All geek questions in one place

Why do I get "Can't find the associated current function" when I rewrite the ret address of the vulnerable program?

I want to use stack based buffer overflows for educational purposes.

There is a typical function called with the main parameter, which is set as input from the local buffer program where the parameter is stored. Given such input that nops+shellcode+address_shellcode , I will use it.

After debugging with gdb, I found the address of the shell code, since it will be passed as a parameter, and right after strcpy I examine the stack, and $ebp+8 , which is the return address, was successfully rewritten with the address of the shell code. Therefore, I have what I want. But when I took a step forward, I got:

 ->shellcode_address in ?? ()

and then

 Cannot find bound of current function

The return address matters what I want. Any ideas what is going on?

Also, when I execute it, I got a segmentation error, and I compiled it with the -g -fno-stack-protector . Why?

+4
source share
4 answers

The debugger has knowledge about where the code for functions in your program starts and ends, either because this information is provided when debugging data, or because it uses any external characters visible in the executable file to provide elementary information.

When the stack is in the correct state, it contains the return address of the calling function and, somewhere above it, the return address for the higher level calling function, etc. While you are executing various debugger commands, it uses these return addresses (and other information about the stack and the state of the process) to show you the names of these functions. This requires finding the return address in the debugger's knowledge of where the functions are located.

Once you overflow the buffer and corrupt the stack, the correct return address will be destroyed. Instead, you have a different address (one indicates your shellcode if your exploit worked). When the debugger tries to figure out which function is in this address, it fails because the address is not in any of the functions in your program.

When this error occurs, the debugger prints the error message that you see.

Usually, the debugger can still perform the basic functions: it can display registers and memory in your program, it can still execute single-stage and set breakpoints, etc. He will have problems with what requires a more complex interpretation: he cannot understand where the frames of the stack are, he cannot find local variables by name, etc.

+5
source

Assuming your Linux distribution is recent and you are working with x86ish architecture, you can no longer execute shell code from user space (this also applies to other architectures, I'm just not familiar with them). There are a number of reasons, in your case, most likely, setting nx bits. Go to the Linux security management pages and you will see a large number of default security measures; and google "breaking the stack for fun in 2011" for possible paths around it. Compiling with "-fno-stack-protector" means not setting the canary value; but this is not enough. If you want to do this for educational purposes, I suggest installing a virtual machine, such as a virtual box, and an old distribution on it.

0
source

You execute the code on the stack and ask GDB what function you are in.
Obviously, GDB is confusing because you do not have any function. Thus, it shows the address and "??"

You must compile with -no-stack-protector, because stack protection protects you from what you are trying to do.
I am not saying that there is no way around it, but more effort and a good understanding of the defense mechanism are required.

0
source

Most likely, you have a buffer overflow problem somewhere in a function (or something like that). It overwrites the current stack stack of your function with irrelevant data and destroys the return address in the process, which is usually stored there by the way. As a result, the code "returns" to some unpredictable place and cannot understand where it is returning. This causes an error message.

0
source

Source: https://habr.com/ru/post/1389437/

More articles:


All Articles