The buffer is too short to insert addresses when exploiting buffer overflow

Question

Newbie here. Sorry for what you about to read . I'm currently working on exploiting a binary on Ubuntu 18.04. Here is some information about the binary: Its checksec information using pwntools: Arch: i386-32-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) Its disassembled code: ./vulnprog: file format elf32-i386 Disassembly of section .init: 0804834c <_init>: 804834c: 53 push ebx 804834d: 83 ec 08 sub esp,0x8 8048350: e8 8b 00 00 00 call 80483e0 <__x86.get_pc_thunk.bx> 8048355: 81 c3 87 1c 00 00 add ebx,0x1c87 804835b: 8b 83 18 00 00 00 mov eax,DWORD PTR [ebx+0x18] 8048361: 85 c0 test eax,eax 8048363: 74 05 je 804836a <_init+0x1e> 8048365: e8 2e 00 00 00 call 8048398 <__gmon_start__@plt> 804836a: 83 c4 08 add esp,0x8 804836d: 5b pop ebx 804836e: c3 ret Disassembly of section .plt: 08048370 <.plt>: 8048370: ff 35 e0 9f 04 08 push DWORD PTR ds:0x8049fe0 8048376: ff 25 e4 9f 04 08 jmp DWORD PTR ds:0x8049fe4 804837c: 00 00 add BYTE PTR [eax],al ... Disassembly of section .plt.got: 08048380 : 8048380: ff 25 e8 9f 04 08 jmp DWORD PTR ds:0x8049fe8 8048386: 66 90 xchg ax,ax 08048388 <_exit@plt>: 8048388: ff 25 ec 9f 04 08 jmp DWORD PTR ds:0x8049fec 804838e: 66 90 xchg ax,ax 08048390 : 8048390: ff 25 f0 9f 04 08 jmp DWORD PTR ds:0x8049ff0 8048396: 66 90 xchg ax,ax 08048398 <__gmon_start__@plt>: 8048398: ff 25 f4 9f 04 08 jmp DWORD PTR ds:0x8049ff4 804839e: 66 90 xchg ax,ax 080483a0 <__libc_start_main@plt>: 80483a0: ff 25 f8 9f 04 08 jmp DWORD PTR ds:0x8049ff8 80483a6: 66 90 xchg ax,ax 080483a8 : 80483a8: ff 25 fc 9f 04 08 jmp DWORD PTR ds:0x8049ffc 80483ae: 66 90 xchg ax,ax Disassembly of section .text: 080483b0 <_start>: 80483b0: 31 ed xor ebp,ebp 80483b2: 5e pop esi 80483b3: 89 e1 mov ecx,esp 80483b5: 83 e4 f0 and esp,0xfffffff0 80483b8: 50 push eax 80483b9: 54 push esp 80483ba: 52 push edx 80483bb: 68 70 85 04 08 push 0x8048570 80483c0: 68 10 85 04 08 push 0x8048510 80483c5: 51 push ecx 80483c6: 56 push esi 80483c7: 68 ab 84 04 08 push 0x80484ab 80483cc: e8 cf ff ff ff call 80483a0 <__libc_start_main@plt> 80483d1: f4 hlt 80483d2: 66 90 xchg ax,ax 80483d4: 66 90 xchg ax,ax 80483d6: 66 90 xchg ax,ax 80483d8: 66 90 xchg ax,ax 80483da: 66 90 xchg ax,ax 80483dc: 66 90 xchg ax,ax 80483de: 66 90 xchg ax,ax 080483e0 <__x86.get_pc_thunk.bx>: 