stack - Overflow attack to call function -

-

i have assignment school (i not ask question give me answer assignment)

we have been given following code in c:

#include <stdio.h> #include <stdlib.h>  int main( int argc, char **argv ) { char * stuff = 0; int len = 0;  vulnerable(); return 0; }  int vulnerable( void ) { char buf[100];  printf("please enter hacker name: "); fflush(stdout); gets(buf); printf("\"%s\"\n can hack this?" , buf ); }  void notcalled( void ) { char *secret = "iouf jmmb, cbsb sftufo lwbs!"; int i;  printf("the secret string is: "); for( = 0 ; secret[i] ; i++ )     if( secret[i] >= 'a' && secret[i] <= 'z' )         printf("%c" , secret[i] -1 );     else         printf("%c" , secret[i] ); printf("\n"); }

i have compiled program using command:

gcc -fno-stack-protector -z execstack -o oflow oflow.c

i want know if "right on track".

the first thing did find function "notcalled()" address, after have been looking @ stack while running gdb , trying figure out put address.

i have been using following perl script overflow program:

perl -e 'print "a"x312 ."\xb0\x85\x04\x08"' | ./oflow

(note value 312 example)

my question is: how can find out place address in stack , how calculate how many bytes have fill overflow. (i don't want answer, want hints , tips solve problem)

thanks in advance!

to give exact answer need provide disassembly of vulnerable method since it's going vary depending upon hardware you're running on.

a function call typically consists of this:

1 push arguments on stack. 2 call method. 3 clean stack.

the call operation combination of 2 instructions:

2.1 push address of line 3 onto stack.  2.2 jump address of method being called.

the method being called typically consists of this:

4 create stack frame method (something below)      push bp      mov sp, bp 5 create space local variables on stack      sub 0x64, sp 6 stuff.... 7 clean stack frame.      mov bp, sp      pop bp 8 return method.      ret

figuring out put address on stack

the ret instruction pops address pushed when method called, instruction pointer. goal change address instead of pointer pushed @ line 3 pointing @ notcalled method. so, need address onto stack past outside methods stack frame.

figuring out how trigger overflow

as know, vulnerable part of method call it's call gets. takes input stdin , keeps collecting input until gets end of line. since doesn't take in buffer size, means possible pass more characters gets buffer pointing @ can hold hence can trigger buffer overflow.

figuring out how many bytes needed overflow

as i've said above, trigger overflow on filling buffer. so, size of input going function of (buffer size) + (possibly other local variables) + (the stack frame). can either work out looking @ disassembly, or through little bit of trial , error see how filling buffer , overflowing through stack.


Comments

Post a Comment

Popular posts from this blog

java - Oracle EBS .ClassNotFoundException: oracle.apps.fnd.formsClient.FormsLauncher.class ERROR -

-
i need in configuring java on machine because, when try loading forms, loader goes in circles , gives error: java.lang.classnotfoundexception: oracle.apps.fnd.formsclient.formslauncher.class @ sun.plugin2.applet.applet2classloader.findclass(unknown source) @ sun.plugin2.applet.plugin2classloader.loadclass0(unknown source) @ sun.plugin2.applet.plugin2classloader.loadclass(unknown source) @ sun.plugin2.applet.plugin2classloader.loadclass(unknown source) @ java.lang.classloader.loadclass(unknown source) @ sun.plugin2.applet.plugin2classloader.loadcode(unknown source) @ sun.plugin2.applet.plugin2manager.createapplet(unknown source) @ sun.plugin2.applet.plugin2manager$appletexecutionrunnable.run (unknown source) @ java.lang.thread.run(unknown source) i have tried re-installing firefox, older versions of java runtime environments, disabling proxy. what missing? application working on other machines. i spent around 100 hours finding s
Read more

c# - how to use buttonedit in devexpress gridcontrol -

-
Image
i trying create gridcontrol buttonedit in 1 of columns. when user clicks button edit, popups form select product. when selection done on popup, returns datarow selection main grid below. but when column loses focus, value wrote column disappear. here code creates gridcontrol's data , buttonedit's click event. private void frmsiparisnew_load(object sender, eventargs e) { dt = new datatable(); dt.columns.add("malzeme_kodu",typeof(string)); dt.columns.add("malzeme_aciklama", typeof(string)); dt.columns.add("adet", typeof(decimal)); dt.columns.add("birim", typeof(string)); dt.columns.add("fiyat", typeof(decimal)); dt.columns.add("kur", typeof(string)); dt.columns.add("tutar", typeof(decimal)); datarow dr = dt.newrow(); dt.rows.add(dr); gc.datasource = dt; } private void repositoryitembuttoneditmal
Read more

nvd3.js - angularjs-nvd3-directives setting color in legend as well as in chart elements -

-
good morning i using angularjs-nvd3-directives, great, having difficulties when setting color of multi bar chart ( http://cmaurer.github.io/angularjs-nvd3-directives/multi.bar.chart.html ). the show legend works well: <div ng-controller="examplectrl"> <nvd3-multi-bar-chart data="exampledata" id="showlegendexample" width="550" height="300" showxaxis="true" showyaxis="true" xaxistickformat="xaxistickformatfunction()" showlegend="true"> <svg></svg> </nvd3-multi-bar-chart> </div> but when add option in conjunction color="colorfunction()" where, var colorarray = ['#ff0000', '#0000ff', '#ffff00', '#00ffff']; $scope.colorfunction = function() { return function(d, i) { return colorarray[i]; }; } the color of cha
Read more