Security Basics mailing list archives

[Fwd: Re: wargame issue]


From: haad <haaaad () gmail com>
Date: Tue, 20 Sep 2005 11:43:18 +0200

-------- Original Message --------
Subject: Re: wargame issue
Date: Thu, 15 Sep 2005 02:09:41 +0200
From: haad <haaaad () gmail com>
To: Q nix <qnix () bsdmail org>,  security-basics () securityfocus com
References: <20050913175416.C1A617B49F () ws5-10 us4 outblaze com>

Q nix wrote:
----- Original Message -----
From: haad <haaaad () gmail com>
To: security-basics () securityfocus com
Subject: wargame issue
Date: Tue, 13 Sep 2005 10:25:20 +0200


I'm playing a wargame at www.hackerslab.org but I have a problem with a
level in which I need to exploit bounds checking.

How can I exploit this? Some theory would be useful, or some links to
exploiting techniques too ;)

I know that this application doesn't check the input string; with a long
string I am able to segfault this application.

Cheers

Send me the source code if you have it ... and I'll help you with it!!

Qnix - Qnix () bsdmail org

regards,


So I have started studying for this level. I have found an old article by
Aleph One on Phrack, but I have a problem understanding it, or rather
with testing it in the real world.


Aleph One said:
 example1.c:
------------------------------------------------------------------------------
void function(int a, int b, int c) {
   char buffer1[5];
   char buffer2[10];
}

void main() {
  function(1,2,3);
}
------------------------------------------------------------------------------

   To understand what the program does to call function() we compile it
with gcc using the -S switch to generate assembly code output:

$ gcc -S -o example1.s example1.c

   By looking at the assembly language output we see that the call to
function() is translated to:

        pushl $3
        pushl $2
        pushl $1
        call function
    This pushes the 3 arguments to function backwards into the stack,
and calls function().  The instruction 'call' will push the instruction
pointer (IP) onto the stack.  We'll call the saved IP the return address
(RET).  The first thing done in function is the procedure prolog:

        pushl %ebp
        movl %esp,%ebp
        subl $20,%esp

   This pushes EBP, the frame pointer, onto the stack.  It then copies
the current SP onto EBP, making it the new FP pointer.  We'll call the
saved FP pointer SFP.  It then allocates space for the local variables
by subtracting their size from SP.

   We must remember that memory can only be addressed in multiples of
the word size.  A word in our case is 4 bytes, or 32 bits.  So our 5
byte buffer is really going to take 8 bytes (2 words) of memory, and our
10 byte buffer is going to take 12 bytes (3 words) of memory.  That is
why SP is being subtracted by 20.



I tried to compile this code and view the assembly source, but I see this
in my function prolog:

        pushl   %ebp
        movl    %esp, %ebp
        subl    $40, %esp

I have my stack subtracted by 40. Why??? I don't understand.

I made some tests and I think it is because of the new gcc, but I am not sure.

:)

Can you help with this??


Cheers Adam

--

Linux is for people who hate windows NetBSD is for people who love UNIX.

                                


--

Linux is for people who hate windows NetBSD is for people who love UNIX.
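An added illustration for the two passages above (the word-rounding rule quoted from Aleph One and Adam's 20-versus-40 question); it is not code from the thread or from the Phrack article. It codes the rule as a function and, beside it, measures how whichever compiler builds it actually places the two buffers; the function names and the 5/10 byte sizes are the example's own choices, the latter taken from example1.c.

```c
/* Added example, not from the thread: the textbook sizing rule next to a
 * measurement of the real layout chosen by the compiler in use. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Round n up to the next multiple of word (word must be a power of two). */
static size_t round_up(size_t n, size_t word)
{
    return (n + word - 1) & ~(word - 1);
}

/* Bytes subtracted from SP for the locals under the rule quoted from
 * Aleph One: pad each local to whole words, then sum. For {5, 10} with
 * 4-byte words this is 8 + 12 = 20, the figure in the article. */
size_t model_locals_size(const size_t *sizes, size_t count, size_t word)
{
    size_t total = 0;
    for (size_t i = 0; i < count; i++)
        total += round_up(sizes[i], word);
    return total;
}

/* Distance in bytes from buffer1 to buffer2 as laid out by the compiler
 * that built this binary. Sign and magnitude are compiler and flag
 * dependent, which is exactly why the real prolog need not match the
 * model; compare it with the subl immediate in your own gcc -S output. */
ptrdiff_t measured_buffer_gap(void)
{
    volatile char buffer1[5];
    volatile char buffer2[10];
    buffer1[0] = 'a'; /* touch both so they really occupy stack slots */
    buffer2[0] = 'b';
    return (ptrdiff_t)((uintptr_t)buffer2 - (uintptr_t)buffer1);
}

int main(void)
{
    size_t sizes[] = {5, 10};
    printf("model (4-byte words): %zu bytes of locals\n",
           model_locals_size(sizes, 2, 4));
    printf("this compiler: buffer2 - buffer1 = %td bytes\n",
           measured_buffer_gap());
    return 0;
}
```

Build with -O0 so the buffers are not optimised away, then run `gcc -S` on the same file as the article does and compare the prolog's subl immediate with the model's 20.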

                                