Databases
StackOverflow2013
Postsdbo
POachieve stack smashing with executable file
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POachieve stack smashing with executable file
    text
    copied!<p>I try to achieve stack smashing when I have only the executable file . I use the objdump to get the assembly code for this source code : </p> <pre><code>#include&lt;stdio.h&gt; #include&lt;string.h&gt; void func(char *str) { char buffer[24]; int *ret; strcpy(buffer,str); } int main(int argc, char **argv) { int x; x = 0; func(argv[1]); x = 1; printf("%d\n”,x); } </code></pre> <p>at run time ./a,out (value)....I need to insert the (value ) in such away I insert the NOP in stack location and that last part of (value) is the address of my next instruction. I have 40 byte before reaching the location that contain the return address of the fun() .</p> <pre><code>08048444 &lt;func&gt;: 8048444: 55 push %ebp 8048445: 89 e5 mov %esp,%ebp 8048447: 83 ec 48 sub $0x48,%esp 804844a: 8b 45 08 mov 0x8(%ebp),%eax 804844d: 89 45 d4 mov %eax,-0x2c(%ebp) 8048450: 65 a1 14 00 00 00 mov %gs:0x14,%eax 8048456: 89 45 f4 mov %eax,-0xc(%ebp) 8048459: 31 c0 xor %eax,%eax 804845b: 8b 45 d4 mov -0x2c(%ebp),%eax 804845e: 89 44 24 04 mov %eax,0x4(%esp) 8048462: 8d 45 dc lea -0x24(%ebp),%eax 8048465: 89 04 24 mov %eax,(%esp) 8048468: e8 eb fe ff ff call 8048358 &lt;strcpy@plt&gt; 804846d: 8b 45 f4 mov -0xc(%ebp),%eax 8048470: 65 33 05 14 00 00 00 xor %gs:0x14,%eax 8048477: 74 05 je 804847e &lt;func+0x3a&gt; 8048479: e8 fa fe ff ff call 8048378 &lt;__stack_chk_fail@plt&gt; 804847e: c9 leave 804847f: c3 ret 08048480 &lt;main&gt;: 8048480: 55 push %ebp 8048481: 89 e5 mov %esp,%ebp 8048483: 83 e4 f0 and $0xfffffff0,%esp 8048486: 83 ec 20 sub $0x20,%esp 8048489: c7 44 24 1c 00 00 00 movl $0x0,0x1c(%esp) 8048490: 00 8048491: 8b 45 0c mov 0xc(%ebp),%eax 8048494: 83 c0 04 add $0x4,%eax 8048497: 8b 00 mov (%eax),%eax 8048499: 89 04 24 mov %eax,(%esp) 804849c: e8 a3 ff ff ff call 8048444 &lt;func&gt; 80484a1: c7 44 24 1c 01 00 00 movl $0x1,0x1c(%esp) 80484a8: 00 80484a9: b8 90 85 04 08 mov $0x8048590,%eax 80484ae: 8b 54 24 1c mov 0x1c(%esp),%edx 80484b2: 89 54 24 04 mov %edx,0x4(%esp) 80484b6: 89 04 24 mov %eax,(%esp) 80484b9: e8 aa fe ff ff call 8048368 &lt;printf@plt&gt; 80484be: b8 00 00 00 00 mov $0x0,%eax 80484c3: c9 leave 80484c4: c3 ret 80484c5: 90 nop 80484c6: 90 nop </code></pre> <p>problem if I insert 00 its consider as (31) ASCII .How I can insert hex values.</p> <p>... I hope the Que is clear </p> <p>objdump -w -Mintel :</p> <pre><code>08048444 &lt;func&gt;: 8048444: 55 push ebp 8048445: 89 e5 mov ebp,esp 8048447: 83 ec 48 sub esp,0x48 804844a: 8b 45 08 mov eax,DWORD PTR [ebp+0x8] 804844d: 89 45 d4 mov DWORD PTR [ebp-0x2c],eax 8048450: 65 a1 14 00 00 00 mov eax,gs:0x14 8048456: 89 45 f4 mov DWORD PTR [ebp-0xc],eax 8048459: 31 c0 xor eax,eax 804845b: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c] 804845e: 89 44 24 04 mov DWORD PTR [esp+0x4],eax 8048462: 8d 45 dc lea eax,[ebp-0x24] 8048465: 89 04 24 mov DWORD PTR [esp],eax 8048468: e8 eb fe ff ff call 8048358 &lt;strcpy@plt&gt; 804846d: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] 8048470: 65 33 05 14 00 00 00 xor eax,DWORD PTR gs:0x14 8048477: 74 05 je 804847e &lt;func+0x3a&gt; 8048479: e8 fa fe ff ff call 8048378 &lt;__stack_chk_fail@plt&gt; 804847e: c9 leave 804847f: c3 ret 08048480 &lt;main&gt;: 8048480: 55 push ebp 8048481: 89 e5 mov ebp,esp 8048483: 83 e4 f0 and esp,0xfffffff0 8048486: 83 ec 20 sub esp,0x20 8048489: c7 44 24 1c 00 00 00 00 mov DWORD PTR [esp+0x1c],0x0 8048491: 8b 45 0c mov eax,DWORD PTR [ebp+0xc] 8048494: 83 c0 04 add eax,0x4 8048497: 8b 00 mov eax,DWORD PTR [eax] 8048499: 89 04 24 mov DWORD PTR [esp],eax 804849c: e8 a3 ff ff ff call 8048444 &lt;func&gt; 80484a1: c7 44 24 1c 01 00 00 00 mov DWORD PTR [esp+0x1c],0x1 80484a9: b8 90 85 04 08 mov eax,0x8048590 80484ae: 8b 54 24 1c mov edx,DWORD PTR [esp+0x1c] 80484b2: 89 54 24 04 mov DWORD PTR [esp+0x4],edx 80484b6: 89 04 24 mov DWORD PTR [esp],eax 80484b9: e8 aa fe ff ff call 8048368 &lt;printf@plt&gt; 80484be: b8 00 00 00 00 mov eax,0x0` </code></pre>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload