Handle memory

Hi everyone,
I'm trying to use a buffer overflow to overwrite a return address with another memory address. I used this code:

void readSerialString () {

    char buffer[8];
    char smallBuffer[4]={0,0,0,0};

    int sb;
    if(Serial.available()) {
        while (Serial.available()){
            sb = Serial.read();
            buffer[indexB] = sb;
            indexB++;
        }
    }
    if( indexB > 0) {
        strcpy(smallBuffer,buffer);
        Serial.print("You said: ");
        for(count=0; count < indexB; count++) {
            Serial.print( smallBuffer[count] );
        }
        count = 0;
        indexB  = 0;
        Serial.println();
    }

}

This

if(Serial.available()) {
    while (Serial.available()){

rarely makes much sense; the "if" is redundant.

I'm trying to use a buffer overflow to overwrite a return address with another memory address.

Your code is incomplete and cannot compile.
What are you trying to do?

DarkCoffee:
I'm trying to use a buffer overflow to overwrite a return address with another memory address.

Why?

This is my code:

#define F_CPU=16000000
#define ARDUINO 100
#include "Arduino.h"
#include <stdio.h>

int  indexB  = 0;
int  count = 0;

void setup();
void loop();
void readSerialString ();
void printHacked();


void setup(){
	Serial.begin(115200);
	Serial.println("Hello World");
}

void loop(){
	readSerialString();
	Serial.println ("-");
	delay(1500);
}

void readSerialString () {
	char buffer[8];
	char smallBuffer[4]={0,0,0,0};

	int sb;
	if(Serial.available()) {
		while (Serial.available()){
			sb = Serial.read();
			buffer[indexB] = sb;
			indexB++;
		}
	}
	if( indexB > 0) {
		strcpy(smallBuffer,buffer);
		Serial.print("You said: ");
		for(count=0; count < indexB; count++) {
			Serial.print( smallBuffer[count] );
		}
		count = 0;
		indexB  = 0;
		Serial.println();
	}
}

void printHacked(){
	Serial.println("Hacked!");
}

I want to print "Hacked!" on the terminal using the buffer overflow. In other words, I want to write on the terminal a sequence of characters (for example: HelloHelloHello) reaching the return address and adding the address of the function printHacked after those characters (for example: HelloHelloHello\x00\x00\x00\x00 if the address of the function is 0x000000) in order to have "Hacked!" printed.
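For contrast with the readSerialString() posted above, here is a bounds-checked version of the same routine, written as an added example that is not part of the original thread and not Arduino code as such: Serial.read() is replaced by a hypothetical byte_source so it can be compiled and run on a PC. It keeps the two buffer sizes from the post (8 and 4) and shows where the original writes past buffer (no bound on indexB), past smallBuffer (strcpy of an unterminated 8-byte buffer into 4 bytes) and reads past smallBuffer (the print loop runs to indexB, not to 4).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 8   /* same sizes as the posted sketch */
#define SMALL_SIZE  4

/* Hypothetical stand-in for Serial.read(): returns the next byte of a
   constructed input, or -1 when none is left (as Serial.read() does). */
typedef struct { const uint8_t *data; size_t len; size_t pos; } byte_source;

static int source_read(byte_source *s) {
    if (s->pos >= s->len) return -1;
    return s->data[s->pos++];
}

/* Bounded readSerialString(): stores at most BUFFER_SIZE-1 bytes so the
   terminating NUL always fits, drains (and counts) any excess instead of
   writing it past the array, and copies at most SMALL_SIZE-1 bytes into
   smallBuffer with an explicit terminator. Returns the bytes kept. */
size_t read_bounded(byte_source *src, char *buffer, char *smallBuffer,
                    size_t *dropped) {
    size_t n = 0;
    *dropped = 0;
    for (;;) {
        int c = source_read(src);
        if (c < 0) break;
        if (n < BUFFER_SIZE - 1)
            buffer[n++] = (char)c;
        else
            (*dropped)++;          /* the original would overflow here */
    }
    buffer[n] = '\0';
    /* strncpy does not terminate when the source is too long: do it by hand */
    strncpy(smallBuffer, buffer, SMALL_SIZE - 1);
    smallBuffer[SMALL_SIZE - 1] = '\0';
    return n;
}

int main(void) {
    /* constructed input: the 13-character string used later in the thread */
    byte_source s = { (const uint8_t *)"1234567891234", 13, 0 };
    char buffer[BUFFER_SIZE], smallBuffer[SMALL_SIZE];
    size_t dropped;
    size_t n = read_bounded(&s, buffer, smallBuffer, &dropped);
    /* printing smallBuffer as a string, not n bytes of it, avoids the over-read */
    printf("kept %zu, dropped %zu, You said: %s\n", n, dropped, smallBuffer);
    return 0;
}
```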

#define F_CPU=16000000

?

I want print "Hacked!" on the terminal using the buffer overflow

You'll have to expand on that sentence, particularly with reference to "buffer overflow"

Why Hacked?

If (as it sounds) you're trying to change the return address of a called function then you are being very very stupid!

Mark

AWOL:

#define F_CPU=16000000

?

I'm working with Atmel Studio 6 so I need that line.

AWOL:

I want print "Hacked!" on the terminal using the buffer overflow

You'll have to expand on that sentence, particularly with reference to "buffer overflow"

Like in the "Exploiting stack buffer overflows" here: Stack buffer overflow - Wikipedia

Docedison:
Why Hacked?

I'm working on a university project

holmes4:
If (as it sounds) you're trying to change the return address of a called function then you are being very very stupid!

Mark

If you can explain the reason to me, maybe I can understand better!
printHacked() is not called anywhere...

If you want to print the address of a function then take its address and print it.

If you want to make Serial's output buffer overflow then you can't! (the code stops this).

Mark

When I compiled your program on the Arduino IDE the compiler optimized away the printHacked function completely, so it definitely won't be called.

What do you mean by "optimized away"? It won't be in the memory of the board after the upload?

holmes4:
If you want to print the address of a function then take its address and print it.

If you want to make Serial's output buffer overflow then you can't! (the code stops this).

Mark

Would you please explain to me a little bit more?
I don't want to print the address, I want to write a string in the terminal with the address of printHacked() in a way that it will be called, like in the link that I posted before.
But I'm also interested in how to print the address, for my knowledge. How can I do it?

P.S.: Thank you everyone for helping me.

DarkCoffee:
What do you mean by "optimized away"? It won't be in the memory of the board after the upload?

That's right. You don't call the function so the compiler knows you don't need it.

What do you mean by "optimized away"? It won't be in the memory of the board after the upload?

It was not called so the compiler just binned it!

To get the address just use the address operator.

You can't force a call to printHacked(), and it's very silly to try.

Mark

OK, so if I call it once in setup the function will be on the board. I tried the attack but it still doesn't work.
For example I wrote "1234567891234\x00\x00\x00\x02\x19" on the terminal and it showed me: "You said: 1234567891234\x00\x00\Hello World" but not "Hacked!"

holmes4:

What do you mean by "optimized away"? It won't be in the memory of the board after the upload?

It was not called so the compiler just binned it!

To get the address just use the address operator.

You can't force a call to printHacked(), and it's very silly to try.

Mark

No, it's not silly and stupid, and please stop being so rude. It's for a project so I don't think the professor is silly or stupid!

Can you give me an example of how to use the address operator?

He is using the same vector as the internet worm.

Address operator:

void *addr = &function_name;

That wiki article needs a rewrite, but as the Arduino has no OS and no other programs running on it, it's not a problem anyway.

Mark

DarkCoffee:
OK, so if I call it once in setup the function will be on the board. I tried the attack but it still doesn't work.

I'm not surprised. The compiler may well "inline" the function call, and not put it where you are hoping it will go.

I don't see the point to this. You don't "hack" Arduinos in the same way you hack Windows PCs. For one thing, the program code is in flash memory and cannot be modified. This seems to me to be a pointless and (if I may say without giving offence) time-wasting exercise.

I don't want to modify the program code, I just want to reach the return address of the function readSerialString() and overwrite it with another address.
I counted 8+4+1 bytes (8 for buffer, 4 for smallBuffer, 1 for sb) = 13 bytes.
I wrote "1234567891234\x19\x02\x00\x00" and the board reset itself.
Do you know a way to find out where the return address of that function is?
Do you think it is impossible to do?