Pagini
Workshops
Organizatori
Parteneri
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
sesiuni:memory:4 [2013/07/12 00:52] rcaragea [Hijacking control flow] |
sesiuni:memory:4 [2013/07/12 15:21] (current) rcaragea [Hijacking control flow] |
||
|---|---|---|---|
| Line 124: | Line 124: | ||
| - | * For tasks randmin_04 and up: calling system(char *cmd) | + | * When you want to jump to a function that takes no arguments you only need to append its address to the exploit pattern |
| - | * Because system() takes one argument, you will have to do more than just overwrite the return address, you will need to append to your exploit pattern 4 bytes of 'JUNK' and 4 bytes that contain the address of char *cmd | + | <code c> |
| + | ... | ||
| + | int f() | ||
| + | { | ||
| + | printf("Hello\n"); | ||
| + | return 42; | ||
| + | } | ||
| + | ... | ||
| + | </code> | ||
| + | * If the address of the function is 0x0804849c your exploit pattern will look like "AAAAAA...AAA\x9c\x84\x04\x08" because calling this function will look like | ||
| + | <code asm> | ||
| + | ... | ||
| + | call 804849c <f> | ||
| + | ... | ||
| + | </code> | ||
| + | * For tasks randmin_03 and up you will need to call system(char *cmd) | ||
| + | <code c> | ||
| + | ... | ||
| + | int f(char *str) | ||
| + | { | ||
| + | printf("%s\n", str); | ||
| + | return 42; | ||
| + | } | ||
| + | ... | ||
| + | </code> | ||
| + | * Translated to asm: | ||
| + | <code asm> | ||
| + | ... | ||
| + | movl $0x80485a0,(%esp) (0x80485a0 is the address of the string parameter) | ||
| + | call 804849c <f> | ||
| + | ... | ||
| + | </code> | ||
| + | * Because 'call' also pushes 4 bytes on the stack the parameter is offset by exactly 4 bytes, so if you want to call f with the address of that string your exploit should look like "AAAAAA...AAA\x9c\x84\x04\x08ABCD\xa0\x85\x04\x08" where ABCD is the 4 byte value mentioned (any value will work) | ||
| == Tools you will need == | == Tools you will need == | ||
| Line 135: | Line 166: | ||
| * ulimit | * ulimit | ||
| * checksec.sh [[http://www.trapkit.de/tools/checksec.sh]] | * checksec.sh [[http://www.trapkit.de/tools/checksec.sh]] | ||
| - | * aslr_brute_helper.py [[http://swarm.cs.pub.ro/~rcaragea/aslr_brute_helper.py]] | + | * <del> aslr_brute_helper.py [[http://swarm.cs.pub.ro/~rcaragea/aslr_brute_helper.py]] </del> |