Topic: Handle memory

DarkCoffee

Hi everyone,
I'm trying to use a buffer overflow to overwrite a return address with another memory address. I used this code:

Code:
void readSerialString () {

char buffer[8]; char smallBuffer[4]={0,0,0,0};

int sb;
if(Serial.available()) {
   while (Serial.available()){
       sb = Serial.read();
       buffer[indexB] = sb;
       indexB++;
   }
}
if( indexB > 0) {
   strcpy(smallBuffer,buffer);
   Serial.print("You said: ");
   for(count=0; count < indexB; count++) {
       Serial.print( smallBuffer[count] );
   }
   count = 0;
   indexB  = 0;
   Serial.println();
}

}


AWOL

This
Code:
if(Serial.available()) {
    while (Serial.available()){

rarely makes much sense; the "if" is redundant.

Quote
I'm trying to use a buffer overflow to overwrite a return address with another memory address.

Your code is incomplete and cannot compile.
What are you trying to do?

nickgammon


I'm trying to use a buffer overflow to overwrite a return address with another memory address.


Why?
Please post technical questions on the forum, not by personal message. Thanks!

More info: http://www.gammon.com.au/electronics

DarkCoffee

#3 Aug 13, 2013, 11:45 pm (Last Edit: Aug 13, 2013, 11:46 pm by DarkCoffee)
This is my code:

Code:
#define F_CPU=16000000
#define ARDUINO 100
#include "Arduino.h"
#include <stdio.h>

int  indexB  = 0;
int  count = 0;

void setup();
void loop();
void readSerialString ();
void printHacked();


void setup(){
    Serial.begin(115200);
    Serial.println("Hello World");
}

void loop(){
    readSerialString();
    Serial.println ("-");
    delay(1500);
}

void readSerialString () {
    char buffer[8];
    char smallBuffer[4]={0,0,0,0};

    int sb;
    if(Serial.available()) {
        while (Serial.available()){
            sb = Serial.read();
            buffer[indexB] = sb;
            indexB++;
        }
    }
    if( indexB > 0) {
        strcpy(smallBuffer,buffer);
        Serial.print("You said: ");
        for(count=0; count < indexB; count++) {
            Serial.print( smallBuffer[count] );
        }
        count = 0;
        indexB  = 0;
        Serial.println();
    }
}

void printHacked(){
    Serial.println("Hacked!");
}


I want to print "Hacked!" on the terminal using the buffer overflow. In other words, I want to write on the terminal a sequence of characters (for example: HelloHelloHello) reaching the return address and add the address of the function printHacked after those characters (for example: HelloHelloHello\x00\x00\x00\x00 if the address of the function is 0x000000) in order to have "Hacked!" printed.
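As an added example, not part of the thread or the poster's sketch: the same two-stage read-then-copy written with explicit bounds, in plain C with a constructed in-memory byte stream standing in for Serial so it runs off the board. The function names (read_bounded, copy_bounded, demo_overlong_input) are my own. The sketch above indexes buffer[8] with a counter that is never capped and then strcpy()s that unterminated buffer into a 4-byte one, which is exactly the overwrite the discussion is about; the version below caps the count, always reserves a byte for the terminator, and discards excess input instead of writing it past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not the poster's code). Models the sketch's
 * readSerialString with explicit bounds. The byte source is a
 * constructed in-memory stream standing in for Serial.read(). */

#define LINE_BUF_SIZE 8

/* Copies at most out_size-1 bytes from the stream into out and always
 * NUL-terminates. Returns the number of bytes stored; extra input is
 * consumed and dropped rather than written past the end of out. */
size_t read_bounded(const uint8_t *stream, size_t stream_len,
                    char *out, size_t out_size)
{
    size_t stored = 0;
    if (out_size == 0) return 0;
    for (size_t i = 0; i < stream_len; i++) {
        if (stored < out_size - 1) {
            out[stored++] = (char)stream[i];
        }
        /* else: drop the byte; the index never passes the buffer end */
    }
    out[stored] = '\0';
    return stored;
}

/* Second stage of the original sketch: copying into a smaller buffer.
 * Bounded copy with guaranteed termination (strcpy has neither). */
size_t copy_bounded(const char *src, char *dst, size_t dst_size)
{
    if (dst_size == 0) return 0;
    size_t n = 0;
    while (n < dst_size - 1 && src[n] != '\0') n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Runs both stages on constructed over-long input (18 bytes, longer than
 * either buffer) and returns the number of bytes that reached the small
 * buffer. Callers pass the two destination buffers so results are visible. */
size_t demo_overlong_input(char *line_out, size_t line_size,
                           char *small_out, size_t small_size)
{
    static const uint8_t input[] = "1234567891234ABCDE"; /* constructed */
    read_bounded(input, sizeof input - 1, line_out, line_size);
    return copy_bounded(line_out, small_out, small_size);
}
```

With the sketch's sizes (an 8-byte line buffer and a 4-byte small buffer) the 18-byte input is cut to "1234567" and then to "123"; nothing is written outside either array, so there is no return address to reach.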

AWOL

Code:
#define F_CPU=16000000
?

Quote
I want print "Hacked!" on the terminal using the buffer overflow

You'll have to expand on that sentence, particularly with reference to "buffer overflow"

Docedison

--> WA7EMS <--
"The solution of every problem is another problem." -Johann Wolfgang von Goethe
I do answer technical questions PM'd to me with whatever is in my clipboard

holmes4

If (as it sounds) you're trying to change the return address of a called function then you are being very very stupid!

Mark

DarkCoffee


Code:
#define F_CPU=16000000
?

I'm working with Atmel Studio 6 so I need that line.
Quote
I want print "Hacked!" on the terminal using the buffer overflow

You'll have to expand on that sentence, particularly with reference to "buffer overflow"

Like in the "Exploiting stack buffer overflows" here: http://en.wikipedia.org/wiki/Stack_buffer_overflow


Why Hacked?

I'm working on a university project

DarkCoffee


If (as it sounds) you're trying to change the return address of a called function then you are being very very stupid!

Mark

If you can explain the reason to me, maybe I can understand better!
printHacked() is not called anywhere...

holmes4

If you want to print the address of a function then take its address and print it.

If you want to make Serial's output buffer overflow then you can't! (the code stops this).

Mark

nickgammon

When I compiled your program on the Arduino IDE the compiler optimized away the printHacked function completely, so it definitely won't be called.

DarkCoffee


When I compiled your program on the Arduino IDE the compiler optimized away the printHacked function completely, so it definitely won't be called.

What do you mean by optimized away? It won't be in the memory of the board after the upload?

If you want to print the address of a function then take its address and print it.

If you want to make Serials output buffer overflow then you can't! (the code stops this).

Mark

Would you please explain a little bit more to me?
I don't want to print the address, I want to write a string in the terminal with the address of printHacked() in a way that it will be called, like the link that I posted before.
But I'm also interested in how to print the address, for my knowledge. How can I do it?

P.S.: Thank you everyone for helping me.

nickgammon


What do you mean by optimized away? It won't be in the memory of the board after the upload?


That's right. You don't call the function so the compiler knows you don't need it.

holmes4

Quote
What do you mean by optimized away? It won't be in the memory of the board after the upload?


It was not called so the compiler just binned it!

To get the address just use the address operator.

You can't force a call to printHacked(), and it's very silly to try.

Mark

DarkCoffee



What do you mean by optimized away? It won't be in the memory of the board after the upload?


That's right. You don't call the function so the compiler knows you don't need it.


Ok, so if I call it once in setup, the function will be on the board. I tried the attack but it still doesn't work.
For example I wrote "1234567891234\x00\x00\x00\x02\x19" on the terminal and it showed me: "You said: 1234567891234\x00\x00\Hello World" but not "Hacked!"


Quote
What do you mean by optimized away? It won't be in the memory of the board after the upload?


It was not called so the compiler just binned it!

To get the address just use the address operator.

You can't force a call to printHacked(), and it's very silly to try.

Mark

No, it's not silly and stupid, and please stop being so rude. It's for a project so I don't think the professor is silly or stupid!

Can you give me an example of how to use the address operator?
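An added example, not from any poster in the thread, answering the address-operator question in plain C so it runs off the board: &printHacked yields a pointer to the function, which can be formatted for printing or called through. Referencing the function this way is also what keeps the linker from discarding it, which is the "optimized away" effect nickgammon describes. The names address_of_print_hacked, format_address and call_through_pointer are my own, and the printHacked here counts calls instead of writing to Serial so the result is checkable.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the thread). Demonstrates the address-of
 * operator applied to a function and the legitimate way to reach a
 * function through its address: an indirect call. */

static int hacked_calls = 0;

/* Stand-in for the sketch's printHacked(): counts calls instead of
 * printing so the effect can be asserted without Serial. */
void printHacked(void)
{
    hacked_calls++;
}

typedef void (*handler_fn)(void);

/* Take the function's address with the address-of operator. Converting a
 * function pointer to an integer is implementation-defined but works with
 * GCC (including avr-gcc). On AVR the value is a word address, because
 * program memory is addressed in 16-bit words, so it is half the byte
 * address shown in a disassembly listing. */
uintptr_t address_of_print_hacked(void)
{
    handler_fn fn = &printHacked;   /* the address operator on a function */
    return (uintptr_t)fn;
}

/* Format the address as hex, the form you would hand to Serial.print().
 * Returns the number of characters written (snprintf's return value). */
int format_address(char *buf, size_t buf_size)
{
    return snprintf(buf, buf_size, "0x%lx",
                    (unsigned long)address_of_print_hacked());
}

/* Calling through the pointer is how a function is reached by address in
 * well-formed C; it is also a reference the compiler cannot drop.
 * Returns the running call count. */
int call_through_pointer(void)
{
    handler_fn fn = &printHacked;
    fn();                            /* same as (*fn)() */
    return hacked_calls;
}
```

On the board, Serial.print((uint16_t)&printHacked, HEX) prints the same value format_address produces here; the point of the indirect call is that the function gets executed because the program asked for it, not because a return address was overwritten.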
