Differences

sesiuni:memory:4 [2013/07/12 11:52]
rcaragea [Tools you will need]
sesiuni:memory:4 [2013/07/12 15:21] (current)
rcaragea [Hijacking control flow]
Line 124: Line 124:
  
  
-* For tasks randmin_04 ​and up: calling ​system(char *cmd) + * When you want to jump to a function that takes no arguments you only need to append its address to the exploit pattern 
-     * Because system() takes one argumentyou will have to do more than just overwrite ​the return ​address, you will need to append to your exploit pattern 4 bytes of 'JUNK' ​and 4 bytes that contain ​the address of char *cmd +      <code c> 
 +      ... 
 +      int f() 
 +      { 
 +          printf("​Hello\n"​);​ 
 +          return 42; 
 +      } 
 +      ... 
 +      </​code>​ 
 + * If the address of the function is 0x0804849c your exploit pattern will look like "​AAAAAA...AAA\x9c\x84\x04\x08"​ because calling this function will look like 
 +      <code asm> 
 +      ... 
 +      call   ​804849c <f> 
 +      ... 
 +      </​code>​ 
 +* For tasks randmin_03 ​and up you will need to call system(char *cmd) 
 +      <​code c> 
 +      ... 
 +      int f(char *str) 
 +      { 
 +          printf("​%s\n"​str); 
 +          return 42; 
 +      } 
 +      ... 
 +      </​code>​ 
 +*  Translated ​to asm: 
 +      <code asm> 
 +      ... 
 +      movl   ​$0x80485a0,​(%esp) ​     (0x80485a0 is the address of the string parameter) 
 +      call   ​804849c <​f> ​            
 +      ... 
 +      </​code>​ 
 +* Because ​'call' ​also pushes ​4 bytes on the stack the parameter is offset by exactly 4 bytes, so if you want to call f with the address of that string your exploit should look like "​AAAAAA...AAA\x9c\x84\x04\x08ABCD\xa0\x85\x04\x08"​ where ABCD is the 4 byte value mentioned (any value will work)
  
 == Tools you will need == == Tools you will need ==
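Review bot: the single-argument C snippet in this hunk will not compile as written: `printf("%s\n"str);` is missing the comma between the format string and its argument and should read `printf("%s\n", str);`. The reasoning in the last bullet also needs tightening: in the overflow no `call` instruction is executed for `f`; it is the vulnerable function's `ret` that pops the overwritten return address (the `\x9c\x84\x04\x08` bytes), so when `f` starts executing the next four bytes (`ABCD`) sit in the slot where `f` expects its own return address, and the argument is one slot above it, which is why the string address is offset by exactly four bytes. It is worth stating that "any value will work" only holds for getting `f` called with the right argument: when `f` returns it jumps to whatever `ABCD` decodes to, so the process will normally crash at that point. Finally, the removed wording said system() is needed for `randmin_04` and up while the new text says `randmin_03` and up; confirm which task number is intended so the bullets stay consistent with the task list.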
sesiuni/memory/4.txt · Last modified: 2013/07/12 15:21 by rcaragea