Stack Overflow Exploit in C

萌比男神i 2020-12-13 22:53

The question is actually about stack overflows in C. I have an assignment that I can not get done for the life of me, I've looked at everything in the gdb and I just can't f

3 answers
  • 2020-12-13 23:31

    SoapBox already did a great job of leading you in the right direction.

    For more information: http://www.skullsecurity.org/wiki/index.php/Example_4

  • 2020-12-13 23:32

    You need to manipulate the stack frame of the caller (main()), and arrange it in such a way that, on returning to shell_call() from the epilog of the overflowed victim_func(), the latter finds a settled stack as if it had been called by main.

    In doing so you probably have to mangle the frame pointer in the stack frame of the victim, which will be restored into %ebp by means of leave.

  • 2020-12-13 23:42

    I probably shouldn't do your homework for you. But basically:

    You need to get a character buffer somewhere in memory to store the string you want to execute. Obviously, you can do this the same way you are getting the other functions called (i.e. you put the text on the stack as well). After you have that written, you need to write a pointer to it onto the stack in the location that the shell_code function expects to find its arguments.

    The best way to figure this out without me doing all of the work for you is to write down your stack/memory contents on a piece of paper/whiteboard. Write down how it would look if you called shell_code normally from inside the program. Then write down what the stack looks like inside victim_func and figure out which things to change to get it to look like it would look "naturally" (of course keeping in mind some things are "don't cares" like the return address).

    That's all the charity you're gonna get from me today! :-P

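The answers above describe why an unbounded copy into a stack buffer lets input reach the saved frame pointer and return address. The following C is an added example, not code from the question or from any of the answers: it shows the shape of a vulnerable routine like the `victim_func` the question refers to beside a hardened version that refuses input that would not fit, plus a helper that computes how many bytes an input would write past the buffer. The function names `victim_func_unsafe`, `victim_func_safe`, `overflow_bytes` and the 16-byte buffer size are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; the question's real size is unknown. */
#define BUF_SIZE 16

/* Hypothetical vulnerable routine, in the shape the question describes.
 * strcpy() performs no length check, so input longer than BUF_SIZE keeps
 * writing upward into the saved %ebp and the return address that sit
 * above buf in the frame. Calling this with a long string is undefined
 * behaviour, so it is only ever called here with a short one. */
void victim_func_unsafe(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);              /* overflow happens here */
    printf("unsafe copy: %s\n", buf);
}

/* Hardened version: check the length first, copy with an explicit bound,
 * and always NUL-terminate. Returns 0 on success and -1 when the input
 * would have overflowed the buffer (and thus the saved frame). */
int victim_func_safe(const char *input) {
    char buf[BUF_SIZE];
    size_t len = strlen(input);
    if (len >= BUF_SIZE) {           /* need room for the terminating NUL */
        return -1;
    }
    memcpy(buf, input, len);
    buf[len] = '\0';
    printf("safe copy: %s\n", buf);
    return 0;
}

/* How many bytes (including the terminating NUL) a given input would write
 * past the end of a BUF_SIZE buffer; 0 means it fits. This is the number a
 * reviewer compares against the distance from buf to the saved frame
 * pointer when judging whether an input can reach it. */
size_t overflow_bytes(const char *input) {
    size_t needed = strlen(input) + 1;
    return needed > BUF_SIZE ? needed - BUF_SIZE : 0;
}

int main(void) {
    /* Constructed sample inputs: one that fits, one that would not. */
    const char *short_input = "hello";
    const char *long_input  = "this string is longer than sixteen bytes";

    victim_func_unsafe(short_input);     /* safe only because input is short */
    printf("safe(short) -> %d\n", victim_func_safe(short_input));
    printf("safe(long)  -> %d\n", victim_func_safe(long_input));
    printf("long input would write %zu bytes past buf\n",
           overflow_bytes(long_input));
    return 0;
}
```

The hardened function rejects the input rather than truncating it silently, so a caller can log or fail closed; `overflow_bytes` only does the arithmetic the third answer suggests doing on paper, for a buffer of the assumed size.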