This shows you the differences between two versions of the page.
sesiuni:memory:4 [2013/07/12 00:52] rcaragea [Hijacking control flow]
sesiuni:memory:4 [2013/07/12 15:21] (current) rcaragea [Hijacking control flow]
Line 124: | Line 124: | ||
- | * For tasks randmin_04 and up: calling system(char *cmd) | + | * When you want to jump to a function that takes no arguments you only need to append its address to the exploit pattern |
- | * Because system() takes one argument, you will have to do more than just overwrite the return address, you will need to append to your exploit pattern 4 bytes of 'JUNK' and 4 bytes that contain the address of char *cmd | + | <code c> |
+ | ... | ||
+ | int f() | ||
+ | { | ||
+ | printf("Hello\n"); | ||
+ | return 42; | ||
+ | } | ||
+ | ... | ||
+ | </code> | ||
+ | * If the address of the function is 0x0804849c your exploit pattern will look like "AAAAAA...AAA\x9c\x84\x04\x08" because calling this function will look like | ||
+ | <code asm> | ||
+ | ... | ||
+ | call 804849c <f> | ||
+ | ... | ||
+ | </code> | ||
+ | * For tasks randmin_03 and up you will need to call system(char *cmd) | ||
+ | <code c> | ||
+ | ... | ||
+ | int f(char *str) | ||
+ | { | ||
+ | printf("%s\n", str); | ||
+ | return 42; | ||
+ | } | ||
+ | ... | ||
+ | </code> | ||
+ | * Translated to asm: | ||
+ | <code asm> | ||
+ | ... | ||
+ | movl $0x80485a0,(%esp) (0x80485a0 is the address of the string parameter) | ||
+ | call 804849c <f> | ||
+ | ... | ||
+ | </code> | ||
+ | * Because 'call' also pushes 4 bytes on the stack the parameter is offset by exactly 4 bytes, so if you want to call f with the address of that string your exploit should look like "AAAAAA...AAA\x9c\x84\x04\x08ABCD\xa0\x85\x04\x08" where ABCD is the 4 byte value mentioned (any value will work) | ||
== Tools you will need == | == Tools you will need == | ||
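Review bot: In the replaced first bullet the task threshold moves from "randmin_04 and up" to "randmin_03 and up" without any explanation; confirm which task is really the first one that needs system(char *cmd) and keep the number consistent with the task list elsewhere on the page. The new explanation of the layout is otherwise sound, but three details would help readers. First, "AAAAAA...AAA\x9c\x84\x04\x08" assumes the reader already knows that 0x0804849c is written least-significant byte first; state the little-endian byte order explicitly, since that is the most common mistake at this step. Second, "ABCD ... any value will work" is only true as long as nobody cares what happens after the called function returns: those 4 bytes are the return address that system() (or f()) will pop when it finishes, so the general layout is "[padding][address of function][return address for that function][its first argument]", and pointing out that the slot can hold the address of exit() when a clean exit is wanted would make "the 4 byte value mentioned" much clearer. Third, the parenthesised remark "(0x80485a0 is the address of the string parameter)" sits inside the <code asm> block as if it were assembler; move it to the bullet text above the block or turn it into an assembler comment with a leading #.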
Line 135: | Line 166: | ||
* ulimit | * ulimit | ||
* checksec.sh [[http://www.trapkit.de/tools/checksec.sh]] | * checksec.sh [[http://www.trapkit.de/tools/checksec.sh]] | ||
- | * aslr_brute_helper.py [[http://swarm.cs.pub.ro/~rcaragea/aslr_brute_helper.py]] | + | * <del> aslr_brute_helper.py [[http://swarm.cs.pub.ro/~rcaragea/aslr_brute_helper.py]] </del> |
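Review bot: Striking through the aslr_brute_helper.py entry with <del> leaves a link in the "Tools you will need" list that readers cannot tell whether to follow; either drop the bullet entirely or add a short reason next to it (for example that the helper is no longer needed for the current tasks), so the list only names tools that are actually required.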