Format String Exploitation Question - Printable Version
Sinisterly (https://sinister.ly) - Thread: Format String Exploitation Question (/Thread-Format-String-Exploitation-Question)
Format String Exploitation Question - Alan Turing - 03-01-2014

So, I came across a challenge that was FSE. It was already compiled, and I couldn't see the source code (opened with Gedit, nothing in there), but it did work. So I saw the solution and was just confused. So, I got the return address:

    [volplus@root]~# ./cocks %x <insert return address here>
    [volplus@root]~# $'AAAAAAAAAAAAAAAAAAAAAAAAA\x\x\x\x\x\x\x    <--- the return address backwards, so zxcv became cvzx

My questions are:
1) Why the 25 As? To fill the buffer or something? How do we know 25 was enough?
2) Why the return address backwards? What does that accomplish instead of going forwards?

RE: Format String Exploitation Question - w00t - 03-01-2014

Yes, the 25 As were to fill the stack. You can tell how much you need to fill by looking at the disassembly of that function and seeing how much space is allocated on the stack. The address is backwards because most processors are little-endian, meaning the least significant byte goes first. So, 0xdeadbeef becomes \xef\xbe\xad\xde.

RE: Format String Exploitation Question - Alan Turing - 03-01-2014

(03-01-2014, 10:10 PM)w00t Wrote:
    Yes, the 25 As were to fill the stack. You can tell how much you need to fill by looking at the disassembly of that function and seeing how much space is allocated on the stack.

I had a feeling you'd be the first to help, thanks a lot w00t! So, when I disassemble, where do I look to find out how much I need to fill the stack?

RE: Format String Exploitation Question - w00t - 03-01-2014

In the function prologue, you should see, around the 4th instruction, sub esp, 0x19 (or slightly larger, if the function preserves registers).

RE: Format String Exploitation Question - Alan Turing - 03-02-2014

(03-01-2014, 11:55 PM)w00t Wrote:
    In the function prologue, you should see, around the 4th instruction, sub esp, 0x19 (or slightly larger, if the function preserves registers).

I disassembled the function, and I saw <25+> near the return addresses. Is that okay?

RE: Format String Exploitation Question - w00t - 03-02-2014

Meaning the disassembler you used put ret< +25 >? Different disassemblers will do different things, but you can always find the stack size by looking for the subtraction.

RE: Format String Exploitation Question - Alan Turing - 03-02-2014

(03-02-2014, 01:28 AM)w00t Wrote:
    Meaning the disassembler you used put ret< +25 >? Different disassemblers will do different things, but you can always find the stack size by looking for the subtraction.

Code:
    0x080484b4 <+0>:     push %ebp
    0x08048cd <+25>:     call 0x080483ec <exit@plt>

That's disassembling the function.

RE: Format String Exploitation Question - w00t - 03-02-2014

No, that's the offset from the beginning of the function, in bytes. Not the same thing.

RE: Format String Exploitation Question - Alan Turing - 03-02-2014

(03-02-2014, 01:32 AM)w00t Wrote:
    No, that's the offset from the beginning of the function, in bytes. Not the same thing.

The above is the full output, using gdb. That's the entire function output, so where am I looking to find out how much I need to fill the stack?

RE: Format String Exploitation Question - w00t - 03-02-2014

PM me (or post here) with a link to the executable.
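As an added example (not code from the thread or its participants), this Python snippet separates the two numbers the thread conflates in a gdb-style listing: the immediate of the prologue's sub against esp, which is the frame size w00t describes, versus the <+N> values, which are only each instruction's byte offset from the function start. It also shows the little-endian encoding w00t gives for 0xdeadbeef. The listing, its addresses and its 0x24 frame size are constructed.

```python
import re
import struct
from typing import List, Optional

# Constructed gdb-style listing (not the thread's binary). Addresses, offsets and the
# 0x24 frame size are made up to illustrate the distinction discussed in the thread.
SAMPLE_LISTING = """\
   0x080484b4 <+0>:     push   %ebp
   0x080484b5 <+1>:     mov    %esp,%ebp
   0x080484b7 <+3>:     push   %ebx
   0x080484b8 <+4>:     sub    $0x24,%esp
   0x080484bb <+7>:     mov    0x8(%ebp),%eax
   0x080484cd <+25>:    call   0x080483ec <exit@plt>
"""

# 'sub' against esp in the prologue, in either gdb's AT&T syntax or Intel syntax.
_SUB_ESP = re.compile(
    r"sub\s+(?:\$0x(?P<att>[0-9a-f]+),\s*%esp"   # AT&T:  sub $0x24,%esp
    r"|esp,\s*0x(?P<intel>[0-9a-f]+))",          # Intel: sub esp, 0x24
    re.IGNORECASE,
)
_OFFSET = re.compile(r"<\+(\d+)>")               # gdb's '<+N>' byte offset into the function


def frame_size(listing: str) -> Optional[int]:
    """Bytes reserved for locals by the prologue, or None if no 'sub ..., esp' appears."""
    for line in listing.splitlines():
        m = _SUB_ESP.search(line)
        if m:
            return int(m.group("att") or m.group("intel"), 16)
    return None


def instruction_offsets(listing: str) -> List[int]:
    """The '<+N>' values: each is an instruction's distance from the function start, not a size."""
    return [int(m.group(1)) for m in _OFFSET.finditer(listing)]


def le_bytes(value: int) -> bytes:
    """Little-endian encoding of a 32-bit value: 0xdeadbeef -> b'\\xef\\xbe\\xad\\xde'."""
    return struct.pack("<I", value)


if __name__ == "__main__":
    print("frame size (from sub esp) :", frame_size(SAMPLE_LISTING))              # 36 == 0x24
    print("last instruction offset   :", max(instruction_offsets(SAMPLE_LISTING)))  # 25
    print("0xdeadbeef little-endian  :", le_bytes(0xDEADBEEF).hex())              # efbeadde
```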