Used Compiler: GCC 3.4.4 OS: Windows XP 32bit
With older C/C++ compilers (e.g gcc 3.4 or Visual Studio 6) it is possible to manipulate the stack frame to manipulate program execution (e.g. via corrupted return addresses) with buffer overruns.
Trying to show this failed due to the fact that all data I needed to copy included a byte of zeros at which copying always stops.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int checkauth(char *password)
{
int authflag = 0;
char passwordbuffer[10] = "aaaaaaa";
strcpy(passwordbuffer, password);
if(strcmp(passwordbuffer, "password")==0)
authflag = 1;
return authflag;
}
int main (int argc, char *argv[])
{
int authflag = 0;
char password[10] = "bbbbb";
if (argc < 2)
{
printf("Password missing");
exit(0);
}
authflag = checkauth(argv[1]);
if(authflag > 0)
printf(" password ok \r\n");
else
printf("wrong password, %s \r\n", argv[1]);
return 0;
}
As the Code shows I use command line argument to fill the buffer. This always stops at the first blank. I searched several examples (book: Hacking – the art of exploit, stackoverflow…) but all work with addresses which do not include a byte of zeros. The problem in this case depends on the saved stack-pointer (address includes byte of zeros) lying in memory in front of the return address, and the program always fails, if the stack pointer hasn’t some valid value.
The address I’d like to jump at would be 0x004013BA instead if 0x004013b1. The saved stack pointer got the value 0x0022ff78. Which means i'd need to fill the buffer with 43 bytes of something random and the stackpointer and the return address.
How is to solve this problem?
Thanks
The short answer: It is not possible.
The reason behind that is that c-strings are Null-Terminated. The function strcpy stops copying if 0x00 is read. That characteristic is also used in some buffer overflow protection features like ASCII-armor ASLR (RedHat Exec-Shield).