flat assembler
Message board for the users of flat assembler.

Security Question
Overflowz 06 Nov 2010, 21:34
Hello everyone. I'm trying to make a program that will be vulnerable to buffer overflows.. But I fail. I don't know any reason why my code fails.. Can someone write that for me? Here's the code I'm trying..
Code:
format PE CONSOLE 4.0
include 'win32ax.inc'
entry main
section '.data' data readable writeable
ovrflw db "AAAAAAAAAAAAAAAA",0
buffer db 1
section '.text' code readable executable
proc main
invoke lstrcpy,buffer,ovrflw
invoke ExitProcess,0
endp
section '.idata' import data readable
library user32,'user32.dll',kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'
section '.reloc' fixups data discardable

And btw, without using any C library. Is that possible, or am I doing something wrong? Thanks.
revolution 06 Nov 2010, 22:42
Overflowz: usually buffer overflows are on the stack.
Code:
        format PE CONSOLE 4.0
        include 'win32ax.inc'

section '.data' data readable writeable

        ovrflw  db      1000 dup ('A'),0        ;"AAAAAAAAAAAAAAAA",0

section '.text' code readable executable

proc main
        call    copy
        invoke  ExitProcess,0
endp

proc copy
        locals
                buffer  rb      256             ;buffer is too small
        endl
        invoke  lstrcpy,addr buffer,ovrflw      ;overflow
        ret                                     ;where will this return to?
endp

.end main
Overflowz 06 Nov 2010, 22:49
I don't understand.. locals/endl means the buffer is defined on the stack?
revolution 06 Nov 2010, 23:04
Overflowz wrote:
I don't understand.. locals/endl means the buffer is defined on the stack?
Yes.
Overflowz 06 Nov 2010, 23:30
And it can't be done in the .data section? Like
Code:
section '.data' data readable writeable
locals
buffer rb 123
endl

And what's the difference between locals and globals? Thanks.
revolution 06 Nov 2010, 23:40
Locals are on the stack and only available to the proc that allocates them.

Globals are in preallocated memory available to the whole process.

You can certainly overflow your buffer in the data section but that usually doesn't make your code vulnerable to any attack (perhaps in rare circumstances, but I've never seen it). But when you overflow on the stack you also overwrite the return address and it becomes possible to start executing code that should not be executed.
Overflowz 06 Nov 2010, 23:51
Watch, I've done something like this and it works fine.. Overflowed successfully.
Code:
        format PE CONSOLE 4.0
        include 'win32ax.inc'

section '.data' data readable writeable
        msg     db      "Hello World!",0
        ovrflw  db      16 dup 0x41
        buff    dd      0x00402005              ;MessageBox Address
     ;  buff2   db      4 dup 0x43
        bend    db      0x0

section '.text' code readable executable

proc main
        call    copy                            ;Overflow and EIP = 00402005
        invoke  MessageBox,0,msg,msg,MB_OK      ;00402005
        invoke  ExitProcess,0
endp

proc copy
        locals
                buffer  rb      10
        endl
        invoke  lstrcpy,addr buffer,ovrflw
        ret
endp

.end main

Thanks for the info, revolution!
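The two posts above (revolution's explanation that a stack local sits next to the return address, and Overflowz's program that lands 0x00402005 in that slot) can be modelled without running the assembly. The following C program is an added example, not code from the thread or from the flat assembler project. It assumes a frame layout the thread never states: the 10-byte local rounded up to 12 bytes, then the saved EBP, then the return address, which is what makes 16 bytes of padding put the next four bytes exactly into the return slot. It feeds the thread's bytes (16 x 'A', then 05 20 40 00; lstrcpy stops at that trailing zero, so bend is never reached) through an unguarded frame, through the same frame with a stack-protector style canary, and through a bounded copy, to show where the bytes land, how the canary check notices the overwrite before ret, and how a length check prevents it. The canary value, the "real" return address and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not stated in the thread): 10-byte local rounded to 12,
 * then saved EBP, then the return address, all at increasing addresses. */
#define BUFFER_DECLARED 10
#define BUFFER_ROUNDED  12
#define CANARY_VALUE    0xDEADBEEFu   /* constructed guard value */
#define REAL_RETURN     0x00401000u   /* constructed "correct" return address */

/* Unguarded frame, modelling proc copy as written in the thread. */
struct frame_plain {
    uint8_t  buffer[BUFFER_ROUNDED];
    uint32_t saved_ebp;
    uint32_t return_addr;
};

/* Same frame with a canary between the local buffer and the saved registers,
 * the layout a compiler stack protector produces. */
struct frame_guarded {
    uint8_t  buffer[BUFFER_ROUNDED];
    uint32_t canary;
    uint32_t saved_ebp;
    uint32_t return_addr;
};

/* Constructed source bytes mirroring ovrflw (16 x 'A') and buff (0x00402005,
 * little-endian). Its high byte is the zero that stops the copy; bend follows
 * it in the thread's program but is never reached. */
static const uint8_t overflow_src[] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x05, 0x20, 0x40, 0x00
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* lstrcpy-like copy: runs to the NUL with no regard for the buffer. The only
 * bound is the edge of the modelled frame, so the simulation never writes
 * outside the struct; anything past it is counted in *spilled instead. */
static size_t unchecked_copy(uint8_t *frame, size_t frame_size,
                             const uint8_t *src, size_t *spilled) {
    size_t n = strlen((const char *)src) + 1;
    *spilled = n > frame_size ? n - frame_size : 0;
    memcpy(frame, src, n - *spilled);
    return n - *spilled;
}

/* The fix: refuse a source that does not fit, leaving the buffer empty but
 * terminated. Returns 0 on success, -1 when the source is too long. */
int bounded_copy(uint8_t *dst, size_t dst_size, const uint8_t *src) {
    size_t n = strlen((const char *)src) + 1;
    if (dst_size == 0) return -1;
    if (n > dst_size) { dst[0] = 0; return -1; }
    memcpy(dst, src, n);
    return 0;
}

/* Unguarded frame: what the return-address slot holds after the copy. */
uint32_t plain_frame_return_after_copy(void) {
    struct frame_plain f;
    size_t spilled;
    memset(&f, 0, sizeof f);
    f.return_addr = REAL_RETURN;
    unchecked_copy((uint8_t *)&f, sizeof f, overflow_src, &spilled);
    return read_le32((const uint8_t *)&f + offsetof(struct frame_plain, return_addr));
}

/* Guarded frame: the copy has to cross the canary before it reaches the
 * saved registers, so a check before ret sees the overwrite. 1 = intact. */
int guarded_frame_canary_intact_after_copy(void) {
    struct frame_guarded f;
    size_t spilled;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.return_addr = REAL_RETURN;
    unchecked_copy((uint8_t *)&f, sizeof f, overflow_src, &spilled);
    return f.canary == CANARY_VALUE;
}

/* Unguarded frame with the bounded copy checked against the declared 10
 * bytes: the copy is rejected and the return address is untouched. */
int bounded_copy_keeps_return_address(void) {
    struct frame_plain f;
    memset(&f, 0, sizeof f);
    f.return_addr = REAL_RETURN;
    int rc = bounded_copy(f.buffer, BUFFER_DECLARED, overflow_src);
    return rc == -1 && f.return_addr == REAL_RETURN;
}

int main(void) {
    printf("unguarded frame, unchecked copy: return slot = 0x%08x\n",
           (unsigned)plain_frame_return_after_copy());
    printf("guarded frame, unchecked copy:   canary intact = %d\n",
           guarded_frame_canary_intact_after_copy());
    printf("unguarded frame, bounded copy:   return kept = %d\n",
           bounded_copy_keeps_return_address());
    return 0;
}
```

In the thread's FASM program the equivalent of bounded_copy is to copy with a length limit (lstrcpyn with the local's size, or an explicit length check before lstrcpy); that is the usual fix, not something the thread itself shows. The guarded frame is there to explain why a stack protector catches this particular overwrite: the same 20 bytes that reach the return slot in the plain layout stop at the saved EBP in the guarded one, and the clobbered canary is detected before ret ever uses the slot.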
baldr 07 Nov 2010, 03:47
Overflowz,

The .data section is rarely useful for an overflow attack (unless it contains some pointers); the stack does contain them in good quantities.
Copyright © 1999-2025, Tomasz Grysztar.