Security Basics mailing list archives
[Fwd: Re: wargame issue]
From: haad <haaaad () gmail com>
Date: Tue, 20 Sep 2005 11:43:18 +0200
-------- Original Message --------
Subject: Re: wargame issue
Date: Thu, 15 Sep 2005 02:09:41 +0200
From: haad <haaaad () gmail com>
To: Q nix <qnix () bsdmail org>, security-basics () securityfocus com
References: <20050913175416.C1A617B49F () ws5-10 us4 outblaze com>

Q nix wrote:
----- Original Message -----
From: haad <haaaad () gmail com>
To: security-basics () securityfocus com
Subject: wargame issue
Date: Tue, 13 Sep 2005 10:25:20 +0200

I'm playing a wargame at www.hackerslab.org, but I have a problem with a level in which I need to exploit bounds checking. How can I exploit this? Some theory would be useful, or some links to exploitation techniques too ;) I know that this application doesn't check the input string; with a long string I am able to segfault the application.

Cheers
Send me the source code if you have it ... and I'll help you with it!!
Qnix - Qnix () bsdmail org
regards,
So I have started studying this level. I found the old article by Aleph One in Phrack, but I have a problem understanding it, or rather with testing it in the real world. Aleph One said:

example1.c:
------------------------------------------------------------------------------
void function(int a, int b, int c) {
   char buffer1[5];
   char buffer2[10];
}

void main() {
  function(1,2,3);
}
------------------------------------------------------------------------------

To understand what the program does to call function() we compile it with gcc using the -S switch to generate assembly code output:

$ gcc -S -o example1.s example1.c

By looking at the assembly language output we see that the call to function() is translated to:

        pushl $3
        pushl $2
        pushl $1
        call function

This pushes the 3 arguments to function backwards into the stack, and calls function(). The instruction 'call' will push the instruction pointer (IP) onto the stack. We'll call the saved IP the return address (RET). The first thing done in function is the procedure prolog:

        pushl %ebp
        movl %esp,%ebp
        subl $20,%esp

This pushes EBP, the frame pointer, onto the stack. It then copies the current SP onto EBP, making it the new FP pointer. We'll call the saved FP pointer SFP. It then allocates space for the local variables by subtracting their size from SP. We must remember that memory can only be addressed in multiples of the word size. A word in our case is 4 bytes, or 32 bits. So our 5 byte buffer is really going to take 8 bytes (2 words) of memory, and our 10 byte buffer is going to take 12 bytes (3 words) of memory. That is why SP is being subtracted by 20.

I tried to compile this code and view the assembly source, but I see this in my function prolog:

        pushl %ebp
        movl %esp, %ebp
        subl $40, %esp

I have my stack subtracted by 40. Why??? I don't understand. I made some tests and I think it is because of the new gcc, but I am not sure. :) Can you help with this??
Cheers
Adam
--
Linux is for people who hate windows
NetBSD is for people who love UNIX.
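As a way to check this empirically rather than by reading the assembly, here is an added example (my own, not code from the thread or from Aleph One's article) that compiles the same function() and measures at run time how far the two buffers sit from the frame record, using the GCC/Clang builtin __builtin_frame_address(0). It assumes a GCC-compatible compiler and the x86-style layout with locals below the saved frame pointer (a fallback handles the opposite layout).

```c
#include <stdio.h>
#include <stdint.h>

/* Added example, not from the thread or Aleph One's article: measure the
 * frame the compiler really built for function() instead of reading the
 * "subl $N, %esp" figure off the assembly. __builtin_frame_address(0) is
 * a GCC/Clang builtin giving the address of the current frame record
 * (the saved frame pointer slot); on x86/x86-64 the locals sit below it. */
struct frame_info {
    uintptr_t frame_base;   /* address of the frame record */
    uintptr_t buffer1;      /* address of char buffer1[5]  */
    uintptr_t buffer2;      /* address of char buffer2[10] */
};

__attribute__((noinline))
static struct frame_info function(int a, int b, int c)
{
    char buffer1[5];
    char buffer2[10];
    struct frame_info fi;
    buffer1[0] = (char)a;
    buffer2[0] = (char)(b + c);
    /* Keep both arrays in memory so the optimiser cannot drop them. */
    __asm__ __volatile__("" : : "r"(buffer1), "r"(buffer2) : "memory");
    fi.frame_base = (uintptr_t)__builtin_frame_address(0);
    fi.buffer1 = (uintptr_t)buffer1;
    fi.buffer2 = (uintptr_t)buffer2;
    return fi;
}

/* Bytes the two locals span relative to the frame record: the runtime
 * counterpart of "subl $20" vs "subl $40". At least the 15 bytes
 * requested; the excess is alignment padding chosen by the compiler,
 * which varies with compiler version, target and options. */
size_t local_frame_bytes(void)
{
    struct frame_info fi = function(1, 2, 3);
    uintptr_t lo = fi.buffer1 < fi.buffer2 ? fi.buffer1 : fi.buffer2;
    uintptr_t hi = fi.buffer1 < fi.buffer2 ? fi.buffer2 + 10 : fi.buffer1 + 5;
    if (fi.frame_base >= hi)              /* record above the locals (x86) */
        return (size_t)(fi.frame_base - lo);
    return (size_t)(hi - fi.frame_base);  /* record below the locals */
}

int main(void)
{
    struct frame_info fi = function(1, 2, 3);
    printf("buffer1 at frame%+ld, buffer2 at frame%+ld, locals span %zu bytes\n",
           (long)fi.buffer1 - (long)fi.frame_base,
           (long)fi.buffer2 - (long)fi.frame_base, local_frame_bytes());
    return 0;
}
```

Build it with different gcc versions or optimisation levels and the reported span changes while the 15 bytes of buffers do not; everything beyond those 15 bytes is the compiler's own padding.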
Current thread:
- [Fwd: Re: wargame issue] haad (Sep 20)
- Re: [Fwd: Re: wargame issue] Joe Barrett (Sep 22)
- <Possible follow-ups>
- Re: [Fwd: Re: wargame issue] mhal70 (Sep 22)