80483e0: 8b 1c 24 mov ebx,DWORD PTR [esp] 80483e3: c3 ret 80483e4: 66 90 xchg ax,ax 80483e6: 66 90 xchg ax,ax 80483e8: 66 90 xchg ax,ax 80483ea: 66 90 xchg ax,ax 80483ec: 66 90 xchg ax,ax 80483ee: 66 90 xchg ax,ax 080483f0 : 80483f0: b8 0f a0 04 08 mov eax,0x804a00f 80483f5: 2d 0c a0 04 08 sub eax,0x804a00c 80483fa: 83 f8 06 cmp eax,0x6 80483fd: 76 1a jbe 8048419 80483ff: b8 00 00 00 00 mov eax,0x0 8048404: 85 c0 test eax,eax 8048406: 74 11 je 8048419 8048408: 55 push ebp 8048409: 89 e5 mov ebp,esp 804840b: 83 ec 14 sub esp,0x14 804840e: 68 0c a0 04 08 push 0x804a00c 8048413: ff d0 call eax 8048415: 83 c4 10 add esp,0x10 8048418: c9 leave 8048419: f3 c3 repz ret 804841b: 90 nop 804841c: 8d 74 26 00 lea esi,[esi+eiz*1+0x0] 08048420 : 8048420: b8 0c a0 04 08 mov eax,0x804a00c 8048425: 2d 0c a0 04 08 sub eax,0x804a00c 804842a: c1 f8 02 sar eax,0x2 804842d: 89 c2 mov edx,eax 804842f: c1 ea 1f shr edx,0x1f 8048432: 01 d0 add eax,edx 8048434: d1 f8 sar eax,1 8048436: 74 1b je 8048453 8048438: ba 00 00 00 00 mov edx,0x0 804843d: 85 d2 test edx,edx 804843f: 74 12 je 8048453 8048441: 55 push ebp 8048442: 89 e5 mov ebp,esp 8048444: 83 ec 10 sub esp,0x10 8048447: 50 push eax 8048448: 68 0c a0 04 08 push 0x804a00c 804844d: ff d2 call edx 804844f: 83 c4 10 add esp,0x10 8048452: c9 leave 8048453: f3 c3 repz ret 8048455: 8d 74 26 00 lea esi,[esi+eiz*1+0x0] 8048459: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0] 08048460 <__do_global_dtors_aux>: 8048460: 80 3d 10 a0 04 08 00 cmp BYTE PTR ds:0x804a010,0x0 8048467: 75 13 jne 804847c <__do_global_dtors_aux+0x1c> 8048469: 55 push ebp 804846a: 89 e5 mov ebp,esp 804846c: 83 ec 08 sub esp,0x8 804846f: e8 7c ff ff ff call 80483f0 8048474: c6 05 10 a0 04 08 01 mov BYTE PTR ds:0x804a010,0x1 804847b: c9 leave 804847c: f3 c3 repz ret 804847e: 66 90 xchg ax,ax 08048480 : 8048480: b8 f8 9e 04 08 mov eax,0x8049ef8 8048485: 8b 10 mov edx,DWORD PTR [eax] 8048487: 85 d2 test edx,edx 8048489: 75 05 jne 8048490 804848b: eb 93 jmp 8048420 804848d: 8d 76 00 lea esi,[esi+0x0] 8048490: ba 00 00 00 00 mov edx,0x0 8048495: 85 d2 test edx,edx 8048497: 74 f2 je 804848b 8048499: 55 push ebp 804849a: 89 e5 mov ebp,esp 804849c: 83 ec 14 sub esp,0x14 804849f: 50 push eax 80484a0: ff d2 call edx 80484a2: 83 c4 10 add esp,0x10 80484a5: c9 leave 80484a6: e9 75 ff ff ff jmp 8048420 080484ab

: 80484ab: 55 push ebp 80484ac: 89 e5 mov ebp,esp 80484ae: 83 ec 28 sub esp,0x28 80484b1: a1 08 a0 04 08 mov eax,ds:0x804a008 80484b6: 3d 39 05 00 00 cmp eax,0x539 80484bb: 74 07 je 80484c4 80484bd: 6a 01 push 0x1 80484bf: e8 c4 fe ff ff call 8048388 <_exit@plt> 80484c4: a1 08 a0 04 08 mov eax,ds:0x804a008 80484c9: 83 c0 01 add eax,0x1 80484cc: a3 08 a0 04 08 mov ds:0x804a008,eax 80484d1: a1 0c a0 04 08 mov eax,ds:0x804a00c 80484d6: 6a 00 push 0x0 80484d8: 6a 02 push 0x2 80484da: 6a 00 push 0x0 80484dc: 50 push eax 80484dd: e8 c6 fe ff ff call 80483a8 80484e2: 83 c4 10 add esp,0x10 80484e5: 68 90 85 04 08 push 0x8048590 80484ea: e8 a1 fe ff ff call 8048390 80484ef: 83 c4 04 add esp,0x4 80484f2: 6a 40 push 0x40 80484f4: 8d 45 d8 lea eax,[ebp-0x28] 80484f7: 50 push eax 80484f8: 6a 00 push 0x0 80484fa: e8 81 fe ff ff call 8048380 80484ff: 83 c4 0c add esp,0xc 8048502: 90 nop 8048503: 90 nop 8048504: c9 leave 8048505: c3 ret 8048506: 66 90 xchg ax,ax 8048508: 66 90 xchg ax,ax 804850a: 66 90 xchg ax,ax 804850c: 66 90 xchg ax,ax 804850e: 66 90 xchg ax,ax 08048510 <__libc_csu_init>: 8048510: 55 push ebp 8048511: 57 push edi 8048512: 56 push esi 8048513: 53 push ebx 8048514: e8 c7 fe ff ff call 80483e0 <__x86.get_pc_thunk.bx> 8048519: 81 c3 c3 1a 00 00 add ebx,0x1ac3 804851f: 83 ec 0c sub esp,0xc 8048522: 8b 6c 24 20 mov ebp,DWORD PTR [esp+0x20] 8048526: 8d b3 18 ff ff ff lea esi,[ebx-0xe8] 804852c: e8 1b fe ff ff call 804834c <_init> 8048531: 8d 83 14 ff ff ff lea eax,[ebx-0xec] 8048537: 29 c6 sub esi,eax 8048539: c1 fe 02 sar esi,0x2 804853c: 85 f6 test esi,esi 804853e: 74 25 je 8048565 <__libc_csu_init+0x55> 8048540: 31 ff xor edi,edi 8048542: 8d b6 00 00 00 00 lea esi,[esi+0x0] 8048548: 83 ec 04 sub esp,0x4 804854b: ff 74 24 2c push DWORD PTR [esp+0x2c] 804854f: ff 74 24 2c push DWORD PTR [esp+0x2c] 8048553: 55 push ebp 8048554: ff 94 bb 14 ff ff ff call DWORD PTR [ebx+edi*4-0xec] 804855b: 83 c7 01 add edi,0x1 804855e: 83 c4 10 add esp,0x10 8048561: 39 f7 cmp edi,esi 8048563: 75 e3 jne 8048548 <__libc_csu_init+0x38> 8048565: 83 c4 0c add esp,0xc 8048568: 5b pop ebx 8048569: 5e pop esi 804856a: 5f pop edi 804856b: 5d pop ebp 804856c: c3 ret 804856d: 8d 76 00 lea esi,[esi+0x0] 08048570 <__libc_csu_fini>: 8048570: f3 c3 repz ret Disassembly of section .fini: 08048574 <_fini>: 8048574: 53 push ebx 8048575: 83 ec 08 sub esp,0x8 8048578: e8 63 fe ff ff call 80483e0 <__x86.get_pc_thunk.bx> 804857d: 81 c3 5f 1a 00 00 add ebx,0x1a5f 8048583: 83 c4 08 add esp,0x8 8048586: 5b pop ebx 8048587: c3 ret I can see that there is a buffer overflow that could be exploited inside main() function and I tried to exploit it using some of the techniques I know: execute code on stack, ret2libc, ropgadget but none of them worked. As you can see the NX is enabled, the binary is dynamically linked so there are only 79 ROPgadgets, and because of ASLR being turned on I cannot use retlibc. I tried ret2libc by crafting the input string so that it jumped to puts() function to print out the puts() address inside the memory in order to calculate the base of libc, after that I had to return to <_start> to inject the exploit string, with the address of system() function and '/bin/sh' string in memory. It could have been a ideal plan but you can see that at address 0x080484b6 in main the program compares eax, which is loaded with the value in 0x0804a008, to 0x539 to decide to continue. When I came back from puts() function after printing out the address of puts(), that value in 0x0804a008 had been increased by one, no longer be 0x539 so the program exited. To fix that, I tried jumping to _read() function after returning from puts() to edit the value hold by 0x0804a008 but another problem arose: The read() function only read 64 bytes into the buffer so the length for me to inject addresses was only 20 bytes. I'm getting stucked. I've been searching for days but haven't found any case that being close to mine. Can you give me some advices on how should I get this done?

multithr3at3d · Answer

I'm not sure how much of a spoiler you want, so I'll keep it fairly short for now.

The buffer is too short

Your main problem is somewhat a hint towards the solution. The logic is, if your buffer is too small, then make a new one that can fit your entire payload.

By this, I mean you need to set up a stack pivot. A stack pivot allows you to move the stack frame somewhere else where there is more room, where you'll set up your full ROP chain(s). You can pivot to somewhere else on the stack, the heap, or even in the executable's read-write sections. A good choice for this is often the executable's .data or .bss segment, but find an offset within where nothing critical is overwritten.

In many cases, this can be achieved using a gadget that manipulates the stack pointer (e.g. pop esp, sub esp, 0x28, mov esp, edi etc.). However, in this particular program, there's an instruction that is already used that can serve as a gadget for this.

You'll also need to write to your new stack location. The program already has a function imported that you can use for this. Then, use the pieces you already figured out (libc leak, call system, etc.) can be put in place to complete the challenge.

The buffer is too short to insert addresses when exploiting buffer overflow

One Answer

Add your own answers!

Ask a Question