TransWikia.com

The buffer is too short to insert addresses when exploiting buffer overflow

Reverse Engineering Asked by Thành Vũ on June 3, 2021

Newbie here. Sorry for what you about to read .

I’m currently working on exploiting a binary on Ubuntu 18.04. Here is some information about the binary:

Its checksec information using pwntools:

Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

Its disassembled code:

./vulnprog:     file format elf32-i386


Disassembly of section .init:

0804834c <_init>:
 804834c:   53                      push   ebx
 804834d:   83 ec 08                sub    esp,0x8
 8048350:   e8 8b 00 00 00          call   80483e0 <__x86.get_pc_thunk.bx>
 8048355:   81 c3 87 1c 00 00       add    ebx,0x1c87
 804835b:   8b 83 18 00 00 00       mov    eax,DWORD PTR [ebx+0x18]
 8048361:   85 c0                   test   eax,eax
 8048363:   74 05                   je     804836a <_init+0x1e>
 8048365:   e8 2e 00 00 00          call   8048398 <__gmon_start__@plt>
 804836a:   83 c4 08                add    esp,0x8
 804836d:   5b                      pop    ebx
 804836e:   c3                      ret    

Disassembly of section .plt:

08048370 <.plt>:
 8048370:   ff 35 e0 9f 04 08       push   DWORD PTR ds:0x8049fe0
 8048376:   ff 25 e4 9f 04 08       jmp    DWORD PTR ds:0x8049fe4
 804837c:   00 00                   add    BYTE PTR [eax],al
    ...

Disassembly of section .plt.got:

08048380 <read@plt>:
 8048380:   ff 25 e8 9f 04 08       jmp    DWORD PTR ds:0x8049fe8
 8048386:   66 90                   xchg   ax,ax

08048388 <_exit@plt>:
 8048388:   ff 25 ec 9f 04 08       jmp    DWORD PTR ds:0x8049fec
 804838e:   66 90                   xchg   ax,ax

08048390 <puts@plt>:
 8048390:   ff 25 f0 9f 04 08       jmp    DWORD PTR ds:0x8049ff0
 8048396:   66 90                   xchg   ax,ax

08048398 <__gmon_start__@plt>:
 8048398:   ff 25 f4 9f 04 08       jmp    DWORD PTR ds:0x8049ff4
 804839e:   66 90                   xchg   ax,ax

080483a0 <__libc_start_main@plt>:
 80483a0:   ff 25 f8 9f 04 08       jmp    DWORD PTR ds:0x8049ff8
 80483a6:   66 90                   xchg   ax,ax

080483a8 <setvbuf@plt>:
 80483a8:   ff 25 fc 9f 04 08       jmp    DWORD PTR ds:0x8049ffc
 80483ae:   66 90                   xchg   ax,ax

Disassembly of section .text:

080483b0 <_start>:
 80483b0:   31 ed                   xor    ebp,ebp
 80483b2:   5e                      pop    esi
 80483b3:   89 e1                   mov    ecx,esp
 80483b5:   83 e4 f0                and    esp,0xfffffff0
 80483b8:   50                      push   eax
 80483b9:   54                      push   esp
 80483ba:   52                      push   edx
 80483bb:   68 70 85 04 08          push   0x8048570
 80483c0:   68 10 85 04 08          push   0x8048510
 80483c5:   51                      push   ecx
 80483c6:   56                      push   esi
 80483c7:   68 ab 84 04 08          push   0x80484ab
 80483cc:   e8 cf ff ff ff          call   80483a0 <__libc_start_main@plt>
 80483d1:   f4                      hlt    
 80483d2:   66 90                   xchg   ax,ax
 80483d4:   66 90                   xchg   ax,ax
 80483d6:   66 90                   xchg   ax,ax
 80483d8:   66 90                   xchg   ax,ax
 80483da:   66 90                   xchg   ax,ax
 80483dc:   66 90                   xchg   ax,ax
 80483de:   66 90                   xchg   ax,ax

