Security Basics mailing list archives

RE: wargame issue


From: <ankush.kapoor () wipro com>
Date: Fri, 14 Oct 2005 09:05:31 +0530


Hope this isn't too late to post!!

A similar thing came up on another list recently. The reason is that when Aleph wrote the tutorial, sizeof int 
was 2. But nowadays it's generally 4. That's why you get these shifts in addresses (keep this in mind when calculating 
offsets to overflow).

Hope this helps.

Ankush

PS: A little bit of a spoiler here... I have been through quite a few rounds on hackerslab... One of the programs by Aleph 
to create the eggshell works on this level; just look at the code closely and give it the correct arguments! ;) Enough 
said!

-----Original Message-----
From: haad [mailto:haaaad () gmail com]
Sent: Thursday, September 15, 2005 5:40 AM
To: Q nix; security-basics () securityfocus com
Subject: Re: wargame issue


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Q nix wrote:
----- Original Message -----
From: haad <haaaad () gmail com>
To: security-basics () securityfocus com
Subject: wargame issue
Date: Tue, 13 Sep 2005 10:25:20 +0200


I'm playing a wargame on www.hackerslab.org, but I have a problem with a
level in which I need to exploit bounds checking.

How can I exploit this? Some theory would be useful, or some links to
exploitation techniques too ;)

I know that this application doesn't check the input string; with a long
string I am able to segfault this application.

Cheers

Send me the source code if you have it ... and I'll help you with it !!

Qnix - Qnix () bsdmail org

regards,


So I have started studying this level. I have found an old article by Aleph One on Phrack, but I have a problem 
understanding it, or rather with testing it in the real world.


Aleph said:
 example1.c:
------------------------------------------------------------------------------
void function(int a, int b, int c) {
   char buffer1[5];
   char buffer2[10];
}

void main() {
  function(1,2,3);
}
------------------------------------------------------------------------------

   To understand what the program does to call function() we compile it with gcc using the -S switch to generate 
assembly code output:

$ gcc -S -o example1.s example1.c

   By looking at the assembly language output we see that the call to
function() is translated to:

        pushl $3
        pushl $2
        pushl $1
        call function
    This pushes the 3 arguments to function backwards into the stack, and calls function().  The instruction 'call' 
will push the instruction pointer (IP) onto the stack.  We'll call the saved IP the return address (RET).  The first 
thing done in function is the procedure prolog:

        pushl %ebp
        movl %esp,%ebp
        subl $20,%esp

   This pushes EBP, the frame pointer, onto the stack.  It then copies the current SP onto EBP, making it the new FP 
pointer.  We'll call the saved FP pointer SFP.  It then allocates space for the local variables by subtracting their 
size from SP.

   We must remember that memory can only be addressed in multiples of the word size.  A word in our case is 4 bytes, or 
32 bits.  So our 5 byte buffer is really going to take 8 bytes (2 words) of memory, and our 10 byte buffer is going to 
take 12 bytes (3 words) of memory.  That is why SP is being subtracted by 20.



I tried to compile this code and view the assembly source, but I see this in my function prolog:

        pushl   %ebp
        movl    %esp, %ebp
        subl    $40, %esp

I have my stack subtracted by 40. Why??? I don't understand.

I made some tests and I think it's because of the new gcc, but I am not sure.

:)

can you help with this??


Cheers Adam

--

Linux is for people who hate windows NetBSD is for people who love UNIX.

                        
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (NetBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDKLvF9Wt2FT7y228RArbHAKCr/5U3Ag0X+Xrtta5/GqPVMUZ9cgCgsSkA
guVr4+PFjXhN7JawU5Obyh8=
=Jnk4
-----END PGP SIGNATURE-----
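The question above, why the prolog reserves 40 bytes on one compiler and 20 on another, comes down to how the compiler pads and aligns the locals. The program below is an added example written for this archive page; it is not code from the thread or from Aleph One's paper. It encodes the 4-byte-word rounding rule quoted above, then declares the same two buffers as example1.c and measures what the compiler actually did: the distance between the two buffers and the distance from the lowest buffer to the saved frame pointer. It assumes GCC or Clang, because it relies on `__builtin_frame_address(0)` to find the saved-FP slot; the struct and function names are ours.

```c
/* Added example (not from the thread or Aleph One's paper): compare the
 * word-rounding rule from the quoted text with the frame the compiler really
 * builds for example1.c's locals. Assumes GCC/Clang for __builtin_frame_address. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Aleph One's rule: every local is rounded up to a whole number of words,
 * so with 4-byte words a 5-byte buffer costs 8 and a 10-byte one costs 12. */
size_t round_up(size_t size, size_t align)
{
    return (size + align - 1) / align * align;
}

/* Frame reservation that rule predicts for example1.c's two buffers. */
size_t predicted_frame_bytes(size_t align)
{
    return round_up(5, align) + round_up(10, align);
}

struct frame_layout {
    ptrdiff_t buffer_gap;       /* &buffer1 - &buffer2, in bytes */
    ptrdiff_t lowest_to_frame;  /* saved-FP slot minus the lowest buffer address */
    int checksum;               /* forces the buffers to stay live in the frame */
};

/* Same locals as example1.c. __builtin_frame_address(0) yields the address
 * of the saved frame pointer (SFP); locals and any padding lie below it, so
 * pf - lowest is how many bytes the compiler really put in front of SFP. */
__attribute__((noinline))
struct frame_layout measure_frame(int a, int b, int c)
{
    char buffer1[5];
    char buffer2[10];
    volatile char *v1 = buffer1, *v2 = buffer2;   /* volatile: keep them in memory */
    struct frame_layout out;
    uintptr_t p1 = (uintptr_t)buffer1, p2 = (uintptr_t)buffer2;
    uintptr_t pf = (uintptr_t)__builtin_frame_address(0);
    uintptr_t lowest = p1 < p2 ? p1 : p2;

    for (size_t i = 0; i < sizeof buffer1; i++) v1[i] = (char)a;
    for (size_t i = 0; i < sizeof buffer2; i++) v2[i] = (char)b;
    out.checksum = v1[0] + v2[0] + c;
    out.buffer_gap = p1 >= p2 ? (ptrdiff_t)(p1 - p2) : -(ptrdiff_t)(p2 - p1);
    out.lowest_to_frame = (ptrdiff_t)(pf - lowest);
    return out;
}

int main(void)
{
    struct frame_layout f = measure_frame(1, 2, 3);
    printf("4-byte-word rounding rule predicts %zu bytes of locals\n",
           predicted_frame_bytes(4));
    printf("this compiler: buffer1 - buffer2 = %td bytes\n", f.buffer_gap);
    printf("this compiler: %td bytes from the lowest buffer to the saved FP\n",
           f.lowest_to_frame);
    return 0;
}
```

Build it once with `gcc -m32 -O0` and once with the default 64-bit target (or with `-fstack-protector` on and off) and the second and third numbers change while the first stays at 20: the rounding rule is a property of one compiler's frame layout policy, not of the C language, so any offset taken from the 1996 text has to be re-measured on the compiler that built the binary at hand.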




