// gcc --static -m32 -fno-stack-protector bufExploits1.c -g -o ex1 | |
// If using gcc on windows, gcc -static-libgcc bufExploits1.c -m32 -fno-stack-protector -g -o ex1
/* | |
* NOTE: Windows 10 will trigger windows defender and quarantine the exe before you can run it. | |
* I kept getting the threat warning for "Trojan:win32/Conteban.B!ml" -- not sure why, guess windows doesn't like stack smashing. | |
* You will need to first restore the exe from windows defender to let windows know this behavior is okay for this program. | |
*/ | |
#ifdef _WIN32 | |
#include <windows.h> | |
#endif | |
#include <stdio.h> | |
#include <stdint.h> // uintptr_t | |
#include <stdlib.h> // exit (EXIT_SUCCESS) | |
// Final hop of the demo: the function whose address overflowFunc stores over
// its own saved return address. Prints a marker line (and, on Windows, shows
// the same text in a message box) and then terminates the process, so control
// never unwinds back into main.
void underflowFunc ()
{
    static const char marker[] = "Hello from underflowFunc";
    puts (marker);
#ifdef _WIN32
    MessageBox (NULL, marker, "Stack Smash pt 2", MB_OK);
#endif
    // The demo ends here via exit(); nothing is ever returned to main.
    exit (EXIT_SUCCESS);
}
// overflowFunc's runtime stack frame. | |
// | |
/* lower memory higher memory | |
* addresses ebp ret ~q addresses | |
* <---- [ ][ ][ ] ----> | |
* top of bottom of | |
* stack stack | |
* | |
* NOTE | |
* stack shows ~q since the prev frame never actually set this, contains | |
* undefined data. | |
*/ | |
// overflowFunc: second hop of the demo. It is entered only because func()
// replaced its own saved return address with this function's address;
// overflowFunc then repeats the same trick so that its "return" lands in
// underflowFunc instead of back in main.
//
// @param q  Ignored as an input: it is reassigned before use. The parameter
//           exists so that &q gives a known position inside this frame (the
//           argument slot) from which the author locates the saved return
//           address, as sketched in the frame diagram above.
//
// The store through q is an out-of-bounds write into memory the function does
// not own -- undefined behaviour in standard C. It does what the diagram says
// only under the build in the header comment (-m32, 32-bit frames,
// -fno-stack-protector); a different compiler, ABI or optimization level can
// put the return address elsewhere, in which case the store corrupts
// something else or the process crashes.
void overflowFunc (uintptr_t *q)
{
    puts ("Hello from overflowFunc");
#ifdef _WIN32
    MessageBox (NULL, "Hello from overflowFunc", "Stack Smash pt 1", MB_OK);
#endif
    // Retarget q one pointer-slot below its own argument slot. On the 32-bit
    // frame assumed here (&q - 1 == ebp + 4) that slot holds the address
    // overflowFunc will "return" to.
    q = (uintptr_t *)(&q - 1);
    // Overwrite stack return address with underflowFunc's address.
    // underflowFunc calls exit(), so control never comes back to main.
    *q = (uintptr_t)underflowFunc;
}
// func's runtime stack frame. | |
// | |
/* lower memory higher memory | |
* addresses buf ebp ret p addresses | |
* <---- [ ][ ][ ][ ] ----> | |
* top of bottom of | |
* stack stack | |
*/ | |
// func: first hop of the demo -- a stack smash of its own frame.
//
// @param p  Ignored as an input (main passes NULL); it is reassigned before
//           use and serves only as a typed pointer to store through.
//
// buf is never read or written as a buffer; only its address is used, as an
// anchor. buf + sizeof(buf) + 4 is 17 bytes past the start of a 13-byte array,
// i.e. beyond the one-past-the-end pointer the standard permits, so even
// forming the pointer -- let alone storing through it -- is undefined
// behaviour. The diagram above records the frame layout the author relies on
// (buf, saved ebp, return address) for the -m32 -fno-stack-protector build in
// the header comment. With the stack protector left enabled a canary would
// typically sit between buf and the saved registers, and an overrun of buf
// that reaches the return address is detected when func returns. Under any
// other layout the store lands somewhere else: main's puts() (which the
// author expects never to run) may execute, or the process crashes.
void func (uintptr_t *p)
{
    char buf[13];
    // Point p at where the saved return address is assumed to be: just past
    // buf and the 4-byte saved ebp of the 32-bit frame.
    p = (uintptr_t *)(buf + sizeof (buf) + 4);
    // Overwrite stack return address with overflowFunc's address.
    *p = (uintptr_t)overflowFunc;
}
// Entry point: calls func() with a throwaway argument. If the return-address
// overwrite inside func() takes effect, control flows func -> overflowFunc ->
// underflowFunc -> exit() and the puts() below is skipped. Reaching that
// puts() means the store in func() did not land on the saved return address
// for this particular build.
int main ()
{
    func (NULL);
    puts ("This line will never be executed.");
    return 0;
}
// Note | |
// | |
// You don't have to use function parameters for buffer-overflow exploits, but
// using function local variables is more complicated: the C standard says
// nothing about how local variables are ordered on the runtime stack, and even
// changing the optimization flag on the same compiler can change the local
// variable layout in memory.