Hi everytbody,
I would like to continue my previous post regarding the buffer overflow, in this tutorial I want to share about how to calculte on how long is the bytes that we should pass in order to overflow the buffer to that could change the return address
We can use two methods here where we can calculate manually or we can use pattern to detect it.
First I would like to share how to manually calculate it
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void showData(char * input){
char dest[50];
memcpy(dest, input, strlen(input));
printf("Print = %s\n", dest);
}
int main()
{
char input [1000];
gets(input);
showData(input);
return 0;
}
We will be very lucky if we have he source code of the original code like the above. We can analyze that the above code buffer will overflow if we put data more than 50 bytes. But surprisingly if we put more than 50 bytes to the buffer the application will still work normal like below.
Let see why the above payload would keep the applicatio work as normal
So we can see the above stack eventhough the buffer overflow happened but the stack remain OK since it does not overide any crucial memory that disturb the application flow.
1. Manual Calculation
So how many is actually the bytes that we need to start the disturb the application flow
We can see that the memcpy will return the first address that hold the copied buffer address. We can see the first address from the EAX = 0061FADE
So we can calculate that how much bytes in order to reach the return address by with this formula = RET_ADDRESS – BUFFER_ADDRESS
Number of buffer = 0061FB1C – 0061FADE
Number of buffer = 62
2. Offset Pattern
The most common practice to calculate the buffer required to reach return address is by using pattern. So we need to generate the payload pattern and to allow the buffer overflow happen and raise the segfault with the return address error. The return address error will give us the specific payload that we input with specific sequence of offset pattern.
Lets do it. First we need to generate patter using the easies way to use the web from https://projects.jason-rush.com/tools/buffer-overflow-eip-offset-string-generator/
The first step let generate the pattern with 100 buffer length
Copy the string generated and pass it to the application and let the error raised
Error raised from IDA like below
Take the address higlighted 31634130 and put back to the website
Based on the above pattern the offset detected is at sequence 62. So it means we need to have 62 bytes of payload in order to start compromise the return address.
Return Address Compromise
After we have known the offset then we can start putting the address that we want to become the new return address. We can do it by MALICIOUS ADDRESS = PAYLOAD + NEW_RETURN_ADDRESS