080483e0 <__x86.get_pc_thunk.bx>:
 80483e0:   8b 1c 24                mov    ebx,DWORD PTR [esp]
 80483e3:   c3                      ret    
 80483e4:   66 90                   xchg   ax,ax
 80483e6:   66 90                   xchg   ax,ax
 80483e8:   66 90                   xchg   ax,ax
 80483ea:   66 90                   xchg   ax,ax
 80483ec:   66 90                   xchg   ax,ax
 80483ee:   66 90                   xchg   ax,ax

080483f0 <deregister_tm_clones>:
 80483f0:   b8 0f a0 04 08          mov    eax,0x804a00f
 80483f5:   2d 0c a0 04 08          sub    eax,0x804a00c
 80483fa:   83 f8 06                cmp    eax,0x6
 80483fd:   76 1a                   jbe    8048419 <deregister_tm_clones+0x29>
 80483ff:   b8 00 00 00 00          mov    eax,0x0
 8048404:   85 c0                   test   eax,eax
 8048406:   74 11                   je     8048419 <deregister_tm_clones+0x29>
 8048408:   55                      push   ebp
 8048409:   89 e5                   mov    ebp,esp
 804840b:   83 ec 14                sub    esp,0x14
 804840e:   68 0c a0 04 08          push   0x804a00c
 8048413:   ff d0                   call   eax
 8048415:   83 c4 10                add    esp,0x10
 8048418:   c9                      leave  
 8048419:   f3 c3                   repz ret 
 804841b:   90                      nop
 804841c:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]

08048420 <register_tm_clones>:
 8048420:   b8 0c a0 04 08          mov    eax,0x804a00c
 8048425:   2d 0c a0 04 08          sub    eax,0x804a00c
 804842a:   c1 f8 02                sar    eax,0x2
 804842d:   89 c2                   mov    edx,eax
 804842f:   c1 ea 1f                shr    edx,0x1f
 8048432:   01 d0                   add    eax,edx
 8048434:   d1 f8                   sar    eax,1
 8048436:   74 1b                   je     8048453 <register_tm_clones+0x33>
 8048438:   ba 00 00 00 00          mov    edx,0x0
 804843d:   85 d2                   test   edx,edx
 804843f:   74 12                   je     8048453 <register_tm_clones+0x33>
 8048441:   55                      push   ebp
 8048442:   89 e5                   mov    ebp,esp
 8048444:   83 ec 10                sub    esp,0x10
 8048447:   50                      push   eax
 8048448:   68 0c a0 04 08          push   0x804a00c
 804844d:   ff d2                   call   edx
 804844f:   83 c4 10                add    esp,0x10
 8048452:   c9                      leave  
 8048453:   f3 c3                   repz ret 
 8048455:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]
 8048459:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]

08048460 <__do_global_dtors_aux>:
 8048460:   80 3d 10 a0 04 08 00    cmp    BYTE PTR ds:0x804a010,0x0
 8048467:   75 13                   jne    804847c <__do_global_dtors_aux+0x1c>
 8048469:   55                      push   ebp
 804846a:   89 e5                   mov    ebp,esp
 804846c:   83 ec 08                sub    esp,0x8
 804846f:   e8 7c ff ff ff          call   80483f0 <deregister_tm_clones>
 8048474:   c6 05 10 a0 04 08 01    mov    BYTE PTR ds:0x804a010,0x1
 804847b:   c9                      leave  
 804847c:   f3 c3                   repz ret 
 804847e:   66 90                   xchg   ax,ax

08048480 <frame_dummy>:
 8048480:   b8 f8 9e 04 08          mov    eax,0x8049ef8
 8048485:   8b 10                   mov    edx,DWORD PTR [eax]
 8048487:   85 d2                   test   edx,edx
 8048489:   75 05                   jne    8048490 <frame_dummy+0x10>
 804848b:   eb 93                   jmp    8048420 <register_tm_clones>
 804848d:   8d 76 00                lea    esi,[esi+0x0]
 8048490:   ba 00 00 00 00          mov    edx,0x0
 8048495:   85 d2                   test   edx,edx
 8048497:   74 f2                   je     804848b <frame_dummy+0xb>
 8048499:   55                      push   ebp
 804849a:   89 e5                   mov    ebp,esp
 804849c:   83 ec 14                sub    esp,0x14
 804849f:   50                      push   eax
 80484a0:   ff d2                   call   edx
 80484a2:   83 c4 10                add    esp,0x10
 80484a5:   c9                      leave  
 80484a6:   e9 75 ff ff ff          jmp    8048420 <register_tm_clones>

080484ab <main>:
 80484ab:   55                      push   ebp
 80484ac:   89 e5                   mov    ebp,esp
 80484ae:   83 ec 28                sub    esp,0x28
 80484b1:   a1 08 a0 04 08          mov    eax,ds:0x804a008
 80484b6:   3d 39 05 00 00          cmp    eax,0x539
 80484bb:   74 07                   je     80484c4 <main+0x19>
 80484bd:   6a 01                   push   0x1
 80484bf:   e8 c4 fe ff ff          call   8048388 <_exit@plt>
 80484c4:   a1 08 a0 04 08          mov    eax,ds:0x804a008
 80484c9:   83 c0 01                add    eax,0x1
 80484cc:   a3 08 a0 04 08          mov    ds:0x804a008,eax
 80484d1:   a1 0c a0 04 08          mov    eax,ds:0x804a00c
 80484d6:   6a 00                   push   0x0
 80484d8:   6a 02                   push   0x2
 80484da:   6a 00                   push   0x0
 80484dc:   50                      push   eax
 80484dd:   e8 c6 fe ff ff          call   80483a8 <setvbuf@plt>
 80484e2:   83 c4 10                add    esp,0x10
 80484e5:   68 90 85 04 08          push   0x8048590
 80484ea:   e8 a1 fe ff ff          call   8048390 <puts@plt>
 80484ef:   83 c4 04                add    esp,0x4
 80484f2:   6a 40                   push   0x40
 80484f4:   8d 45 d8                lea    eax,[ebp-0x28]
 80484f7:   50                      push   eax
 80484f8:   6a 00                   push   0x0
 80484fa:   e8 81 fe ff ff          call   8048380 <read@plt>
 80484ff:   83 c4 0c                add    esp,0xc
 8048502:   90                      nop
 8048503:   90                      nop
 8048504:   c9                      leave  
 8048505:   c3                      ret    
 8048506:   66 90                   xchg   ax,ax
 8048508:   66 90                   xchg   ax,ax
 804850a:   66 90                   xchg   ax,ax
 804850c:   66 90                   xchg   ax,ax
 804850e:   66 90                   xchg   ax,ax

