Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Controling the eip

from [Carl Livitt] Network Security [Permanent Link]
Subject: Re: Controling the eip
Date: Tue, 15 May 2007 17:01:06 +0100 
You'll need to share the source of the vulnerable code as well as the
code you already provided. I believe your code should look something
more like this, too:

#include <stdio.h>

main()
{
    int i=0;
    char stuffing[45]; // one more char allows you to null-terminate
    for (i=0; i<44; i+=4) // <= causes overflow, you need to use <
        *(long *) &stuffing[i] = 0x08048405;
    stuffing[44]='\0'; // remember to null-terminate
    puts(stuffing);
}



You'll notice that Cheers,
Carl

wymerzp@sbu.edu wrote:

I am trying to learn about computer security. I picked up the book 
Shellcoder's Handbook (ISBN: 0-7645-4468-3)dump-perfect. When I inspect the 
stack with gdb it over-writes the eip with 0x41414141. 
I then look at the buffer size of the function as well as the address of said 
function (the purpose being to overflow the buffer, control eip to make the 
function iterate again) and the buffer size is 0x24 (36) and the address is 
0x08048405.
I then write a program to translate the hex into ASCII cleanly to insert into 
the buffer:

#include <stdio.h>

main()
{
    int i=0;
    char stuffing[44];
    for (i=0; i<=44; i+=4)
    {
      *(long *) &stuffing[i] = 0x08048405;
      puts(stuffing);
    }
}

I then run the program and input the address as ASCII into the buffer as 
follows: 
bash# (./addresstochar;cat) | ./overflow
which doesn't make the program iterate twice and doesn't change eip on 
inspection of the stack. What am I doing wrong here? I tried to be as 
thorough as possible; please forgive my verbosity. Thanks, Zach


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Does Backtrack set a swapfile by default?, Ian van Marwijk
Next by Date:  Re: Re: Controling the eip, wymerzp
Previous by Thread:  Controling the eip, wymerzp
Next by Thread:  Re: Re: Controling the eip, wymerzp
Indexes:  [Date] [Thread] [Top] [All Lists]