Buffer Overflow with Data from Standard Input and fgets()
As mentioned in the Read Using gets task, the gets()
function is prohibited in current programs.
Instead, the fgets()
function can be used.
Open the source code file read_stdin_fgets.asm
from the drills/tasks/read-stdin-fgets/support/
.
In the read_stdin_fgets.asm
source file, follow TODO 1 and change the gets()
function call to the fgets()
function call.
For the fgets()
call, read from standard input.
As an argument for the third parameter of fgets()
(of type FILE *
) you will use standard input.
To specify standard input, use the stdin
stream.
You will need to mark it as external using, at the beginning of the assembly language file, the construction:
extern stdin
stdin
is an address; to call fgets()
with standard input,
it is sufficient to pass on the stack the value from the stdin
address, i.e., using the construction:
push dword [stdin]
HINT Follow the manual page of the
fgets()
function to find out what parameters it receives. TIP Since thefgets()
function has 3 parameters (which occupy3 × 4 = 12
bytes) you will need to useadd esp, 12
after the function call, in restoring the stack, instead ofadd esp, 4
as in the case of the program above that usedgets()
. IMPORTANT Do not modify the assembly language code. Transmit the input string in the appropriate format to the standard input to generate a buffer overflow and to obtain the required result.
Follow TODO 2 in code and call fgets() instead of gets, but keep in mind that you will have to push a value big enough for the buffer size in order to produce an overflow. The result should be the same like in the read_stdin_gets task.
TIP As above, to transmit the input string for the program, it is recommended to write it in a file and then redirect that file to the corresponding program command. Redirecting the
payload
file to the program is done using a command like:
./read_stdin_fgets < payload
What happens if you push buffer_length - 1, instead of buffer_length. Why var is 0x004F4C46 now?
If you're having difficulties solving this exercise, go through this reading material.