I tried to reproduce the example in Fig. 5 https://www.usenix.org/system/files/sec20-lehmann.pdf
It seems like the write direction is the same as the grow direction of the Stack.
Is there a possibility to change the writing direction?
Compiled with clang (llvm 18):
/usr/lib/llvm-18/bin/clang --sysroot /tmp/wasi-libc -Wl,--no-entry -Wl,--export-all -Wall -Wextra -O3 -Wl,--stack-first --target=wasm32-unknown-wasi -o buffer_overflow.wasm buffer_overflow.c
Code excerpt:
void vulnerable() {
const char same_frame[8] = "BBBBBBBB";
char buffer[8];
scanf("%[^\n]", buffer);
printf("\n\nbuffer: %s\n", buffer);
printf("same_frame: %s\n", same_frame);
}
void parent() {
char parent_frame[8] = "AAAAAAAA";
vulnerable();
printf("parent_frame: %s\n", parent_frame);
for (size_t* i = (size_t*) parent_frame-40; i < (size_t*) (parent_frame+40); i++) // (parent_frame-40)
printf("%p %08zx \n", i, *i);
}
when entering 12xC. It overwrites the same_frame buffer.
buffer: CCCCCCCCCCCC
same_frame: CCCC
parent_frame: AAAAAAAACCCCCCCCCCCC
Stack:
0xffd4 00000000
0xffd8 41414141
0xffdc 41414141
0xffe0 43434343
0xffe4 43434343
0xffe8 43434343
0xffec 42424200
0xfff0 00000000
0xfff4 00000000
Last updated: Dec 23 2024 at 12:05 UTC