(gdb) cont
Continuing.
Breakpoint 3, check_authentication (password=0xbffff9b7 'A' <repeats 30 times>)
at auth_overflow2.c:16
16 return auth_flag;
(gdb) x/32xw $esp
0xbffff7a0: 0xbffff7c0 0x080485dc 0xbffff7b8 0x080482d9
0xbffff7b0: 0xb7f9f729 0xb7fd6ff4 0xbffff7e8 0x00000000
0xbffff7c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7d0: 0x41414141 0x41414141 0x41414141 0x08004141
0xbffff7e0: 0xbffff9b7 0x08048510 0xbffff848 0xb7eafebc
0xbffff7f0: 0x00000002 0xbffff874 0xbffff880 0xb8001898
0xbffff800: 0x00000000 0x00000001 0x00000001 0x00000000
0xbffff810: 0xb7fd6ff4 0xb8000ce0 0x00000000 0xbffff848
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x08004141 in ?? ()
(gdb)
When some of the bytes of the saved return address are overwritten, the
program will still try to use that value to restore the execution pointer
register (EIP). This usually results in a crash, since execution is essentially
jumping to a random location. But this value doesn't need to be random. If the
overwrite is controlled, execution can, in turn, be controlled to jump to a
specific location. But where should we tell it to go?
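The gdb session above can be triaged mechanically: find the run of fill words in the stack dump, take the word right after it, and check it against the EIP reported in the SIGSEGV. The script below is an added example (not from the book); the dump and the faulting EIP are re-typed from the session above as constructed input, and the assumption that the fill run is contiguous is noted in the code.

```python
import re

# Constructed input: the x/32xw dump from the gdb session above, re-typed.
STACK_DUMP = """
0xbffff7a0: 0xbffff7c0 0x080485dc 0xbffff7b8 0x080482d9
0xbffff7b0: 0xb7f9f729 0xb7fd6ff4 0xbffff7e8 0x00000000
0xbffff7c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7d0: 0x41414141 0x41414141 0x41414141 0x08004141
0xbffff7e0: 0xbffff9b7 0x08048510 0xbffff848 0xb7eafebc
"""
FAULT_EIP = 0x08004141  # from "0x08004141 in ?? ()" in the same session

_LINE = re.compile(r"^(0x[0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)$")

def parse_words(dump):
    """Turn `x/Nxw` output into an address-ordered list of (addr, word)."""
    out = []
    for line in dump.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError("unexpected gdb line: " + line)
        base = int(m.group(1), 16)
        out += [(base + 4 * i, int(w, 16)) for i, w in enumerate(m.group(2).split())]
    return out

def low_fill_bytes(word, fill):
    """Count low-order bytes (written first on little-endian x86) equal to fill."""
    n = 0
    while n < 4 and (word >> (8 * n)) & 0xFF == fill:
        n += 1
    return n

def triage(dump, fault_eip, fill=0x41):
    """Locate the fill run and the partially clobbered word that follows it."""
    words = parse_words(dump)
    full_word = fill * 0x01010101
    run = [i for i, (_, w) in enumerate(words) if w == full_word]
    if not run:
        return None
    start, end = run[0], run[-1]  # assumption: a single contiguous fill run
    after_addr, after_word = words[end + 1]
    return {
        "buffer_start": words[start][0],
        "fill_bytes": 4 * (end - start + 1),
        "clobbered_addr": after_addr,
        "clobbered_word": after_word,
        "controlled_bytes": low_fill_bytes(after_word, fill),
        "crash_matches": after_word == fault_eip,  # crash EIP == clobbered word
    }

if __name__ == "__main__":
    for k, v in triage(STACK_DUMP, FAULT_EIP).items():
        print(k, hex(v) if type(v) is int else v)
```

For this session it reports 28 full fill bytes plus 2 controlled bytes of the saved return address, which adds up to the 30-byte input shown at the breakpoint.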
Experimenting with BASH
Since so much of hacking is rooted in exploitation and experimentation, the
ability to quickly try different things is vital. The BASH shell and Perl are
common on most machines and are all that is needed to experiment with
exploitation.
Perl is an interpreted programming language with a print command that
happens to be particularly suited to generating long sequences of characters.
Perl can be used to execute instructions on the command line by using the
-e switch like this:
reader@hacking:~/booksrc $ perl -e 'print "A" x 20;'
AAAAAAAAAAAAAAAAAAAA
This command tells Perl to execute the commands found between the
single quotes—in this case, a single command of print "A" x 20;. This
command prints the character A 20 times.
Any character, such as a nonprintable character, can also be printed by
using \x##, where ## is the hexadecimal value of the character. In the following
example, this notation is used to print the character A, which has the
hexadecimal value of 0x41.