If you are reading this article for the first time, please read my previous article, Exploit Writing - 1, first.
Let's continue from Exploit Writing - 1.
Let's open the program in GDB (the GNU Debugger) and try to find the offset needed to trigger an overwrite.
As you can see here, SSP has reported a segmentation fault, which means we were able to overwrite the EIP register.
Now let's look at all the registers with the info registers command.
Here you can see the list of registers and their values in hex format (x/ADDRESS).
Let's check the ESP register; here you can see that ESP is located at 0xbfa87f00.
Now, if we can find the value of the ESP register before the strcpy function executes, we will be able to execute the malicious code.
So now let's view the source code of our program with the list command in GDB, and set a breakpoint at the strcpy function.
You can also see how to set the breakpoint in the picture; here we were able to figure out the value of the ESP register, i.e. 0xbffff26c.
Now let's subtract 200 bytes from the ESP address.
You may wonder why we should subtract 200 bytes.
The answer is that, to overwrite the EIP register, we subtract 200 bytes from the initial ESP address and then copy that ESP-200 address into EIP, which triggers the overflow. So if you subtract 200 bytes from the ESP address you get 0xbffff06c.
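The root cause being debugged above is an unbounded strcpy into a stack buffer. The following is an added example (not the tutorial's own program, whose source is not shown here) that places that vulnerable pattern beside a bounded replacement; the buffer size BUF_SIZE and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 64  /* constructed size; the tutorial does not show its buffer length */

/* The pattern the tutorial's target follows (constructed, not the tutorial's source):
 * strcpy() copies until the NUL byte, so an argument longer than BUF_SIZE-1 bytes
 * runs past buf into the saved frame pointer and the return address. Built with
 * -fstack-protector, the SSP canary check aborts when this function returns. */
void vulnerable_copy(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);            /* no bound: the overflow the page debugs in GDB */
    printf("copied %zu bytes\n", strlen(buf));
}

/* Hardened form: refuse any input that cannot fit in out, including its NUL.
 * Returns 0 when the copy happened and -1 when the input was refused. */
int safe_copy(const char *input, char *out, size_t out_size)
{
    if (input == NULL || out == NULL || out_size == 0)
        return -1;
    /* Look for the terminator within the first out_size bytes only, so an
     * over-long input is rejected without ever scanning past the destination size. */
    const char *end = memchr(input, '\0', out_size);
    if (end == NULL)
        return -1;                 /* no NUL inside out_size bytes: does not fit */
    size_t len = (size_t)(end - input);
    memcpy(out, input, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

int main(int argc, char **argv)
{
    char out[BUF_SIZE];
    const char *arg = argc > 1 ? argv[1] : "constructed sample input";
    if (safe_copy(arg, out, sizeof out) != 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", out);
    return 0;
}
```

Compiling both versions with -fstack-protector shows the difference: the bounded copy never reaches the canary, so the check has nothing to report.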
To be continued... In the next tutorial we will look at shellcode generation.