The lea (Load Effective Address) instructions at locations 08049A64, 08049A77, and
08049A83 in Figure 12-8 compute the address of the variables outf, init_cwd, and cmd
respectively. This lets us know that these three variables are character arrays, while the
fact that filename and keyword are used directly lets us know that they are character
pointers. To exploit this function call, we need to know if this sprintf() call can be made
to generate a string not only larger than the size of the cmd array, but also large enough
to reach the saved return address on the stack. Double-clicking any of the variables just
named will bring up the stack frame window for the manage_request() function
(which contains this particular sprintf() call) centered on the variable that was clicked.
The stack frame is displayed in Figure 12-9 with appropriate names applied and array
aggregation already complete.
Figure 12-9 indicates that the cmd buffer is 512 bytes long and that the 1032-byte
init_cwd buffer lies between cmd and the saved return address at offset 00000004. Simple
math tells us that we need sprintf() to write 1552 bytes (512 for cmd, 1032 bytes for
init_cwd, 4 bytes for the saved frame pointer, and 4 bytes for the saved return address) of
data into cmd in order to completely overwrite the return address.
Figure 12-9 The relevant stack arguments for sprintf()
Chapter 12: Passive Analysis
301
PART IV
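The arithmetic above (512 + 1032 + 4 + 4 = 1552) silently assumes that the entries in the stack frame are contiguous, which is what an IDA frame view shows once array aggregation is done, but which a compiler's alignment padding can break. The following added example, which is not from the book or from IDA, models an IDA-style stack frame as a list of (name, offset, size) entries with offsets relative to the saved frame pointer (IDA's " s" slot at 0 and " r" return-address slot at +4), recomputes the distance from any buffer to the return address, and flags any padding between entries that would change the answer. The negative offsets for cmd and init_cwd are derived from the sizes the text gives; the padded second frame is a constructed counter-example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameVar:
    """One entry of an IDA-style stack frame. offset is relative to the saved
    frame pointer: IDA's ' s' slot sits at 0 and ' r' (return address) at +4."""
    name: str
    offset: int
    size: int

    @property
    def end(self) -> int:
        return self.offset + self.size


# Constructed from the figures in the text: cmd is 512 bytes, init_cwd is 1032
# bytes and lies between cmd and the saved frame pointer, the saved EBP is 4
# bytes at 0 and the return address is 4 bytes at +4. The negative offsets are
# derived from those sizes under the assumption that the frame is contiguous.
MANAGE_REQUEST_FRAME = [
    FrameVar("cmd", -(512 + 1032), 512),
    FrameVar("init_cwd", -1032, 1032),
    FrameVar(" s", 0, 4),   # saved frame pointer
    FrameVar(" r", 4, 4),   # saved return address
]

# Constructed variant with 8 bytes of compiler padding between cmd and init_cwd.
PADDED_FRAME = [
    FrameVar("cmd", -1552, 512),
    FrameVar("init_cwd", -1032, 1032),
    FrameVar(" s", 0, 4),
    FrameVar(" r", 4, 4),
]


def bytes_to_overwrite(frame, buf_name, target_name=" r"):
    """Number of bytes a write starting at buf_name must produce to cover
    target_name completely. Uses the recorded offsets, so padding between
    entries is accounted for automatically (see find_gaps)."""
    by_name = {v.name: v for v in frame}
    buf, target = by_name[buf_name], by_name[target_name]
    if target.offset < buf.offset:
        raise ValueError(f"{target_name!r} lies below {buf_name!r}; "
                         "a forward overflow cannot reach it")
    return target.end - buf.offset


def find_gaps(frame):
    """Return (lower_name, upper_name, padding) for every pair of adjacent
    entries that are not contiguous; an empty list means the naive
    'add up the sizes' arithmetic is valid for this frame."""
    ordered = sorted(frame, key=lambda v: v.offset)
    gaps = []
    for lo, hi in zip(ordered, ordered[1:]):
        padding = hi.offset - lo.end
        if padding != 0:          # negative padding means overlapping entries
            gaps.append((lo.name, hi.name, padding))
    return gaps


def frame_report(frame, target_name=" r"):
    """Distance from the start of each entry at or below the target to the end
    of the target, lowest address first."""
    by_name = {v.name: v for v in frame}
    target = by_name[target_name]
    return {v.name: target.end - v.offset
            for v in sorted(frame, key=lambda v: v.offset)
            if v.offset <= target.offset}


if __name__ == "__main__":
    for label, frame in (("text frame", MANAGE_REQUEST_FRAME),
                         ("padded frame", PADDED_FRAME)):
        print(f"{label}: gaps={find_gaps(frame)}")
        for name, dist in frame_report(frame).items():
            print(f"  {name!r:12} -> {dist} bytes to cover the return address")
```

With the contiguous frame the report gives 1552 bytes from cmd (and 1548 to the saved frame pointer only), matching the text; the padded variant reports the 8-byte gap and a distance of 1560, which is the check worth running whenever the sizes in a frame view do not add up to the offsets IDA shows.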