manipulating return address

Question

zoner7 22 Junior Poster

15 Years Ago

I'm currently taking a computer security class. The thing is, I haven't even taken an intro computer programming course. I taught myself a good deal of C++ back this summer, but I hardly know as much as the other students in the class.

we were asked to manipulate the following code so that the program returns x as 0 instead of 1.

So I need to manipulate the function in such a way that I alter the return address. I want to skip the x=1 step and, instead, go straight to the printf("%d\n", x)

void function(char *source) {
/* add stuff here  Note: do not use a buffer overflow*/
}
void main(){
int x;
x=0;
function("...")
x=1;
printf("%d\n",x);
}

Note: I am not looking for straight answers. I would like some guidance on where to start. I know that this is a pointer exercise.

c

3 Contributors
6 Replies
791 Views
1 Day Discussion Span
Latest Post 15 Years Ago Latest Post by zoner7

me_ansh 0 Light Poster

15 Years Ago

int function(char *source) {
/* add stuff here Note: do not use a buffer overflow*/
return 0; 
}

void main(){
int x;
x=0;
if(function("..."))
x=1;
printf("%d\n",x);
}

MosaicFuneral 812 Nearly a Posting Virtuoso

15 Years Ago

What does your book say about pass parameters, and altering them?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

zoner7 22 Junior Poster · Answer 1 · 2009-01-27T01:12:10+00:00

yeah... forgot to mention that he told us explicitly not to do that. If I remember right, if I were to use a buffer overflow and consequently receive a segmentation error, I would have the same result.

zoner7 22 Junior Poster · Answer 2 · 2009-01-27T01:28:17+00:00

I think this is what it should look like... I'm not exactly sure what to do with the pointer syntax in the functions. Why do I not define *source before I call it in the function? Is it because I use char*course in the prototype?

void Function(char *source) {
char buffer = [10]
source = buffer
(*source) = source + 12 // might be 14 depending upon whether or not the address of the source begins after at 10 or 12.  Although the buffer has 10 bits, it is 2 words long, so it actually occupies 12 bits.  Will source's address begin at 10 or begin at 12?
}

void main(){
int x;
x=0;
Function(*source)
x=1;
printf("%d\n",x);
}

zoner7 22 Junior Poster · Answer 3 · 2009-01-27T04:27:19+00:00

we actually don't have a book...
Plus this class is wayy past the basics. I'm just taking it randomly. I've never formally been taught a computer language.
I guess this works a little bit better

void Function(char *source) {
char buffer = [10];
source = buffer;
(*source) = source + 12 /* So I need 4 bytes to pass the SFP.
another 4 bytes to overwrite the return address.
and then another 4 bytes to overwrite the x=1. */
}

void main(){
char *source = 0;
int x;
x=0;
Function(source)
x=1;
printf("%d\n",x);
}

zoner7 22 Junior Poster · Answer 4 · 2009-01-27T07:47:54+00:00

okay. So now I have a much better idea of what I'm doing.
I got most of it right now.

#include <stdio.h>
void Function(char *source) {
int buffer[10];
int *ret;
ret = buffer + 16;
(*ret) = ret + 10;
}
void main(){
int x = 0;
Function("gsgrw")
x=1;
printf("%d\n",x);
}

so, the stack looks as follows:
[buffer][SFP][return address][x = 1]

I placed the address of ret at buffer + 16. We want the address of ret to begin after the 10 bit buffer (but this is more than two words, so the buffer must be 12 bits long) and after the 4 bit SFP. 12 + 4 = 16.

Using the assembly code (assembly code below), I need to determine how many bits are in between the beginning of the address of ret and at the end of the address x=1.

We know that the address of ret begins when the call function ends.
That happens at main + 26.

the x=1 begins at main +29 and ends at main +36
.
so we want to write over these bits with random code. So we extend the length of the ret value by 10.

Here is the assembly:

Dump of assembler code for function main:
0x08048438 <main+0>: push %ebp
0x08048439 <main+1>: mov %esp,%ebp
0x0804843b <main+3>: sub $0x8,%esp
0x0804843e <main+6>: movl $0x0,0xfffffffc(%ebp)
0x08048445 <main+13>: sub $0xc,%esp
0x08048448 <main+16>: push $0x8048560
0x0804844d <main+21>: call 0x804841c <function>
0x08048452 <main+26>: add $0x10,%esp
0x08048455 <main+29>: movl $0x1,0xfffffffc(%ebp)
0x0804845c <main+36>: sub $0x8,%esp
0x0804845f <main+39>: pushl 0xfffffffc(%ebp)
0x08048462 <main+42>: push $0x8048564
0x08048467 <main+47>: call 0x8048310 <__deregister_frame_info@plt+32>
0x0804846c <main+52>: add $0x10,%esp
0x0804846f <main+55>: leave
0x08048470 <main+56>: ret
0x08048471 <main+57>: nop
0x08048472 <main+58>: nop
0x08048473 <main+59>: nop

Thank you for any help