I'm currently taking a computer security class. The thing is, I haven't even taken an intro computer programming course. I taught myself a good deal of C++ back this summer, but I hardly know as much as the other students in the class.

we were asked to manipulate the following code so that the program returns x as 0 instead of 1.

So I need to manipulate the function in such a way that I alter the return address. I want to skip the x=1 step and, instead, go straight to the printf("%d\n", x)

void function(char *source) {
/* add stuff here  Note: do not use a buffer overflow*/
}
void main(){
int x;
x=0;
function("...")
x=1;
printf("%d\n",x);
}

Note: I am not looking for straight answers. I would like some guidance on where to start. I know that this is a pointer exercise.

int function(char *source) {
/* add stuff here Note: do not use a buffer overflow*/
return 0; 
}

void main(){
int x;
x=0;
if(function("..."))
x=1;
printf("%d\n",x);
}

yeah... forgot to mention that he told us explicitly not to do that. If I remember right, if I were to use a buffer overflow and consequently receive a segmentation error, I would have the same result.

I think this is what it should look like... I'm not exactly sure what to do with the pointer syntax in the functions. Why do I not define *source before I call it in the function? Is it because I use char*course in the prototype?

void Function(char *source) {
char buffer = [10]
source = buffer
(*source) = source + 12 // might be 14 depending upon whether or not the address of the source begins after at 10 or 12.  Although the buffer has 10 bits, it is 2 words long, so it actually occupies 12 bits.  Will source's address begin at 10 or begin at 12?
}

void main(){
int x;
x=0;
Function(*source)
x=1;
printf("%d\n",x);
}

we actually don't have a book...
Plus this class is wayy past the basics. I'm just taking it randomly. I've never formally been taught a computer language.
I guess this works a little bit better

void Function(char *source) {
char buffer = [10];
source = buffer;
(*source) = source + 12 /* So I need 4 bytes to pass the SFP.
another 4 bytes to overwrite the return address.
and then another 4 bytes to overwrite the x=1. */
}

void main(){
char *source = 0;
int x;
x=0;
Function(source)
x=1;
printf("%d\n",x);
}

okay. So now I have a much better idea of what I'm doing.
I got most of it right now.

#include <stdio.h>
void Function(char *source) {
int buffer[10];
int *ret;
ret = buffer + 16;
(*ret) = ret + 10;
}
void main(){
int x = 0;
Function("gsgrw")
x=1;
printf("%d\n",x);
}

so, the stack looks as follows:
[buffer][SFP][return address][x = 1]

I placed the address of ret at buffer + 16. We want the address of ret to begin after the 10 bit buffer (but this is more than two words, so the buffer must be 12 bits long) and after the 4 bit SFP. 12 + 4 = 16.


Using the assembly code (assembly code below), I need to determine how many bits are in between the beginning of the address of ret and at the end of the address x=1.

We know that the address of ret begins when the call function ends.
That happens at main + 26.

the x=1 begins at main +29 and ends at main +36
.
so we want to write over these bits with random code. So we extend the length of the ret value by 10.

Here is the assembly:

Dump of assembler code for function main:
0x08048438 <main+0>: push %ebp
0x08048439 <main+1>: mov %esp,%ebp
0x0804843b <main+3>: sub $0x8,%esp
0x0804843e <main+6>: movl $0x0,0xfffffffc(%ebp)
0x08048445 <main+13>: sub $0xc,%esp
0x08048448 <main+16>: push $0x8048560
0x0804844d <main+21>: call 0x804841c <function>
0x08048452 <main+26>: add $0x10,%esp
0x08048455 <main+29>: movl $0x1,0xfffffffc(%ebp)
0x0804845c <main+36>: sub $0x8,%esp
0x0804845f <main+39>: pushl 0xfffffffc(%ebp)
0x08048462 <main+42>: push $0x8048564
0x08048467 <main+47>: call 0x8048310 <__deregister_frame_info@plt+32>
0x0804846c <main+52>: add $0x10,%esp
0x0804846f <main+55>: leave
0x08048470 <main+56>: ret
0x08048471 <main+57>: nop
0x08048472 <main+58>: nop
0x08048473 <main+59>: nop

Thank you for any help

This article has been dead for over six months. Start a new discussion instead.