I recently started using GDB for a class and I've been struggling a bit. I have an assignment where I have to do Lab 1 exercise 2, which needs me to search for two vulnerabilities within the code and do the following with them:
The first must overwrite a return address on the stack, and the second must overwrite some other data structure that you will use to take over the control flow of the program.
I already overflowed the data structure, which I think is what it's talking about: the EIP, which points to what other instruction it will do.
Now how do I get to the return address (RET) of the frame? Any frame, it doesn't matter; I just want to know how I can calculate the bytes between the RET and maybe the ESP so I can subtract it and get the length. I just started with GDB, so take it easy on me.
To get the location of the stored return address of a specific function, you can place a breakpoint at that function and use the info frame command.
Here is an example:
    gdb /path/to/binary
    (gdb) br main
    (gdb) run
    Starting program: /path/to/binary

    Breakpoint 1, 0x08048480 in main ()
    (gdb) info frame
    Stack level 0, frame at 0xffffd700:
     eip = 0x8048480 in main; saved eip = 0xf7e3ca63
     Arglist at 0xffffd6f8, args:
     Locals at 0xffffd6f8, Previous frame's sp is 0xffffd700
     Saved registers:
      ebp at 0xffffd6f8, eip at 0xffffd6fc
Note the saved eip = 0xf7e3ca63 and eip at 0xffffd6fc. In this case you will want to overwrite the value at 0xffffd6fc, so that when the function returns, execution will continue at the value you stored there.
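As an added example (not part of the original answer), the script below parses the info frame output quoted above and turns it into the numbers the question actually asks for: which stack slot holds the saved return address, how that slot relates to the saved ebp and to the caller's stack pointer, and how many bytes lie between some address you know (such as $esp or the start of a local buffer) and that slot. The transcript is embedded as a constructed sample copied from the answer; the example $esp value is an assumption chosen for illustration. It also accepts 64-bit output (rip/rbp with word=8), which goes slightly beyond the 32-bit session on the page.

```python
import re

# Constructed sample: the 'info frame' transcript shown in the answer above.
INFO_FRAME = """\
Stack level 0, frame at 0xffffd700:
 eip = 0x8048480 in main; saved eip = 0xf7e3ca63
 Arglist at 0xffffd6f8, args:
 Locals at 0xffffd6f8, Previous frame's sp is 0xffffd700
 Saved registers:
  ebp at 0xffffd6f8, eip at 0xffffd6fc
"""


def _hex_after(pattern, text):
    """Return the hex address that follows a given phrase, or raise if absent."""
    m = re.search(pattern + r"\s*(0x[0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("field not found: %r" % pattern)
    return int(m.group(1), 16)


def parse_info_frame(text):
    """Pull the addresses that matter out of GDB's 'info frame' output.

    Works for 32-bit (eip/ebp) and 64-bit (rip/rbp) frames.
    """
    return {
        "frame": _hex_after(r"frame at", text),
        "saved_ip": _hex_after(r"saved (?:eip|rip) =", text),
        "prev_sp": _hex_after(r"Previous frame's sp is", text),
        # Slots in the 'Saved registers' section: where ebp/rbp and the
        # return address are stored on the stack.
        "bp_slot": _hex_after(r"\b(?:ebp|rbp) at", text),
        "ip_slot": _hex_after(r"\b(?:eip|rip) at", text),
    }


def layout_is_consistent(frame, word=4):
    """Check the frame-pointer layout the answer relies on.

    On x86 with frame pointers the return address sits one word above the
    saved ebp, and is the last thing the caller pushed, so it is exactly one
    word below the caller's stack pointer.
    """
    return (frame["ip_slot"] == frame["bp_slot"] + word
            and frame["ip_slot"] == frame["prev_sp"] - word
            and frame["frame"] == frame["prev_sp"])


def bytes_to_return_slot(frame, addr):
    """Distance in bytes from addr (e.g. $esp or a local buffer) up to the
    stack slot that holds the saved return address.  A negative value means
    addr is already above the slot.
    """
    return frame["ip_slot"] - addr


if __name__ == "__main__":
    f = parse_info_frame(INFO_FRAME)
    print("return address slot: 0x%x (holds 0x%x)" % (f["ip_slot"], f["saved_ip"]))
    print("layout consistent:", layout_is_consistent(f))
    esp = 0xFFFFD6D0  # assumed value of $esp at the breakpoint, for illustration
    print("bytes from $esp to return slot:", bytes_to_return_slot(f, esp))
```

In a live session you would get the same numbers with `p/x $ebp+4` (the slot) and `x/wx $ebp+4` (its contents), and `p $ebp+4-$esp` for the distance; the script is only a way to see why those expressions are the right ones.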