Buffer Overflow Examples, Overwriting a function pointer - protostar stack3

Introduction

Hey I’m back again with another article , today I’m going to solve protostar stack3 but this time it’s going to be a bit different , In the last two articles I solved stack0 , stack1 and stack2 and I used the source code of the binaries to identify where the buffer overflow happens and what exploit to use. Now with stack3 we are given the source code but We are not going to use it, Instead of that we will use some practical techniques to solve this challenge. Because in a real situation we won’t have the source of the program right ? Let’s see



If you haven’t read my previous articles about buffer overflow I recommend reading them first

Let’s first look at the program and see what does it do.

./stack3



We don’t see any output so we should give it an argument. We need to confirm that the program is vulnerable to a buffer overflow so we can pass an argument of 100 chars and see what happens

python -c "print 'A' * 100" | ./stack3



And we see a segfault which confirms that a buffer overflow happened , we also see this line : “calling function pointer , jumping to 0x41414141”

So now we have an idea about what’s happening here, There’s a function pointer that executes a function based on the given memory address of that function. That memory address is stored in a variable and we can overwrite that variable when we exceed the buffer. We see that the function pointer was calling the address 0x41414141 and 0x41 is the hex of “A”. Now we have to do two things. The first thing is to know where the buffer overflow happens, Because here we have given the program an argument of 100 chars but we don’t know exactly the size of the buffer. The second thing is to find the memory address of the function that we need to execute. Let’s see how to do that.

Finding the size of the buffer

To make things easier I compiled the program on my kali box to start testing there.

Metasploit has two scripts called pattern_create and pattern_offset , you can find them on kali in /usr/share/metasploit-framework/tools/exploit

pattern_create creats a unique string of a defined length so we will create a pattern of 100 chars.

./pattern_create.rb -l 100



Now let’s run the program in gdb , I’m using gdb-peda

First we set a break point in main .

break *main

This makes the program break after the first instruction of the function main()



Then we run the program.



It stops at the break point. We do c to make it continue then pass our argument



The segfault happens and we see where it happened: 0x63413163



Now we will use pattern_offset to know what is the location of 0x63413163

./pattern_offset -l 100 -q 63413163



And we get exact match at offset 64 , This means that the buffer size is 64 chars and after that the overflow happens.

Finding the memory address of the function

If we do info functions from gdb it will list all the functions and their memory addresses , we can also do that with objdump. But what is the function we’re looking for ?

info functions



We see a lot of functions but the most interesting one is called “win” , but the address on my kali box will be different from the address on the protostar machine. We will return to protostar and use objdump to find it.

objdump -d stack3





And we got the address 0x08048424

Applying the exploit

Now we can easily build our exploit , we know that the buffer is 64 chars after that we can pass the address of the function and the function pointer will execute it.

python -c "print 'A' * 64 + '\x24\x84\x04\x08'" | ./stack3



And we get the output “code flow changed successfully”

We solved it without the source , now let’s look at the source

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24











void win ()

{

printf ( "code flow successfully changed

" );

}



int main ( int argc, char **argv)

{

volatile int (*fp) () ;

char buffer [ 64 ];



fp = 0 ;



gets( buffer );



if (fp) {

printf ( "calling function pointer, jumping to 0x%08x

" , fp);

fp();

}

}



We see function win() is defined at the top then after that the function main() which defines the function pointer , sets a buffer of 64 chars to it , then sets its value to 0. After that it takes our argument and stores it in the buffer. The last thing is an if statement that checks if the function pointer value is changed from 0 then it calls the address of that new value.

That’s it , Feedback is appreciated !

Don’t forget to read the previous articles , Tweet about the article if you liked it , follow on twitter @Ahm3d_H3sham

Thanks for reading.

Previous Binary Exploitation article : Buffer Overflow Examples, Overwriting a variable value on the stack - Protostar Stack1 , Stack2

Next Binary Exploitation article : Buffer Overflow Examples, Taking control of the instruction pointer - protostar stack4