Calculate Buffer Overflow

Reverse Engineering Leave a comment

Hi everytbody,

I would like to continue my previous post regarding the buffer overflow, in this tutorial I want to share about how to calculte on how long is the bytes that we should pass in order to overflow the buffer to that could change the return address

We can use two methods here where we can calculate manually or we can use pattern to detect it.

First I would like to share how to manually calculate it 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void showData(char * input){
   char dest[50];
   memcpy(dest, input, strlen(input));
   printf("Print = %s\n", dest);
}

int main()
{
   char input [1000];
   gets(input);
   showData(input);
   return 0;
}

We will be very lucky if we have he source code of the original code like the above. We can analyze that the above code buffer will overflow if we put data more than 50 bytes. But surprisingly if we put more than 50 bytes to the buffer the application will still work normal like below.

Let see why the above payload would keep the applicatio work as normal

So we can see the above stack eventhough the buffer overflow happened but the stack remain OK since it does not overide any crucial memory that disturb the application flow.

1. Manual Calculation

So how many is actually the bytes that we need to start the disturb the application flow

We can see that the memcpy will return the first address that hold the copied buffer address. We can see the first address from the EAX = 0061FADE

So we can calculate that how much bytes in order to reach the return address by with this formula = RET_ADDRESS – BUFFER_ADDRESS

Number of buffer = 0061FB1C – 0061FADE

Number of buffer = 62

2. Offset Pattern

The most common practice to calculate the buffer required to reach return address is by using pattern. So we need to generate the payload pattern and to allow the buffer overflow happen and raise the segfault with the return address error. The return address error will give us the specific payload that we input with specific sequence of offset pattern.

Lets do it. First we need to generate patter using the easies way to use the web from https://projects.jason-rush.com/tools/buffer-overflow-eip-offset-string-generator/

The first step let generate the pattern with 100 buffer length

Copy the string generated and pass it to the application and let the error raised

Error raised from IDA like below

Take the address higlighted 31634130 and put back to the website

Based on the above pattern the offset detected is at sequence 62. So it means we need to have 62 bytes of payload in order to start compromise the return address.

Return Address Compromise

After we have known the offset then we can start putting the address that we want to become the new return address. We can do it by MALICIOUS ADDRESS = PAYLOAD + NEW_RETURN_ADDRESS

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s