In the code below, when I try to overwrite the stack by exploiting the buffer overflow in the following line,
memcpy(&local_1d,*(void **)local_10[1],(ulong)*(uint *)(local_10[1] + 8));
I also overwrite `local_10` and get a dereferencing error.
/*
 * show(): print the favorites list of the currently logged-in user.
 * This is Ghidra decompiler output; the `undefined*` types and the
 * local_*/uStack_* names are synthetic.
 *
 * Stack layout, from the listing (local_1d = Stack[-0x1d], local_10 =
 * Stack[-0x10]): local_1d, uStack_18 and uStack_15 form one contiguous
 * 5+3+5 = 13-byte buffer that is immediately followed by local_10, so any
 * memcpy below that copies more than 13 bytes clobbers local_10 (the list
 * cursor) before the loop step dereferences it.
 */
void show(void)
{
undefined5 local_1d;   /* first 5 bytes of the 13-byte output buffer */
undefined3 uStack_18;  /* middle 3 bytes of the same buffer */
undefined5 uStack_15;  /* last 5 bytes; local_10 sits directly after it */
undefined8 *local_10;  /* list cursor: [0] = next node, [1] = pointer to the record */
/* DAT_00404050 appears to be the logged-in user index; 0xff means nobody is logged in. */
if (DAT_00404050 == 0xff) {
puts("[-] No user has logged in yet.");
}
else {
/* Table at DAT_004040a0 holds 8-byte pointers, one per user; the pointed-to
 * structure keeps the favorites list head at offset 0x10. */
local_10 = *(undefined8 **)(*(long *)(&DAT_004040a0 + (long)(int)(uint)DAT_00404050 * 8) + 0x10)
;
/* The buffer is zeroed once, before the loop, not per iteration: a shorter
 * string copied after a longer one keeps the longer one's tail bytes, and
 * printf("%s") below prints them. */
local_1d = 0;
uStack_18 = 0;
uStack_15 = 0;
puts("[~] Your favorites:");
/* Walk the singly linked list. The step `local_10 = *local_10` is the load at
 * 0x4019b9 that faults once local_10 has been overwritten with an unreadable
 * value (for instance 0). */
for (; local_10 != (undefined8 *)0x0; local_10 = (undefined8 *)*local_10) {
/* Record layout seen through local_10[1]: {ptr @+0x00, u32 len @+0x08},
 * {ptr @+0x10, u32 len @+0x18}, {ptr @+0x20, u32 len @+0x28}. Each copy
 * passes the stored length to memcpy unchecked against the 13-byte
 * destination; the fix is to clamp the length to sizeof(buffer) - 1 and
 * NUL-terminate before printing. */
memcpy(&local_1d,*(void **)local_10[1],(ulong)*(uint *)(local_10[1] + 8));
printf(" - Song: %s",&local_1d);
memcpy(&local_1d,*(void **)(local_10[1] + 0x10),(ulong)*(uint *)(local_10[1] + 0x18));
printf(" - %s",&local_1d);
memcpy(&local_1d,*(void **)(local_10[1] + 0x20),(ulong)*(uint *)(local_10[1] + 0x28));
printf(" - %s\n",&local_1d);
}
}
return;
}
In the assembly, the error occurs at address 004019b9.
0x4019b9 mov rax, qword ptr [rax]
**************************************************************
* FUNCTION *
**************************************************************
undefined show_favorites()
undefined <UNASSIGNED> <RETURN>
undefined8 Stack[-0x10]:8 local_10 XREF[10]: 004018c5(W),
004018ed(R),
004018fa(R),
0040192f(R),
0040193c(R),
00401972(R),
0040197f(R),
004019b5(R),
004019bc(W),
004019c0(R)
undefined8 Stack[-0x1d]:8 local_1d XREF[7,1]: 004018c9(W),
00401905(*),
00401914(*),
00401948(*),
00401957(*),
0040198b(*),
0040199a(*),
004018d1(W)
show_favorites XREF[3]: main:004013da(c), 004022c4,
00402478(*)
0040187b 55 PUSH RBP
0040187c 48 89 e5 MOV RBP,RSP
0040187f 48 83 ec 20 SUB RSP,0x20 ; 0x20-byte frame: 13-byte buffer at rbp-0x15..rbp-0x9, local_10 at rbp-0x8
00401883 0f b6 05 MOVZX EAX,byte ptr [DAT_00404050] = FFh ; logged-in user index (0xff = none)
c6 27 00 00
0040188a 3c ff CMP AL,0xff
0040188c 75 14 JNZ LAB_004018a2
0040188e 48 8d 05 LEA RAX,[s_[-]_No_user_has_logged_in_yet._00402180] = "[-] No user has logged in yet."
eb 08 00 00
00401895 48 89 c7 MOV RDI=>s_[-]_No_user_has_logged_in_yet._00402180 = "[-] No user has logged in yet."
