// gcc --static -m32 -fno-stack-protector bufExploits1.c -g -o ex1
// If using gcc on windows, gcc -static-libgcc bufExploits1.c -m32 -fno-stack-protector -g -o ex1
/*
* NOTE: Windows 10 will trigger windows defender and quarantine the exe before you can run it.
* I kept getting the threat warning for "Trojan:win32/Conteban.B!ml" -- not sure why, guess windows doesn't like stack smashing.
* You will need to first restore the exe from windows defender to let windows know this behavior is okay for this program.
*/
#ifdef _WIN32
#include <windows.h>
#endif
#include <stdio.h>
#include <stdint.h> // uintptr_t
#include <stdlib.h> // exit (EXIT_SUCCESS)
void underflowFunc ()
{
    /* Last stop of the demo chain: reached only because overflowFunc()
     * rewrote its own return address to point here. Print the marker and
     * terminate; there is no sane frame left to return into. */
    fputs ("Hello from underflowFunc\n", stdout);
#ifdef _WIN32
    MessageBox (NULL, "Hello from underflowFunc", "Stack Smash pt 2", MB_OK);
#endif
    exit (EXIT_SUCCESS);
}
// overflowFunc's runtime stack frame.
//
/* lower memory                                      higher memory
 * addresses              ebp    ret    ~q           addresses
 *   <----               [    ][    ][    ]            ---->
 *  top of                                            bottom of
 *  stack                                             stack
 *
 * NOTE
 * The stack shows ~q because the previous frame never actually set this slot;
 * it contains undefined data.
 */
/* Second stage of the demo. Control arrives here only because func()
 * replaced its own return address with this function's address. It prints
 * a marker and then repeats the trick so that "returning" from here lands in
 * underflowFunc() instead of main().
 *
 * q: the incoming value is garbage (see the ~q note in the sketch above) and
 *    is never read; the parameter is used only as a known position in this
 *    frame from which to reach the saved return address.
 *
 * Everything below is undefined behavior by the C standard (&q - 1 points
 * outside the object q, and the store modifies the call frame). It is
 * specific to the build line at the top of the file: 32-bit frame (-m32) and
 * -fno-stack-protector, which keeps the compiler from inserting a canary that
 * would shift the layout. It also assumes the parameter's stack slot sits
 * directly above the return address and that the compiler did not move q
 * elsewhere — TODO confirm against the disassembly.
 */
void overflowFunc (uintptr_t *q)
{
puts ("Hello from overflowFunc");
#ifdef _WIN32
MessageBox (NULL, "Hello from overflowFunc", "Stack Smash pt 1", MB_OK);
#endif
// setup for underflow (note &q - 1 == ebp + 4)
// Per the sketch above: q lives at ebp+8, so one uintptr_t below it is the
// return-address slot at ebp+4.
q = (uintptr_t *)(&q - 1);
// Overwrite stack return address with underflowFunc's address.
// Converting a function pointer to uintptr_t is implementation-defined.
*q = (uintptr_t)underflowFunc;
}
// func's runtime stack frame.
//
/* lower memory                                           higher memory
 * addresses        buf      ebp    ret    p              addresses
 *   <----         [    ][    ][    ][    ]                 ---->
 *  top of                                                 bottom of
 *  stack                                                  stack
 */
/* First stage of the demo. buf is never used as a buffer; it only provides a
 * known address in this frame. buf + sizeof buf is assumed to be the saved
 * ebp slot and the following 4 bytes the return address (see the sketch
 * above). The store replaces main's return address with overflowFunc, so
 * "return" transfers control there instead of back to main().
 *
 * p: the incoming value (NULL from main) is ignored; the parameter is reused
 *    as scratch so that no second local has to be declared — see the note at
 *    the bottom of the file on local-variable ordering.
 *
 * All of this is undefined behavior: buf + 17 is outside buf, and the store
 * modifies the call frame. The offsets are specific to the build line at the
 * top of the file (32-bit, -fno-stack-protector, -g, no optimization flag)
 * and to the compiler placing buf immediately below the saved ebp with no
 * padding — TODO confirm against the disassembly before relying on them.
 */
void func (uintptr_t *p)
{
char buf[13];
// sizeof (buf) skips over buf itself, +4 skips the saved ebp (32-bit build).
p = (uintptr_t *)(buf + sizeof (buf) + 4);
// Overwrite stack return address with overflowFunc's address.
*p = (uintptr_t)overflowFunc;
}
int main ()
{
    /* Start the chain. func() rewrites its own return address, so control
     * never comes back here and the message below is never printed. */
    func (NULL);
    fputs ("This line will never be executed.\n", stdout);
    return 0;
}
// Note
//
// You don't have to use function parameters for buffer-overflow exploits, but
// using function local variables is more complicated: the C standard does not
// specify how local variables are ordered on the runtime stack, and even
// changing an optimization flag on the same compiler can change the local
// variable layout in memory.