EXPLOITATION - Hacking: The Art of Exploitation

Graphics Programs Reference

In-Depth Information

0xbffff7d0: 0xb7ff47b0 0x08048510 0xbffff7e8 0x080484bb

0xbffff7e0: 0xbffff9b7 0x08048510 0xbffff848 0xb7eafebc

0xbffff7f0: 0x00000002 0xbffff874 0xbffff880 0xb8001898

0xbffff800: 0x00000000 0x00000001 0x00000001 0x00000000

0xbffff810: 0xb7fd6ff4 0xb8000ce0 0x00000000 0xbffff848

(gdb) x/32xb 0xbffff9b7

0xbffff9b7: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0xbffff9bf: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0xbffff9c7: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0xbffff9cf: 0x41 0x41 0x41 0x41 0x41 0x41 0x00 0x53

(gdb) x/s 0xbffff9b7

0xbffff9b7: 'A' <repeats 30 times>

(gdb)

The return address in a stack frame can be located by understanding

how the stack frame is created. This process begins in the main() function,

even before the function call.

(gdb) disass main

Dump of assembler code for function main:

0x08048474 <main+0>: push ebp

0x08048475 <main+1>: mov ebp,esp

0x08048477 <main+3>: sub esp,0x8

0x0804847a <main+6>: and esp,0xfffffff0

0x0804847d <main+9>: mov eax,0x0

0x08048482 <main+14>: sub esp,eax

0x08048484 <main+16>: cmp DWORD PTR [ebp+8],0x1

0x08048488 <main+20>: jg 0x80484ab <main+55>

0x0804848a <main+22>: mov eax,DWORD PTR [ebp+12]

0x0804848d <main+25>: mov eax,DWORD PTR [eax]

0x0804848f <main+27>: mov DWORD PTR [esp+4],eax

0x08048493 <main+31>: mov DWORD PTR [esp],0x80485e5

0x0804849a <main+38>: call 0x804831c <printf@plt>

0x0804849f <main+43>: mov DWORD PTR [esp],0x0

0x080484a6 <main+50>: call 0x804833c <exit@plt>

0x080484ab <main+55>: mov eax,DWORD PTR [ebp+12]

0x080484ae <main+58>: add eax,0x4

0x080484b1 <main+61>: mov eax,DWORD PTR [eax]

0x080484b3 <main+63>: mov DWORD PTR [esp],eax

0x080484b6 <main+66>: call 0x8048414 <check_authentication>

0x080484bb <main+71>: test eax,eax

0x080484bd <main+73>: je 0x80484e5 <main+113>

0x080484bf <main+75>: mov DWORD PTR [esp],0x80485fb

0x080484c6 <main+82>: call 0x804831c <printf@plt>

0x080484cb <main+87>: mov DWORD PTR [esp],0x8048619

0x080484d2 <main+94>: call 0x804831c <printf@plt>

0x080484d7 <main+99>: mov DWORD PTR [esp],0x8048630

0x080484de <main+106>: call 0x804831c <printf@plt>

0x080484e3 <main+111>: jmp 0x80484f1 <main+125>

0x080484e5 <main+113>: mov DWORD PTR [esp],0x804864d

0x080484ec <main+120>: call 0x804831c <printf@plt>

0x080484f1 <main+125>: leave

0x080484f2 <main+126>: ret

End of assembler dump.

( gdb)

Hacking: The Art of Exploitation

Search WWH ::

Custom Search

Home