00401898 e8 a3 f7 CALL <EXTERNAL>::puts int puts(char * __s)
ff ff
0040189d e9 29 01 JMP LAB_004019cb
00 00
LAB_004018a2 XREF[1]: 0040188c(j)
004018a2 0f b6 05 MOVZX EAX,byte ptr [DAT_00404050] = FFh
a7 27 00 00
004018a9 0f b6 c0 MOVZX EAX,AL
004018ac 48 98 CDQE
004018ae 48 8d 14 LEA RDX,[RAX*0x8] ; index * 8 into the pointer table at DAT_004040a0
c5 00 00
00 00
004018b6 48 8d 05 LEA RAX,[DAT_004040a0]
e3 27 00 00
004018bd 48 8b 04 02 MOV RAX,qword ptr [RDX + RAX*0x1]=>DAT_00404898 ; per-user structure pointer
004018c1 48 8b 40 10 MOV RAX,qword ptr [RAX + 0x10] ; favorites list head
004018c5 48 89 45 f8 MOV qword ptr [RBP + local_10],RAX ; local_10 = list head
004018c9 48 c7 45 MOV qword ptr [RBP + local_1d],0x0 ; zero the buffer: 8 bytes at rbp-0x15 ...
eb 00 00
00 00
004018d1 48 c7 45 MOV qword ptr [RBP + local_1d+0x5],0x0 ; ... and 8 bytes at rbp-0x10 (overlapping), done once, not per iteration
f0 00 00
00 00
004018d9 48 8d 05 LEA RAX,[s_[~]_Your_favorites:_00402220] = "[~] Your favorites:"
40 09 00 00
004018e0 48 89 c7 MOV RDI=>s_[~]_Your_favorites:_00402220,RAX = "[~] Your favorites:"
004018e3 e8 58 f7 CALL <EXTERNAL>::puts int puts(char * __s)
ff ff
004018e8 e9 d3 00 JMP LAB_004019c0
00 00
LAB_004018ed XREF[1]: 004019c5(j)
004018ed 48 8b 45 f8 MOV RAX,qword ptr [RBP + local_10]
004018f1 48 8b 40 08 MOV RAX,qword ptr [RAX + 0x8] ; record pointer = node[1]
004018f5 8b 40 08 MOV EAX,dword ptr [RAX + 0x8] ; u32 length at record+8, taken as-is
004018f8 89 c2 MOV EDX,EAX ; memcpy size: never compared with the 13-byte destination
004018fa 48 8b 45 f8 MOV RAX,qword ptr [RBP + local_10]
004018fe 48 8b 40 08 MOV RAX,qword ptr [RAX + 0x8]
00401902 48 8b 08 MOV RCX,qword ptr [RAX] ; source pointer at record+0
00401905 48 8d 45 eb LEA RAX=>local_1d,[RBP + -0x15] ; destination = stack buffer
00401909 48 89 ce MOV RSI,RCX
0040190c 48 89 c7 MOV RDI,RAX
0040190f e8 4c f7 CALL <EXTERNAL>::memcpy void * memcpy(void * __dest, voi ; copies > 13 bytes run into local_10 at rbp-0x8
ff ff
00401914 48 8d 45 eb LEA RAX=>local_1d,[RBP + -0x15]
00401918 48 89 c6 MOV RSI,RAX
0040191b 48 8d 05 LEA RAX,[s_-_Song:_%s_00402234] = " - Song: %s"
12 09 00 00
00401922 48 89 c7 MOV RDI=>s_-_Song:_%s_00402234,RAX = " - Song: %s"
00401925 b8 00 00 MOV EAX,0x0
00 00
0040192a e8 81 f7 CALL <EXTERNAL>::printf int printf(char * __format, ...)
