Hi Everybody,
Today I would like to share the basic of stack return address overwrite that become the fundamental of buffer overflow concept.
In this post, I would make a tutorial on how overwrite the return address from the stack in order to execute a hidden function in our application. The tools that I am going to use is IDA
Lets compile our simple application C code like below
#include <iostream>
using namespace std;
int function_2() {
printf("Executing Hidden Function");
return 2;
}
int function_1(int param) {
printf("Function 1 %d \n", param);
return 1;
}
int main()
{
function_1(7);
}
Based on the above code, The function_2 will never be executed since there is no function call to the function_2. here is he challenge
Once the application get compiled. Lets load it into IDA. But before that please deactivate your OS ASLR in order to make the memory mapping easier
Main Function
Function 1
Function 2
Based on the above assembly code, with the ASLR is being disabled then there is no different between memory mapping in the file and in the memory during the PE is being executed.
Just to refresh our memory abou the stack. Here is the stack structure compared to the actual function.
Our target is not manipulate the return address section in the stack to manipulate the application flow.
What is actually return address ?
Every time a CALL instruction is executed, its return address is pushed onto the stack. Every time a RETURN instruction enters the pipeline, the next address is popped off the stack and the processor continues fetching from the associated address seamlessly
Let simulate it
Put our break point in the main function in the call function_1(int)
Run debug and analyze the stack frame for that call. As we can see before the function call happen. The function parameter has been pushed into the stack as shown below so that now the parameter is at the very top of the stack. The next step is to press F7 to go into the function
When the call to the function_1 was executed, The return address was also pushed into the stack. So now the return address is at the very top of the stack. In our application now, the return address 0004104A is pushed to the stack
In order to prepare our jump to the hidden function, We need to identify the function memory address to enable us to jump to that function. Based on the image below, the address of the hidden function_2 is at 00041000
Now, Lets continue the application flow. We will debug the application run untill before the function_1 will return to the main function
As we can see above, Just before the function would return back to the main function, The address of the return address is now at the very top of the stack as we can identify that ESP is now pointing to the address 008FFD40.
Lets do the flow manipulation. As we can see from the stack. The return address is pointing back to the main function address that is right after the function call for call function_1
In order to manipulate the flow, We need to change the return address to our hidden function. Here is on how to do it.
1. Right click on the return address in the stack window.
2. Click Edit
3. Change the address from 0004104A to 00041000
4. Right click again and press apply changes
note : 00041000 is the address of Hidden function_2
Stack before change
Stack After change
Now IDA detect that the return address is pointing to the function_2 instead of main function
After we have success changing the return address. then we can validate by continuing the debug process. Pressing F8 to continue our debug. We can verify that we are now in the hidden function_2
We see that in the console. it successfully print the prinf code
Ok.. That is all the tutorial. Happy reversing …
Cyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis 