ARM buffer overflow: chapter 2 ( ° ͜ʖ °) (day 59)

Back again with the ARM buffer overflow tutorial. In this post, we will try to redirect the flow of program execution by hijacking the PC (EIP) register inside the program

for proof of concept we are going to use the following code from stack4 protostar:

#include <stdio.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

It is pretty clear that we need to redirect the flow of the execution to win() function. Ok! first we need to compile the code with the following flag.






The next step is to find how many offsets of bytes that we need to overwrite the PC register. Since my raspberry pi doesn't have an internet connection to download the usual tool, it looks like we need to create our own pattern generator.




the following python script will generate all alphabets including lowercase and uppercase and also digits. Each loop will multiply each character into 4 so we will have enough character to try




Put it into your program and run gdb along with it

 

cool so we crash the program and we can translate the following hex code with python.



from this result, we can see that we need 68 bytes of offsets to overflow the PC register. Let's try to check if we got the right count





We got the offset right. Next is to find the location of win() function inside the program.



we got the location and update the python script into:

import struct

padding = "A" * 68
win_function = struct.pack(0x01044c)

print padding + win_function

 

ok so we try the exploit at gdb environment and it works flawlessly and in the end, you can try it outside the gdb

Well! that's the end of part 2 as you can see it's a pretty short post since the flow of the exploitation is actually the same when we do buffer overflow in intel x86

Hope you enjoy this post :)