cpowel2
asked on
Buffer bomb nitro
I am working on a buffer bomb project for school, and the last phase is called nitro. The other phases made it so that the stack always started at the same position, so that if I overwrote %ebp, for example, I could just use gdb to look up what it should be and replace it with my exploit code as a literal value. However, in the last phase the stack does not always start in the same position. However, I figured out how I can work this into my exploit code: instead of using a literal value for restoring the contents of %ebp (which should, when all is said and done, contain the address of the beginning of the previous stack frame), I just incorporate a memory address calculation into my exploit code in order to figure out where the previous stack frame's %ebp (address) is, so I can restore it into the contents of the current %ebp so that when I return from the function it doesn't segfault. The problem is that for some reason I am not doing the assembly portion right, because it keeps segfaulting. My assembly code for calculating where the previous frame's stack pointer should be is as follows:
leal 0x20(%ebp) , %ecx
movl %ecx, (%ebp)
What I think this code accomplishes is:
1.) Add 0x20 to the current address of %ebp. Maybe this syntax is wrong; maybe it's taking what is in %ebp and adding 0x20, not the address of %ebp itself, although my book says that is not how lea works.
2.) Move the calculated value from step 1 into the contents of %ebp.
I know for a fact that adding 0x20 to the memory address of %ebp gives me the desired address that I need, because if I hard-code that value it works fine, but I don't know why my assembly is wrong. Could someone please help me?
If you guys need the actual code I can post it.
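The question turns on what the two x86 addressing forms actually do: `lea 0x20(%reg)` is arithmetic on the value held in the register (registers have no address of their own), and a destination written as `(%reg)` is a store into memory at that value rather than a write to the register. The program below is an added example, not the asker's code and not the accepted solution; it runs the same two-instruction shape against a constructed array named `frame` that stands in for a few words of stack, with GCC/Clang inline assembly on x86 (a plain C fallback is used on other architectures). The helper names `lea_0x20`, `mov_to_mem`, `mov_to_reg` and `run_question_sequence` are inventions for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a few words of stack. frame[0] plays the role of
   the word that the frame-pointer register points at. The pattern makes an
   accidental memory read easy to spot in the results. */
#define NWORDS 8
static uintptr_t frame[NWORDS];

static void fill_pattern(void) {
    for (int i = 0; i < NWORDS; i++)
        frame[i] = 0xCAFE0000u + (uintptr_t)i;
}

/* lea 0x20(base), out: adds 0x20 to the VALUE held in the register. It is pure
   address arithmetic; no memory is read, so the contents of frame[] play no
   part in the result. */
uintptr_t lea_0x20(const void *base) {
    uintptr_t out;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ ("lea 0x20(%[b]), %[o]" : [o] "=r"(out) : [b] "r"(base));
#else
    out = (uintptr_t)base + 0x20;   /* same arithmetic on other ISAs */
#endif
    return out;
}

/* mov value, (base): a store THROUGH the register. The word in memory at the
   address held in base changes; the register itself keeps its old value,
   which is returned so the caller can check that. */
uintptr_t mov_to_mem(uintptr_t base, uintptr_t value) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("mov %[v], (%[b])" : : [v] "r"(value), [b] "r"(base) : "memory");
#else
    *(uintptr_t *)base = value;
#endif
    return base;
}

/* mov value, base: loads the register itself. Memory is not touched. */
uintptr_t mov_to_reg(uintptr_t base, uintptr_t value) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ ("mov %[v], %[b]" : [b] "+r"(base) : [v] "r"(value));
#else
    base = value;
#endif
    return base;
}

/* The two-instruction sequence from the question, with `base` standing in
   for %ebp: lea computes base+0x20 into a scratch register, then mov stores
   that scratch value into the word AT base. Returns what frame[0] holds
   afterwards; the register holding base is not modified by either step. */
uintptr_t run_question_sequence(void) {
    fill_pattern();
    uintptr_t base = (uintptr_t)frame;
    uintptr_t scratch = lea_0x20((const void *)base);   /* leal 0x20(%ebp),%ecx */
    mov_to_mem(base, scratch);                           /* movl %ecx,(%ebp)    */
    return frame[0];
}

int main(void) {
    fill_pattern();
    uintptr_t base = (uintptr_t)frame;
    printf("base              = %#lx\n", (unsigned long)base);
    printf("lea 0x20(base)    = %#lx  (base + 0x20, memory untouched)\n",
           (unsigned long)lea_0x20(frame));
    printf("frame[0] before   = %#lx\n", (unsigned long)frame[0]);
    run_question_sequence();
    printf("frame[0] after    = %#lx  (now holds base + 0x20)\n",
           (unsigned long)frame[0]);
    printf("register after    = %#lx  (store to (base) left the register alone)\n",
           (unsigned long)mov_to_mem(base, frame[0]));
    printf("mov into register = %#lx  (mov to base itself changes the register)\n",
           (unsigned long)mov_to_reg(base, lea_0x20(frame)));
    return 0;
}
```

Running it shows the distinction the question is circling: the `lea` result equals the register value plus 0x20 regardless of what memory contains, the `(%reg)` store changes the word in memory while the register keeps its old value, and only a store whose destination is the bare register changes the register. Which of those effects a given program needs is a question about that program's frame layout, which is why reading the frame under gdb matters more than the instruction syntax alone.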