Re: Assembler/C References

[John Scimone <sert () snosoft com>]

the trick is to use the 256 bytes of buffer space to store your code, you must 
know the memory area that is around the beginning of it, fill the beginning 
with nothing, then put your code, then at the end put your memory address 
that will overwrite the eip (instruction pointer), the pc will then execute 
the code will then go to where the eip points after the buffer is overflowed 
which will be the area where your buffer began which will then hit your 
shellcode to be executed. hope this helped some.
-sert


On Tuesday 16 July 2002 07:14 pm, Jeremy Junginger wrote:
> Hey guys,
> Thanks for all of the great feedback about assembler and c.  I was
> playing with the code at:
> http://community.core-sdi.com/~gera/InsecureProgramming/abo1.html
> (Thanks for the link, Claes)
> And if it is run, it produces a segmentation fault.  After running gdb
> against the program, I obtain the following data:
>
> [rewt@n00bB0x]# gdb abo1
>
> Copyright 2001 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "i386-redhat-linux"...
> (gdb) disass main
> Dump of assembler code for function main:
> 0x8048460 <main>:       push   %ebp
> 0x8048461 <main+1>:     mov    %esp,%ebp
> 0x8048463 <main+3>:     sub    $0x108,%esp
> 0x8048469 <main+9>:     sub    $0x8,%esp
> 0x804846c <main+12>:    mov    0xc(%ebp),%eax
> 0x804846f <main+15>:    add    $0x4,%eax
> 0x8048472 <main+18>:    pushl  (%eax)
> 0x8048474 <main+20>:    lea    0xfffffef8(%ebp),%eax
> 0x804847a <main+26>:    push   %eax
> 0x804847b <main+27>:    call   0x804834c <strcpy>
> 0x8048480 <main+32>:    add    $0x10,%esp
> 0x8048483 <main+35>:    leave
> 0x8048484 <main+36>:    ret
> 0x8048485 <main+37>:    lea    0x0(%esi),%esi
> 0x8048488 <main+40>:    nop
> 0x8048489 <main+41>:    nop
> 0x804848a <main+42>:    nop
> 0x804848b <main+43>:    nop
> 0x804848c <main+44>:    nop
> 0x804848d <main+45>:    nop
> 0x804848e <main+46>:    nop
> 0x804848f <main+47>:    nop
> End of assembler dump.
> (gdb) quit
>
> [rewt@n00bB0x]#
>
> I guess I don't really know where to go from here.  I see that the
> buffer has space form 256 bytes.  Okay, so I run ./abo1 AAAAAAAA(256
> times) and it runs okay, then when I run ./abo1 with AAAA(more than
> 256X) it returns with a segmentation fault.  The part I'm not
> understanding is, after I've overflowed the buffer, how do I know where
> the next bytes will be stored?  Will they be stored at the next memory
> address (in this case 0x8048480)?  Once you know where they are stored,
> how can you append your code, do you just do a
> AAAAAA(howevermanytimesyouneedit) and then append your code to the end
> of it?
>
> Thanks for fielding these beginner questions.  They're embarrassing to
> ask, but everyone's gotta start somewhere.
>
> -Jeremy
>
>
> -----Original Message-----
> From: Kim Reece [mailto:sorel () ugcs caltech edu]
> Sent: Monday, July 15, 2002 4:53 PM
> To: Knud Erik Højgaard
> Cc: Jeremy Junginger; vuln-dev () securityfocus com
> Subject: Re: Assembler/C References
>
>
>
> "art of assembly"  - i forget the author name, but it's a very good book
> and a simple google search will turn it up
>
> plus just about any 'advanced' c book, i.e. one that doesn't assume you
> are incapable of understanding an if statement and need kindergarden
> style graphics to not get bored.
>
>
> --sorel