Return Address Overwrite

Hi Everybody,

Today I would like to share the basic of stack return address overwrite that become the fundamental of buffer overflow concept.

In this post, I would make a tutorial on how overwrite the return address from the stack in order to execute a hidden function in our application. The tools that I am going to use is IDA

Lets compile our simple application C code like below

#include <iostream>
using namespace std;

int function_2() {
    printf("Executing Hidden Function");
    return 2;
}

int function_1(int param) {
    printf("Function 1 %d \n", param);
    return 1;
}

int main()
{
    function_1(7);
}

Based on the above code, The function_2 will never be executed since there is no function call to the function_2. here is he challenge

Once the application get compiled. Lets load it into IDA. But before that please deactivate your OS ASLR in order to make the memory mapping easier

Main Function

Function 1

Function 2

Based on the above assembly code, with the ASLR is being disabled then there is no different between memory mapping in the file and in the memory during the PE is being executed.

Just to refresh our memory abou the stack. Here is the stack structure compared to the actual function.

Journey to the Stack, Part I | Many But Finite

Our target is not manipulate the return address section in the stack to manipulate the application flow.

What is actually return address ?

Every time a CALL instruction is executed, its return address is pushed onto the stack. Every time a RETURN instruction enters the pipeline, the next address is popped off the stack and the processor continues fetching from the associated address seamlessly

Let simulate it

Put our break point in the main function in the call function_1(int)

Run debug and analyze the stack frame for that call. As we can see before the function call happen. The function parameter has been pushed into the stack as shown below so that now the parameter is at the very top of the stack. The next step is to press F7 to go into the function

When the call to the function_1 was executed, The return address was also pushed into the stack. So now the return address is at the very top of the stack. In our application now, the return address 0004104A is pushed to the stack

In order to prepare our jump to the hidden function, We need to identify the function memory address to enable us to jump to that function. Based on the image below, the address of the hidden function_2 is at 00041000

Now, Lets continue the application flow. We will debug the application run untill before the function_1 will return to the main function

As we can see above, Just before the function would return back to the main function, The address of the return address is now at the very top of the stack as we can identify that ESP is now pointing to the address 008FFD40.

Lets do the flow manipulation. As we can see from the stack. The return address is pointing back to the main function address that is right after the function call for call function_1

In order to manipulate the flow, We need to change the return address to our hidden function. Here is on how to do it.

1. Right click on the return address in the stack window.
2. Click Edit
3. Change the address from 0004104A to 00041000
4. Right click again and press apply changes

note : 00041000 is the address of Hidden function_2

Stack before change

Stack After change

Now IDA detect that the return address is pointing to the function_2 instead of main function

After we have success changing the return address. then we can validate by continuing the debug process. Pressing F8 to continue our debug. We can verify that we are now in the hidden function_2

We see that in the console. it successfully print the prinf code

Ok.. That is all the tutorial. Happy reversing …

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s