do a ulimit -c 10000 so you can get core dumps
make the program segv... then try gdb -q ./abo10 core.
You are looking to overwrite the eip with 0x41414141 I believe.
Once you control the eip you need to change it to point to your shellcode.
You should certainly read through smashing the stack for fun and profit...

-KF

Jeremy Junginger wrote:

>Hey guys,
>Thanks for all of the great feedback about assembler and c. I was
>playing with the code at:
>http://community.core-sdi.com/~gera/InsecureProgramming/abo1.html
>(Thanks for the link, Claes)
>And if it is run, it produces a segmentation fault. After running gdb
>against the program, I obtain the following data:
>
>[rewt@n00bB0x]# gdb abo1
>
>Copyright 2001 Free Software Foundation, Inc.
>GDB is free software, covered by the GNU General Public License, and you
>are welcome to change it and/or distribute copies of it under certain
>conditions.
>Type "show copying" to see the conditions.
>There is absolutely no warranty for GDB. Type "show warranty" for
>details.
>This GDB was configured as "i386-redhat-linux"...
>(gdb) disass main
>Dump of assembler code for function main:
>0x8048460 <main>: push %ebp
>0x8048461 <main+1>: mov %esp,%ebp
>0x8048463 <main+3>: sub $0x108,%esp
>0x8048469 <main+9>: sub $0x8,%esp
>0x804846c <main+12>: mov 0xc(%ebp),%eax
>0x804846f <main+15>: add $0x4,%eax
>0x8048472 <main+18>: pushl (%eax)
>0x8048474 <main+20>: lea 0xfffffef8(%ebp),%eax
>0x804847a <main+26>: push %eax
>0x804847b <main+27>: call 0x804834c <strcpy>
>0x8048480 <main+32>: add $0x10,%esp
>0x8048483 <main+35>: leave
>0x8048484 <main+36>: ret
>0x8048485 <main+37>: lea 0x0(%esi),%esi
>0x8048488 <main+40>: nop
>0x8048489 <main+41>: nop
>0x804848a <main+42>: nop
>0x804848b <main+43>: nop
>0x804848c <main+44>: nop
>0x804848d <main+45>: nop
>0x804848e <main+46>: nop
>0x804848f <main+47>: nop
>End of assembler dump.
>(gdb) quit
>
>[rewt@n00bB0x]#
>
>I guess I don't really know where to go from here. I see that the
>buffer has space for 256 bytes. Okay, so I run ./abo1 AAAAAAAA(256
>times) and it runs okay, then when I run ./abo1 with AAAA(more than
>256X) it returns with a segmentation fault. The part I'm not
>understanding is, after I've overflowed the buffer, how do I know where
>the next bytes will be stored? Will they be stored at the next memory
>address (in this case 0x8048480)? Once you know where they are stored,
>how can you append your code, do you just do a
>AAAAAA(howevermanytimesyouneedit) and then append your code to the end
>of it?
>
>Thanks for fielding these beginner questions. They're embarrassing to
>ask, but everyone's gotta start somewhere.
>
>-Jeremy
>
>
>-----Original Message-----
>From: Kim Reece [mailto:sorelat_private]
>Sent: Monday, July 15, 2002 4:53 PM
>To: Knud Erik Højgaard
>Cc: Jeremy Junginger; vuln-devat_private
>Subject: Re: Assembler/C References
>
>
>
>"art of assembly" - i forget the author name, but it's a very good book
>and a simple google search will turn it up
>
>plus just about any 'advanced' c book, i.e. one that doesn't assume you
>are incapable of understanding an if statement and need kindergarden
>style graphics to not get bored.
>
>
>--sorel
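An added illustration of the layout question in the thread (example code written for this archive page, not from the thread or from gera's exercise): it models abo1's frame as the quoted disassembly lays it out, shows which stack slot each byte past the 256-byte buffer lands in and why a core dump then shows 0x41414141 in eip, and puts the length-checked copy that closes the hole next to it. The struct layout, the placeholder saved values and the function names are assumptions derived from that listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* abo1's main() frame as the quoted disassembly lays it out: buf is at
 * ebp-0x108 (lea 0xfffffef8(%ebp)), 264 bytes below the saved ebp, which
 * sits just below the return address. Offsets are read from that listing. */
struct frame_model {
    char     buf[0x108];    /* 256-byte buffer plus 8 bytes of padding */
    uint32_t saved_ebp;     /* stored by "push %ebp" at main+0 */
    uint32_t saved_eip;     /* return address popped by "ret" at main+36 */
};

/* Which slot does the byte at offset `off` from buf land in? Overflowed
 * bytes go to the next stack address, not to a code address like 0x8048480. */
const char *slot_for_offset(size_t off) {
    if (off < 256) return "buf";
    if (off < offsetof(struct frame_model, saved_ebp)) return "padding";
    if (off < offsetof(struct frame_model, saved_eip)) return "saved_ebp";
    if (off < sizeof(struct frame_model)) return "saved_eip";
    return "caller's frame";
}

/* Write n_as 'A' bytes from buf upward as strcpy(buf, argv[1]) would, but
 * clamped to the model so the write stays defined behaviour (abo1 has no
 * clamp). Returns what the return-address slot holds afterwards. */
uint32_t eip_after_copy(size_t n_as) {
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = 0xbffffa00u;    /* constructed placeholder */
    f.saved_eip = 0xdeadbeefu;    /* constructed placeholder */
    if (n_as > sizeof f) n_as = sizeof f;
    memset((unsigned char *)&f, 'A', n_as);  /* raw bytes, as the CPU sees them */
    return f.saved_eip;
}

/* The fix: check the length before copying instead of trusting argv[1]. */
int copy_checked(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (n >= dstsz) return -1;    /* no room for the bytes plus the NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Does a string of n_as 'A's pass copy_checked() into a 256-byte buffer? */
int fits_abo1_buf(size_t n_as) {
    char src[512] = {0}, dst[256];   /* zero-filled, so src stays NUL-terminated */
    memset(src, 'A', n_as < sizeof src ? n_as : sizeof src - 1);
    return copy_checked(dst, sizeof dst, src);
}
```

The 256-byte input leaves the return address intact while 272 bytes fill the saved_ebp and saved_eip slots with 0x41414141, which is the value KF says to look for in the core dump.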
This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 13:51:11 PDT