Security Basics mailing list archives
RE: wargame issue
From: <ankush.kapoor () wipro com>
Date: Fri, 14 Oct 2005 09:05:31 +0530
Hope this isn't too late to post!! A similar thing came up on another list recently. The reason is that when Aleph wrote the tutorial, sizeof int was 2. But nowadays it's generally 4. That's why you get these shifts in addresses (keep this in mind when calculating offsets to overflow).

Hope this helps.

Ankush

PS: A little bit of a spoiler here... Have been thru quite a few rounds on hackerslab... One of the programs by Aleph to create the eggshell works on this level, just look at the code closely and give it the correct arguments! ;) Enuf said!

-----Original Message-----
From: haad [mailto:haaaad () gmail com]
Sent: Thursday, September 15, 2005 5:40 AM
To: Q nix; security-basics () securityfocus com
Subject: Re: wargame issue

Q nix wrote:
----- Original Message -----
From: haad <haaaad () gmail com>
To: security-basics () securityfocus com
Subject: wargame issue
Date: Tue, 13 Sep 2005 10:25:20 +0200

I'm playing one wargame on www.hackerslab.org but I have a problem with a level in which I need to exploit bounds checking. How can I exploit this? Some theory would be useful, or some links to exploiting techniques too ;) I know that this application doesn't check the input string; with a long string I am able to segfault this application.

Cheers
Send me the source code if you have it... and I'll help you with it!!
Qnix - Qnix () bsdmail org
regards,
So I have started studying at this level. I have found an old article by Aleph One in Phrack, but I have a problem understanding it, or rather with testing it in the real world. Aleph said:

example1.c:
------------------------------------------------------------------------------
void function(int a, int b, int c) {
  char buffer1[5];
  char buffer2[10];
}

void main() {
  function(1,2,3);
}
------------------------------------------------------------------------------

To understand what the program does to call function() we compile it with gcc using the -S switch to generate assembly code output:

$ gcc -S -o example1.s example1.c

By looking at the assembly language output we see that the call to function() is translated to:

pushl $3
pushl $2
pushl $1
call function

This pushes the 3 arguments to function backwards into the stack, and calls function(). The instruction 'call' will push the instruction pointer (IP) onto the stack. We'll call the saved IP the return address (RET). The first thing done in function is the procedure prolog:

pushl %ebp
movl %esp,%ebp
subl $20,%esp

This pushes EBP, the frame pointer, onto the stack. It then copies the current SP onto EBP, making it the new FP pointer. We'll call the saved FP pointer SFP. It then allocates space for the local variables by subtracting their size from SP. We must remember that memory can only be addressed in multiples of the word size. A word in our case is 4 bytes, or 32 bits. So our 5 byte buffer is really going to take 8 bytes (2 words) of memory, and our 10 byte buffer is going to take 12 bytes (3 words) of memory. That is why SP is being subtracted by 20.

I tried to compile this code and view the assembly source, but I see this in my function prolog:

pushl %ebp
movl %esp, %ebp
subl $40, %esp

I have my stack subtracted by 40. Why??? I don't understand. I made some tests and I think it is because of the new gcc, but I am not sure. :) Can you help with this??
Cheers
Adam

--
Linux is for people who hate windows
NetBSD is for people who love UNIX.
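An added example, not from this thread or from the Phrack article, that checks the tutorial's word-rounding model against what your own compiler actually does with example1.c's two buffers. It assumes GCC or Clang (for __builtin_frame_address) on x86 or x86-64; the function and struct names are mine.

```c
/* Added example (not from the thread): compare Aleph One's word-rounding
 * model of the frame with the layout the local compiler really produces.
 * Assumes GCC or Clang (for __builtin_frame_address); build with
 *   gcc -O0 -fno-stack-protector frame_check.c && ./a.out
 * and compare the printed numbers with the "subl $N,%esp" in gcc -S output. */
#include <stdio.h>
#include <stdint.h>

/* Tutorial model: each local is rounded up to whole words, then summed. */
size_t round_up_to_word(size_t n, size_t word) {
    return (n + word - 1) / word * word;
}

/* Frame size the tutorial predicts for example1.c's two buffers. */
size_t model_frame_size(size_t buf1, size_t buf2, size_t word) {
    return round_up_to_word(buf1, word) + round_up_to_word(buf2, word);
}

struct frame_layout {
    intptr_t sfp_minus_buffer1;      /* saved FP address minus &buffer1 */
    intptr_t sfp_minus_buffer2;      /* saved FP address minus &buffer2 */
    intptr_t buffer1_minus_buffer2;  /* spacing between the two locals */
};

/* Same locals as example1.c. noinline keeps the frame this function's own;
 * __builtin_frame_address(0) is the frame pointer value (EBP/RBP), i.e. the
 * address where the saved frame pointer (SFP) lives. The arrays are
 * volatile so the compiler cannot drop them from the frame. */
__attribute__((noinline)) struct frame_layout measure_frame(void) {
    volatile char buffer1[5];
    volatile char buffer2[10];
    struct frame_layout out;
    intptr_t fp = (intptr_t)__builtin_frame_address(0);

    buffer1[0] = 'A';
    buffer2[0] = 'B';
    out.sfp_minus_buffer1 = fp - (intptr_t)buffer1;
    out.sfp_minus_buffer2 = fp - (intptr_t)buffer2;
    out.buffer1_minus_buffer2 = (intptr_t)buffer1 - (intptr_t)buffer2;
    return out;
}

int main(void) {
    struct frame_layout m = measure_frame();
    printf("tutorial model (4-byte words): subl $%zu,%%esp\n",
           model_frame_size(5, 10, 4));
    /* On x86/x86-64 locals sit below SFP, so these are positive; padding and
     * ordering are the compiler's choice, which is why gcc -S shows a number
     * other than 20 from one gcc version to the next. */
    printf("measured: SFP-&buffer1=%ld SFP-&buffer2=%ld &buffer1-&buffer2=%ld\n",
           (long)m.sfp_minus_buffer1, (long)m.sfp_minus_buffer2,
           (long)m.buffer1_minus_buffer2);
    return 0;
}
```

Run the same binary through gcc -S and compare the printed gaps with the constant in the prolog's subl; the gaps include whatever alignment padding the compiler inserted.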