Tuesday, April 26, 2011

Exploit writing-2

If you are reading this article for the first time, please read my earlier article, Exploit writing - 1, first.

Let's continue from where Exploit writing - 1 left off.

Let's open the program in GDB (the GNU debugger) and try to find the offset needed to trigger an overwrite.

As you can see here, SSP has reported a segmentation fault, which means we were able to overwrite the EIP register.

Now let's look at all the registers with the info registers command.

Here you can see the list of registers and their contents in hex (examine memory at an address with x/ADDRESS).

Let's check the ESP register: here you can see that ESP is at 0xbfa87f00.

If we can find the value of the ESP register just before the strcpy function executes, we will be able to direct execution to our code.

So now let's look at the source code of our program with the list command in gdb, and set a breakpoint on the strcpy function.

The picture also shows how to set the breakpoint; with the program stopped there, we find the value of the ESP register, i.e. 0xbffff26c.

Now let's subtract 200 bytes from the ESP address.

You may wonder why we should subtract 200 bytes.

The answer is that, to overwrite the EIP register, we take the initial ESP address, subtract 200 bytes, and place that ESP-200 address into EIP, which triggers the overflow. So if you subtract 200 bytes from the ESP address you get 0xbffff06c.
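The article never shows the program's source, only that it calls strcpy into a stack buffer. The following is an added example (not the article's program) that assumes a 64-byte buffer: the first function is the unchecked strcpy pattern that produces the segmentation fault observed in GDB, and the second is the bounded form a defender would ship, which refuses input that does not fit instead of letting it run into the saved EIP. Compiling the original with gcc's -fstack-protector (the SSP the article mentions) would make the overflow abort at function return rather than silently corrupt the return address.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed buffer size; the article does not give the real one */

/* Assumed shape of the program under debug: attacker-controlled input is
 * copied into a fixed-size stack buffer with strcpy, which never checks
 * length. Input longer than BUF_SIZE overruns the buffer and, far enough
 * along, the saved return address (EIP), which is the crash seen in GDB. */
void vulnerable_copy(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                 /* no bounds check at all */
    printf("copied %zu bytes\n", strlen(buf));
}

/* Hardened form: measure first, then copy only if the input plus its
 * terminating NUL fits. Returns 0 on success, -1 when the input is rejected.
 * Rejecting is preferable to silent truncation, which can hide the fault. */
int bounded_copy(const char *input, char *dst, size_t dst_size)
{
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size)
        return -1;                      /* would overflow: refuse */
    memcpy(dst, input, len + 1);        /* includes the NUL */
    return 0;
}

/* Constructed over-long input of the kind used to find the offset
 * ('A' repeated n times). Returns 1 if the bounded copy rejects it. */
int rejects_overlong(size_t n)
{
    char input[512];
    char dst[BUF_SIZE];
    if (n >= sizeof input)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return bounded_copy(input, dst, sizeof dst) == -1;
}

/* Returns 1 if a well-sized string is copied intact by the bounded copy. */
int copy_and_check(const char *s)
{
    char dst[BUF_SIZE];
    if (bounded_copy(s, dst, sizeof dst) != 0)
        return 0;
    return strcmp(dst, s) == 0;
}

int main(void)
{
    /* A 200-byte pattern, the same length the article subtracts from ESP,
     * is accepted by the unchecked copy and refused by the bounded one. */
    printf("200 'A's rejected by bounded_copy: %d\n", rejects_overlong(200));
    printf("short string copied intact: %d\n", copy_and_check("hello"));
    return 0;
}
```

In GDB the difference is visible immediately: the unchecked version overruns and faults, while bounded_copy returns -1 and the saved EIP above the buffer is never touched.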

To be continued... in the next tutorial we will look at shellcode generation.