08048510 <__libc_csu_init>:
 8048510:   55                      push   ebp
 8048511:   57                      push   edi
 8048512:   56                      push   esi
 8048513:   53                      push   ebx
 8048514:   e8 c7 fe ff ff          call   80483e0 <__x86.get_pc_thunk.bx>
 8048519:   81 c3 c3 1a 00 00       add    ebx,0x1ac3
 804851f:   83 ec 0c                sub    esp,0xc
 8048522:   8b 6c 24 20             mov    ebp,DWORD PTR [esp+0x20]
 8048526:   8d b3 18 ff ff ff       lea    esi,[ebx-0xe8]
 804852c:   e8 1b fe ff ff          call   804834c <_init>
 8048531:   8d 83 14 ff ff ff       lea    eax,[ebx-0xec]
 8048537:   29 c6                   sub    esi,eax
 8048539:   c1 fe 02                sar    esi,0x2
 804853c:   85 f6                   test   esi,esi
 804853e:   74 25                   je     8048565 <__libc_csu_init+0x55>
 8048540:   31 ff                   xor    edi,edi
 8048542:   8d b6 00 00 00 00       lea    esi,[esi+0x0]
 8048548:   83 ec 04                sub    esp,0x4
 804854b:   ff 74 24 2c             push   DWORD PTR [esp+0x2c]
 804854f:   ff 74 24 2c             push   DWORD PTR [esp+0x2c]
 8048553:   55                      push   ebp
 8048554:   ff 94 bb 14 ff ff ff    call   DWORD PTR [ebx+edi*4-0xec]
 804855b:   83 c7 01                add    edi,0x1
 804855e:   83 c4 10                add    esp,0x10
 8048561:   39 f7                   cmp    edi,esi
 8048563:   75 e3                   jne    8048548 <__libc_csu_init+0x38>
 8048565:   83 c4 0c                add    esp,0xc
 8048568:   5b                      pop    ebx
 8048569:   5e                      pop    esi
 804856a:   5f                      pop    edi
 804856b:   5d                      pop    ebp
 804856c:   c3                      ret    
 804856d:   8d 76 00                lea    esi,[esi+0x0]

08048570 <__libc_csu_fini>:
 8048570:   f3 c3                   repz ret 

Disassembly of section .fini:

08048574 <_fini>:
 8048574:   53                      push   ebx
 8048575:   83 ec 08                sub    esp,0x8
 8048578:   e8 63 fe ff ff          call   80483e0 <__x86.get_pc_thunk.bx>
 804857d:   81 c3 5f 1a 00 00       add    ebx,0x1a5f
 8048583:   83 c4 08                add    esp,0x8
 8048586:   5b                      pop    ebx
 8048587:   c3                      ret    

I can see that there is a buffer overflow that could be exploited inside main() function and I tried to exploit it using some of the techniques I know: execute code on stack, ret2libc, ropgadget but none of them worked. As you can see the NX is enabled, the binary is dynamically linked so there are only 79 ROPgadgets, and because of ASLR being turned on I cannot use retlibc.

I tried ret2libc by crafting the input string so that it jumped to puts() function to print out the puts() address inside the memory in order to calculate the base of libc, after that I had to return to <_start> to inject the exploit string, with the address of system() function and ‘/bin/sh’ string in memory.

It could have been a ideal plan but you can see that at address 0x080484b6 in main the program compares eax, which is loaded with the value in 0x0804a008, to 0x539 to decide to continue. When I came back from puts() function after printing out the address of puts(), that value in 0x0804a008 had been increased by one, no longer be 0x539 so the program exited.

To fix that, I tried jumping to _read() function after returning from puts() to edit the value hold by 0x0804a008 but another problem arose: The read() function only read 64 bytes into the buffer so the length for me to inject addresses was only 20 bytes.

I’m getting stucked. I’ve been searching for days but haven’t found any case that being close to mine. Can you give me some advices on how should I get this done?

One Answer

I'm not sure how much of a spoiler you want, so I'll keep it fairly short for now.

The buffer is too short

Your main problem is somewhat a hint towards the solution. The logic is, if your buffer is too small, then make a new one that can fit your entire payload.

By this, I mean you need to set up a stack pivot. A stack pivot allows you to move the stack frame somewhere else where there is more room, where you'll set up your full ROP chain(s). You can pivot to somewhere else on the stack, the heap, or even in the executable's read-write sections. A good choice for this is often the executable's .data or .bss segment, but find an offset within where nothing critical is overwritten.

In many cases, this can be achieved using a gadget that manipulates the stack pointer (e.g. pop esp, sub esp, 0x28, mov esp, edi etc.). However, in this particular program, there's an instruction that is already used that can serve as a gadget for this.

You'll also need to write to your new stack location. The program already has a function imported that you can use for this. Then, use the pieces you already figured out (libc leak, call system, etc.) can be put in place to complete the challenge.

Answered by multithr3at3d on June 3, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP