Dalannar - 7 days ago
C Question

Buffer overflows: writing 7 in hexadecimal without 'null terminator' (0x00)

I'm trying to exploit a buffer overflow vulnerability to overwrite the return address of the stack.

However, the code I'm trying to 'hack' makes use of a canary system. It initializes an integer always to the same hard-coded value, 7, and checks later to see if that variable is still the same.

I can create a buffer overflow, and I can write over this variable, however I am having trouble writing the correct value. The buffer overflow is caused by the incorrect use of strcpy. The input is given through the contents of a file, shown below:

0000000: 6132 3334 3536 3738 395f 6232 3334 3536 a23456789_b23456
0000010: 3738 3907 00 789..


The last 2 hexadecimal values (07 00) are where I'm having trouble. 07 is the value I'm trying to place in the variable (it gets placed in the correct memory position). However, I believe I need to write 00 in the next position, otherwise the variable takes on a larger value than 7.

The problem with 00 is that it is acting as a null terminator for strcpy, which means I can't supply any more information after it, and thus can't overwrite the return address.

Is this situation possible to overcome, or is it just impossible to supply the correct value without the use of 0x00?

EDIT:

The code (mostly abbreviated to the point):

#include <stdio.h>
#include <string.h>
#include <sys/param.h>   /* MAXPATHLEN */

extern char *mapped_path;   /* longer than path; contents are attacker-controlled */

/* Returns path (it is compared against NULL by the caller), so the
   return type is char *, not void. The unbounded strcpy is the overflow. */
char *getwd(char *path)
{
    strcpy(path, mapped_path);
    return path;
}

void pwd(void)
{
    int canary = 7;                 /* hard-coded canary, checked below */
    char path[MAXPATHLEN + 1];

    if (getwd(path) == (char *) NULL)
    {
        printf("Couldn't get current directory!\n");
    }
    else
    {
        printf("Current directory = %s\n", path);
        printf("max strlen(path) is %d, strlen(path) = %zu\n", MAXPATHLEN - 1, strlen(path));
        printf("Canary should be 7. Canary = %d\n", canary);
        if (canary != 7)
            printf("ALERT: path[MAXPATHLEN + 1] has been overflowed!\n");
    }
}


The buffer overflow is happening in getwd, where mapped_path is larger than path. mapped_path at that point can hold whatever values you want.
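The root cause above is the unbounded strcpy into a fixed-size path buffer. As an added example (not code from the question or the program it describes), here is the same getwd/pwd pair with the copy bounded by the destination size, so an over-long mapped_path is rejected instead of running past path into the canary and return address. The names safe_getwd, pwd_checked and overlong_mapped_path are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/param.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024   /* fallback if the platform header lacks it */
#endif

/* Bounded replacement for the strcpy() in the question's getwd():
 * refuses the copy (returns NULL) when mapped_path does not fit in
 * path together with its terminating NUL. Hypothetical name. */
char *safe_getwd(char *path, size_t pathsz, const char *mapped_path)
{
    size_t n = strlen(mapped_path);
    if (n >= pathsz)           /* string plus NUL would not fit */
        return NULL;
    memcpy(path, mapped_path, n + 1);
    return path;
}

/* Mirrors pwd() from the question with the bound enforced.
 * Returns 1 when the path was copied and the canary is intact,
 * 0 when the input was rejected as too long. Hypothetical name. */
int pwd_checked(const char *mapped_path)
{
    int canary = 7;
    char path[MAXPATHLEN + 1];

    if (safe_getwd(path, sizeof path, mapped_path) == NULL) {
        printf("Couldn't get current directory!\n");
        return 0;
    }
    printf("Current directory = %s\n", path);
    printf("Canary should be 7. Canary = %d\n", canary);
    return canary == 7;
}

/* Constructed sample input: MAXPATHLEN + 10 bytes of 'a', the kind of
 * over-long mapped_path that overflows path in the original code. */
const char *overlong_mapped_path(void)
{
    static char buf[MAXPATHLEN + 11];
    memset(buf, 'a', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    pwd_checked("/home/user");             /* accepted */
    pwd_checked(overlong_mapped_path());   /* rejected, no overflow */
    return 0;
}
```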

Answer

You would have to inject actual shellcode that programmatically inserts the integer 7 at this specific position.

First step is to find the return address and set this to a particular position in the buffer.

Second step is to place a zero-free shellcode at the predefined position and let the shellcode set the variable to 7 again.

Zero-free shellcode is not hard to write, because of the many possible ways to zero out a variable without using the actual digit like xor eax, eax (if you are familiar with assembly).

If you have never done this before, it would probably take much time to achieve this goal.