ff ff
0040192f 48 8b 45 f8 MOV RAX,qword ptr [RBP + local_10]
00401933 48 8b 40 08 MOV RAX,qword ptr [RAX + 0x8]
00401937 8b 40 18 MOV EAX,dword ptr [RAX + 0x18] ; second length field, same unchecked use
0040193a 89 c2 MOV EDX,EAX
0040193c 48 8b 45 f8 MOV RAX,qword ptr [RBP + local_10]
00401940 48 8b 40 08 MOV RAX,qword ptr [RAX + 0x8]
00401944 48 8b 48 10 MOV RCX,qword ptr [RAX + 0x10] ; second source pointer
00401948 48 8d 45 eb LEA RAX=>local_1d,[RBP + -0x15]
0040194c 48 89 ce MOV RSI,RCX
0040194f 48 89 c7 MOV RDI,RAX
00401952 e8 09 f7 CALL <EXTERNAL>::memcpy void * memcpy(void * __dest, voi
ff ff
00401957 48 8d 45 eb LEA RAX=>local_1d,[RBP + -0x15]
0040195b 48 89 c6 MOV RSI,RAX
0040195e 48 8d 05 LEA RAX,[s_-_%s_00402243] = " - %s"
de 08 00 00
00401965 48 89 c7 MOV RDI=>s_-_%s_00402243,RAX = " - %s"
00401968 b8 00 00 MOV EAX,0x0
00 00
0040196d e8 3e f7 CALL <EXTERNAL>::printf int printf(char * __format, ...)
ff ff
00401972 48 8b 45 f8 MOV RAX,qword ptr [RBP + local_10]
00401976 48 8b 40 08 MOV RAX,qword ptr [RAX + 0x8]
0040197a 8b 40 28 MOV EAX,dword ptr [RAX + 0x28] ; third length field, same unchecked use
0040197d 89 c2 MOV EDX,EAX
0040197f 48 8b 45 f8 MOV RAX,qword ptr [RBP + local_10]
00401983 48 8b 40 08 MOV RAX,qword ptr [RAX + 0x8]
00401987 48 8b 48 20 MOV RCX,qword ptr [RAX + 0x20] ; third source pointer
0040198b 48 8d 45 eb LEA RAX=>local_1d,[RBP + -0x15]
0040198f 48 89 ce MOV RSI,RCX
00401992 48 89 c7 MOV RDI,RAX
00401995 e8 c6 f6 CALL <EXTERNAL>::memcpy void * memcpy(void * __dest, voi
ff ff
0040199a 48 8d 45 eb LEA RAX=>local_1d,[RBP + -0x15]
0040199e 48 89 c6 MOV RSI,RAX
004019a1 48 8d 05 LEA RAX,[s_-_%s_00402249] = " - %s\n"
a1 08 00 00
004019a8 48 89 c7 MOV RDI=>s_-_%s_00402249,RAX = " - %s\n"
004019ab b8 00 00 MOV EAX,0x0
00 00
004019b0 e8 fb f6 CALL <EXTERNAL>::printf int printf(char * __format, ...)
ff ff
004019b5 48 8b 45 f8 MOV RAX,qword ptr [RBP + local_10] ; reload local_10 (possibly clobbered by the copies above)
004019b9 48 8b 00 MOV RAX,qword ptr [RAX] ; faulting load: node[0] = next; unreadable once local_10 is corrupted
004019bc 48 89 45 f8 MOV qword ptr [RBP + local_10],RAX ; local_10 = next
LAB_004019c0 XREF[1]: 004018e8(j)
004019c0 48 83 7d CMP qword ptr [RBP + local_10],0x0 ; loop while local_10 != NULL
f8 00
004019c5 0f 85 22 JNZ LAB_004018ed
ff ff ff
LAB_004019cb XREF[1]: 0040189d(j)
004019cb c9 LEAVE ; restores RBP from the saved value that sits just above local_10
004019cc c3 RET
These are my registers and stack. I tried to overwrite `local_10` with 0x0 so that it drops out of the loop, but I still get a `<cannot dereference 0>` error.

You can't overwrite `local_10` with zero because your memsets are inside the loop, where `local_10` is expected not to be NULL. Since you are at the stage where you hijack the execution flow, you surely already know/leaked the base address of the module or an address on the stack. Make `local_10` point to readable memory containing zeros (if you know the module base, you can just predict the value of `local_10`).