Ahmad Mahfouz

Random notes

SMASH THE STACK LEVEL3

Pretty good level, I learned a few new things.

So let's hit the game.

Fighting with the app till it crashes, and hell yeah, we start from a fault 😀

So we need to see what's going on.

Much assembly to read, but there is some interesting stuff in there:

strlen, memcpy, memset

But the natural feeling is that memcpy is our way in 😛

Let's see what's inside ESP.

You will notice that our A's live in memory; this is a good sign that we are on the right track.

Also, I found that the source code is available; it will save us some time understanding what the app does.

2 functions: good, bad

good drops the shell

bad just says some stuff

The main function, let's see the logic of the app:

One line: functionpointer = bad (the function pointer is set to the bad function)

Setting the char buffer limit to 50 😀 this is how you do it!!!

An if statement checks whether the argument is less than 4 chars and returns 0 if so.

Send the argv[1] data to the buffer.

That overwrites the memory past the buffer,

then the call functionpointer(); == bad 😀

You call the bad function and I will call your …..
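As an added example (this is not the level's own source; good, bad, handle_input, handle_repeated and BUF_SIZE are my reconstruction from the description above), here is the same program logic with the bounds check the level leaves out, so a 60-byte argv[1] is rejected instead of reaching the function pointer:

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 50
enum outcome { TOO_SHORT = 0, TOO_LONG = 1, CALLED = 2 };

void good(void) { puts("good: would drop the shell"); }
void bad(void)  { puts("bad: sorry"); }

/* Same flow as the level: 50-byte buffer, function pointer defaulting to
 * bad, "shorter than 4" check, memcpy of the input. The level sizes the
 * memcpy by strlen(argv[1]) alone, so bytes past 50 land on whatever the
 * compiler placed after the buffer (the pointer) - the overwrite shown above.
 * Returns which path ran so the behaviour can be checked without stdout. */
int handle_input(const char *arg)
{
    void (*functionpointer)(void) = bad;
    char buffer[BUF_SIZE];
    size_t len = strlen(arg);

    if (len < 4)
        return TOO_SHORT;          /* the level's own check */
    /* The missing check: refuse input that does not fit (room for the NUL).
     * memcpy can no longer reach past buffer, so functionpointer keeps the
     * value assigned above no matter what argv[1] contains. */
    if (len >= BUF_SIZE)
        return TOO_LONG;

    memcpy(buffer, arg, len);
    buffer[len] = '\0';
    printf("copied %zu bytes: %s\n", len, buffer);
    functionpointer();             /* always bad */
    return CALLED;
}

/* Builds the writeup's $(python -c "print 'A' * n") input in-process. */
int handle_repeated(char c, size_t n)
{
    char tmp[256];
    if (n >= sizeof tmp)
        return -1;
    memset(tmp, c, n);
    tmp[n] = '\0';
    return handle_input(tmp);
}

int main(int argc, char **argv)
{
    return argc > 1 && handle_input(argv[1]) == CALLED ? 0 : 1;
}
```

Building with -fstack-protector and a non-executable stack would additionally turn a silent pointer overwrite into an abort, but the bounds check is what removes the bug itself.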

Okay, now we know what's going on.

Let's do the hard work.

So let's set a breakpoint after the memcpy love.

Run gdb again with 60 chars of data:

(gdb) r $(python -c "print 'A' * 60")

and take a look at ESP.


Here is our data.

Now we want to jump to function good 😀 so let's print the function addresses.

0x08048474 is good; this is our target, so let's reverse it (little-endian):

\x74\x84\x04\x08

Let's send the payload.

The app says sorry 🙂 and exits at address 0x80484a4.

After re-looking at what happened in ESP,


we will notice that the space between 0x41414141 and 0x080484a4 is 16 bit,

so let's add another 16 bit to the payload.

new process <3
