(fix): bof.s

bfu4 2022-03-31 11:15:19 -04:00
parent d8178c293c
commit 45cc265531
GPG Key ID: FD1D952871D22043

12
bof.s

@ -36,7 +36,7 @@
mov %rax, %rdi # } #
call gets@plt # #
#---------------------------------------------------------------#-----------------------------------------------#
# Knowing that the buffer size is 8 and that there are no protections on this binary, we can overflow the #
# Knowing that the buffer size is 8 and that there are no protections on this binary, we can overflow the #
# buffer to call a function such as `_get_rich_fast`. This is because the stack also contains a saved base #
# pointer (1) to know where to jump back to at the of the function. After inputting the correct amount of #
# any data, for example, the character 'a' to fill the buffer, the stack looks like this: #
@ -71,18 +71,20 @@
call printf@plt #-----------------------------------------------#
# Since this function is not called in the #
#---------------------------------------------------------------# program, the goal is to jump to this #
jmp _exit # function (_get_rich_fast) via overflow. #
jmp _bye # function (_get_rich_fast) via overflow. #
#---------------------------------------------------------------#-----------------------------------------------#
_start: # #
push %rbp # push the frame pointer #
call _get_input # call our input retrieving function #
mov $0, %rax # clean up rax #
pop %rbp # cleanup, jump to our exit routine #
jmp _exit # #
jmp _bye # #
#---------------------------------------------------------------#-----------------------------------------------#
_exit: # exit(0) #
_bye: # exit(0) #
mov $60, %al #-----------------------------------------------#
xor %rdi, %rdi # sys_exit = 60 (dec) #
syscall # exit code = 0 #
syscall # exit code 0 #
retq # bye bye #
#---------------------------------------------------------------#-----------------------------------------------#
# #
#---------------------------------------------------------------------------------------------------------------#
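Review bot: `_bye` loads the syscall number with `mov $60, %al`, which writes only the low byte of rax, so the number is 60 only if the upper bits are already zero; the `_start` path clears rax with `mov $0, %rax` before `jmp _bye`, but `_get_rich_fast` jumps to `_bye` straight after `call printf@plt`, where rax still holds printf's return value, so a non-zero high byte would turn this into a different syscall issued with rdi=0. Use the 32-bit form `mov $60, %eax`, which zero-extends into the full register, or put `xor %eax, %eax` in front of it. The `retq` after `syscall` is unreachable since sys_exit does not return; if it is kept deliberately, say so in its comment, e.g. `# not reached: sys_exit never returns`. `_get_rich_fast` begins outside this hunk.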