Using buffer overflow to execute shell code

I've been learning computer security lately and have come across a couple of problems, and I'm having some trouble with this one in particular.

I'm given a function with a fixed buffer I need to overflow in order to execute shellcode in the file *shellcode*. The function is quite simple:

```c
#include <string.h>

/* provided by the exercise (signature assumed from the call below) */
void dump_stack(void **start, int count, void **top);

void vuln(char *str)
{
    char buf[64];
    strcpy(buf, str);   /* unbounded copy into a 64-byte stack buffer */
    // function provided to display stack on command prompt
    dump_stack((void **) buf, 21, (void **) &str);
}
```

My initial guess was to modify the return address, the eip, of the function in order to locate and execute what is in the shellcode file, but I realized I have no address to the file I can represent in a hexadecimal value. I am **pretty sure** I need to manipulate the return address, so currently what I'm calling is:

```sh
# the string is passed as a command line arg
./buffer_overflow_shellcode $(python -c "print 'A'*72 + '\x41\xd6\xff\xff' ")
```

My output is:

```
Stack dump:
0xffffd600: 0xffffd7fd (first argument)
0xffffd5fc: 0x08048653 (saved eip)
0xffffd5f8: 0xffffd641 (saved ebp)
0xffffd5f4: 0x41414141
0xffffd5f0: 0x41414141
0xffffd5ec: 0x41414141
0xffffd5e8: 0x41414141
0xffffd5e4: 0x41414141
0xffffd5e0: 0x41414141
0xffffd5dc: 0x41414141
0xffffd5d8: 0x41414141
0xffffd5d4: 0x41414141
0xffffd5d0: 0x41414141
0xffffd5cc: 0x41414141
0xffffd5c8: 0x41414141
0xffffd5c4: 0x41414141
0xffffd5c0: 0x41414141
0xffffd5bc: 0x41414141
0xffffd5b8: 0x41414141
0xffffd5b4: 0x41414141
0xffffd5b0: 0x41414141 (beginning of buffer)
Segmentation fault
```

The Python script simply prints 72 letter A's to overflow the buffer to the point of the ebp and eip; after that I replace the ebp's address with the additional address and arrive at the return address, ready to manipulate it. Any help is really appreciated, thanks!
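The hardened counterpart of the vuln() function in the question, added here as an example and not part of the original post or the exercise: the same 64-byte stack buffer, but the copy is length-checked so an argument that does not fit (such as the 72-byte run of A's above) is refused instead of running into the saved ebp and eip. The names bounded_copy, vuln_fixed and try_run_of_a are chosen for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same fixed buffer as the post's vuln() */

/* Copy src into dst only if it (with its NUL) fits in dst_size bytes.
 * Unlike strcpy(), src is never scanned past dst_size, so an oversized
 * argument can neither overflow dst nor read out of bounds. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return false;                 /* no terminator within the limit */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return true;
}

/* Hardened counterpart of vuln(): same 64-byte stack buffer, but the
 * copy is checked. Returns 0 if the string was accepted, -1 if it
 * would have run past buf into the saved ebp/eip. */
int vuln_fixed(const char *str)
{
    char buf[BUF_SIZE];
    if (!bounded_copy(buf, sizeof buf, str)) {
        fprintf(stderr, "rejected: argument exceeds %d bytes\n", BUF_SIZE - 1);
        return -1;
    }
    printf("accepted %zu bytes\n", strlen(buf));
    return 0;
}

/* Test helper: feed vuln_fixed() a constructed run of n 'A's, like the
 * python -c "print 'A'*72" argument in the post. n is capped at 255. */
int try_run_of_a(size_t n)
{
    char input[256];
    if (n >= sizeof input)
        return -2;
    memset(input, 'A', n);
    input[n] = '\0';
    return vuln_fixed(input);
}

int main(void)
{
    try_run_of_a(63);   /* fits: 63 chars + NUL == 64 bytes */
    try_run_of_a(72);   /* the post's payload length: refused */
    return 0;
}
```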