffb40c: 0x08048f7e 0x00000003 0x008584c0 0x08049983
0xbfffb41c: 0xbfffb434 0xbfffb434 0xdeadbeef 0xbfffe9f8
0xbfffb42c: 0x08049056 0x08049983 0x000000f4 0x00003560
0xbfffb43c: 0x00000000 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0xbfffb44c: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0xbfffb45c: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0xbfffb46c: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0xbfffb47c: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
(gdb)
EDIT: I don't know what happened to the text I just posted here it is again.
Your exploit strings will typically contain byte values that do not correspond to the ASCII values for printing characters. The program sendstring can help you generate these raw strings. It takes as input a hex-formatted string. In this format, each byte value is represented by two hex digits. For example, the string 012345 could be entered in hex format as 30 31 32 33 34 35. (Recall that the ASCII code for decimal digit x is 0x3x.) Non-hex digit characters are ignored, including the blanks in the example shown.
Never mind about deadbeef being the return address. The first thing pushed onto the stack once a function is called is the return address, correct? If so then:
Breakpoint 1, 0x08048f79 in test ()
(gdb) x/32xw $sp
0xbfffb410: 0x00000003 0x008584c0 0x08049983 0xbfffb434
0xbfffb420: 0xbfffb434 0xdeadbeef 0xbfffe9f8 0x08049056
0xbfffb430: 0x08049983 0x000000f4 0x00003560 0x00000000
is what the stack looks like before the call to getbuf and
0xbfffb40c: 0x08048f7e 0x00000003 0x008584c0 0x08049983
0xbfffb41c: 0xbfffb434 0xbfffb434 0xdeadbeef 0xbfffe9f8
0xbfffb42c: 0x08049056 0x08049983 0x000000f4 0x00003560
0xbfffb43c: 0x00000000
is what the stack looks like once getbuf is entered and the first thing to change is a push of 0x08048f7e onto the top of the stack which should be the return address! Right? Hope so. If it is where do I go from here....
>> Is the location of 0xdeadbeef where I need to insert the address for smoke?
You'll notice that 0xdeadbeef is a local variable in the test function.
If you look at the start of the test function, you see:
>> 0x08048f60 <test+0>: push %ebp
the previous base pointer (ebp) is pushed onto the stack.
>> 0x08048f61 <test+1>: mov %esp,%ebp
Doesn't impact the stack.
>> 0x08048f63 <test+3>: sub $0x18,%esp
adds room for 6 local 32-bit values on the stack.
>> 0x08048f66 <test+6>: movl $0xdeadbeef,0xfffffffc(%eb
places the value 0xdeadbeef in the first one of those 6 32-bit values.
So, you should have this on the stack (stack growing up):
local variable : ???
local variable : ???
local variable : ???
local variable : ???
local variable : ???
local variable : 0xdeadbeef
saved ebp
return address
...
Can you see what's what now?
>> Never mind about deadbeef being the return address. The first thing pushed onto the stack once a function is called is the return address, correct?
That's right. At the moment of the call instruction, the return address is pushed on the stack, and then the instructions of the function are executed one by one.
>> is what the stack looks like once getbuf is entered and the first thing to change is a push of 0x08048f7e onto the top of the stack which should be the return address! Right?
That's correct. You'll notice that 0x08048f7e is the address of the instruction right after the call getbuf instruction:
>> 0x08048f79 <test+25>: call 0x8048f40 <getbuf>
>> 0x08048f7e <test+30>: mov %eax,%edx
>> If it is where do I go from here....
Now, you have to find where the buffer is placed on the stack. Once you have its location, you know how far you have to overflow the buffer to overwrite the return address.
>> and to find where the buffer is at I should step through the code to the return in getbuf?
You should step through the code to where the buffer is used.
getbuf calls Gets internally, which takes a string as input from the user, and places it at the address 0xfffffff4(%ebp), since that's what's being passed as parameter to Gets.
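The expert's method above (dump the stack before and after the call, spot the pushed return address, then read the frame off the standard prologue) can be automated. The following is an added example written for this thread, not the asker's or the expert's code and not part of the lab: it parses `x/Nxw`-style gdb output, diffs two dumps, and labels a frame relative to %ebp assuming the usual 32-bit `push %ebp; mov %esp,%ebp; sub $N,%esp` prologue that the posted disassembly of test shows. The two dumps embedded below are the ones the asker posted for test just before and just after `call getbuf`; the `%ebp` value 0xbfffb428 and frame size 0x18 are likewise taken from the thread.

```python
"""Parse gdb `x/Nxw` stack dumps, diff them, and label one frame relative to %ebp.

Added example for the thread above (not the asker's or the expert's code).
Assumes the standard 32-bit prologue `push %ebp; mov %esp,%ebp; sub $N,%esp`.
"""
import re

# Sample input copied from the thread: test's stack just before `call getbuf` ...
BEFORE_CALL = """\
0xbfffb410: 0x00000003 0x008584c0 0x08049983 0xbfffb434
0xbfffb420: 0xbfffb434 0xdeadbeef 0xbfffe9f8 0x08049056
0xbfffb430: 0x08049983 0x000000f4 0x00003560 0x00000000
"""
# ... and right after getbuf has been entered.
AFTER_CALL = """\
0xbfffb40c: 0x08048f7e 0x00000003 0x008584c0 0x08049983
0xbfffb41c: 0xbfffb434 0xbfffb434 0xdeadbeef 0xbfffe9f8
0xbfffb42c: 0x08049056 0x08049983 0x000000f4 0x00003560
0xbfffb43c: 0x00000000
"""

# Matches "0xbfffb410:" as well as "0x8048f79 <test+25>:" line prefixes.
LINE_RE = re.compile(r"^\s*(0x[0-9a-f]+)\s*(?:<[^>]*>)?:\s*(.*)$", re.IGNORECASE)
WORD = 4  # `x/...w` prints 32-bit words


def parse_dump(text):
    """Map every word's address to its value. gdb prints only the address of
    the first word on each line; the remaining words are consecutive slots."""
    words = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # skips prompts such as "(gdb)" or "Continuing."
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + i * WORD] = int(tok, 16)
    return words


def diff_dumps(before, after):
    """Slots whose value changed, or that exist in only one dump:
    {address: (old_or_None, new_or_None)}."""
    return {
        a: (before.get(a), after.get(a))
        for a in sorted(set(before) | set(after))
        if before.get(a) != after.get(a)
    }


def find_value(words, value):
    """Every stack address currently holding `value` (e.g. a code address)."""
    return [a for a, v in sorted(words.items()) if v == value]


def label_frame(words, ebp, frame_bytes):
    """Name the slots of one frame: locals below %ebp (lowest address first),
    the saved %ebp at %ebp, the return address at %ebp+4.
    `frame_bytes` is the operand of the prologue's `sub $N,%esp`."""
    layout = [(off, words.get(ebp + off), "local variable")
              for off in range(-frame_bytes, 0, WORD)]
    layout.append((0, words.get(ebp), "saved ebp"))
    layout.append((WORD, words.get(ebp + WORD), "return address"))
    return layout


def frame_distance(buffer_addr, ebp):
    """Bytes from the start of a buffer in a frame to that frame's return
    address slot, i.e. the distance the expert says to measure on the stack."""
    return (ebp + WORD) - buffer_addr


if __name__ == "__main__":
    before, after = parse_dump(BEFORE_CALL), parse_dump(AFTER_CALL)
    for addr, (old, new) in diff_dumps(before, after).items():
        print(f"{addr:#010x}: {old} -> {new:#010x}")        # the pushed return address
    for off, val, role in label_frame(after, ebp=0xBFFFB428, frame_bytes=0x18):
        print(f"{off:+3d}(%ebp) {val:#010x}  {role}")
```

Running it shows a single difference between the two dumps, the new word 0x08048f7e at 0xbfffb40c (the address after `call getbuf`), and labels test's frame exactly as the expert drew it: five unknown locals, 0xdeadbeef at -4(%ebp), the saved ebp 0xbfffe9f8, then the return address 0x08049056. The same `label_frame` call with getbuf's own %ebp and frame size describes getbuf's frame once you have read those off its prologue.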
Okay so the string I entered was test and here is what I have. It seems the string was entered after 0x0804a108 and I need smoke() to be at 0x08048f7e. How do I determine what I need to enter from this? Do I need to convert the four addresses to bytes and pass the bytes as the string?
(gdb) x/32xw $sp
0xbfffb3f0: 0xbfffb3fc 0x00000000 0x0804a108 0xbfffb434
0xbfffb400: 0x00857ff4 0x00000003 0xbfffb428 0x08048f7e
0xbfffb410: 0x00000003 0x008584c0 0x08049983 0xbfffb434
0xbfffb420: 0xbfffb434 0xdeadbeef 0xbfffe9f8 0x08049056
0xbfffb430: 0x08049983 0x000000f4 0x00003560 0x00000000
0xbfffb440: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0xbfffb450: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0xbfffb460: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
(gdb) c
Continuing.
Type string:test
Breakpoint 2, 0x08048f51 in getbuf ()
(gdb) x/32xw $sp
0xbfffb3f0: 0xbfffb3fc 0x00000000 0x0804a108 0x74736574
0xbfffb400: 0x00857f00 0x00000003 0xbfffb428 0x08048f7e
0xbfffb410: 0x00000003 0x008584c0 0x08049983 0xbfffb434
0xbfffb420: 0xbfffb434 0xdeadbeef 0xbfffe9f8 0x08049056
0xbfffb430: 0x08049983 0x000000f4 0x00003560 0x00000000
0xbfffb440: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0xbfffb450: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0xbfffb460: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
(gdb)
Okay I tried the x/32b command to get the numbers to match against the chart but I have a couple extra lines...what are they used for?
(gdb) x/32b $sp
0xbfffb3f0: 0xfc 0xb3 0xff 0xbf 0x00 0x00 0x00 0x00
0xbfffb3f8: 0x08 0xa1 0x04 0x08 0x34 0xb4 0xff 0xbf
0xbfffb400: 0xf4 0x7f 0x85 0x00 0x03 0x00 0x00 0x00
0xbfffb408: 0x28 0xb4 0xff 0xbf 0x7e 0x8f 0x04 0x08
(gdb)
Any chance you would care to help me out with phase 1 I've started another question here:
http://www.experts-exchang
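Two things in this thread are easy to get wrong by hand: the hex-formatted input described in the quoted assignment excerpt (two hex digits per byte, everything else ignored) and the way `x/32b` prints the same memory as `x/32xw`, byte by byte in little-endian order, so the word 0x74736574 is the bytes 74 65 73 74, i.e. "test". The following is an added example, not the lab's sendstring program or anyone's code from the thread; it decodes and encodes that hex format, rejects an odd digit count instead of silently dropping a nibble, and converts a 32-bit word to the byte order `x/Nb` shows.

```python
"""Hex-formatted strings and little-endian word views, as an added example.

Not the lab's sendstring tool; written for the thread above. Format rule from
the excerpt: each byte is two hex digits and non-hex characters are ignored.
"""
import string

HEX_DIGITS = frozenset(string.hexdigits)
WORD = 4  # 32-bit words, as shown by `x/Nxw`


def decode_hex_string(text):
    """Raw bytes for a hex-formatted string such as '30 31 32 33 34 35'.
    Blanks, dashes, newlines or any other non-hex character are ignored; an
    odd number of hex digits is an error rather than a silently truncated byte."""
    digits = "".join(ch for ch in text if ch in HEX_DIGITS)
    if len(digits) % 2:
        raise ValueError(f"odd number of hex digits ({len(digits)}): last byte is incomplete")
    return bytes.fromhex(digits)


def encode_hex_string(data):
    """Inverse of decode_hex_string: two lowercase hex digits per byte, blank separated."""
    return " ".join(f"{b:02x}" for b in data)


def word_to_bytes(word):
    """The bytes of one 32-bit word in memory order on a little-endian x86,
    which is the order `x/Nb` prints them (lowest byte at the lowest address)."""
    return word.to_bytes(WORD, "little")


def bytes_to_word(data):
    """Rebuild the 32-bit word that `x/Nxw` would show for four memory bytes."""
    if len(data) != WORD:
        raise ValueError(f"need exactly {WORD} bytes, got {len(data)}")
    return int.from_bytes(data, "little")


if __name__ == "__main__":
    print(decode_hex_string("30 31 32 33 34 35"))      # b'012345', the excerpt's example
    print(word_to_bytes(0x74736574))                   # b'test', the typed string in the dump
    print(encode_hex_string(word_to_bytes(0xBFFFB3FC)))  # fc b3 ff bf, as x/32b showed it
```

The `bytes_to_word` direction is what the asker was doing by eye when matching the `x/32b` lines against the `x/32xw` chart: the first four bytes `0xfc 0xb3 0xff 0xbf` regroup to 0xbfffb3fc, and every further group of four is the next word of the same dump.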
by: purewin, posted on 2009-10-31 at 00:47:53, ID: 25708809
Okay so I've figured out that I need to overflow the buffer of 15 characters and then add the address of smoke() at the end correct?
I can't seem to figure out how to get it to work though I keep getting a segmentation fault. Not sure what that means either. Any thoughts?