(fix): bof.s
parent
d8178c293c
commit
45cc265531
12
bof.s
12
bof.s
@ -36,7 +36,7 @@
mov %rax, %rdi # } #
mov %rax, %rdi # } #
call gets@plt # #
call gets@plt # #
#---------------------------------------------------------------#-----------------------------------------------#
#---------------------------------------------------------------#-----------------------------------------------#
# Knowing that the buffer size is 8 and that there are no protections on this binary, we can overflow the #
# Knowing that the buffer size is 8 and that there are no protections on this binary, we can overflow the #
# buffer to call a function such as `_get_rich_fast`. This is because the stack also contains a saved base #
# buffer to call a function such as `_get_rich_fast`. This is because the stack also contains a saved base #
# pointer (1) to know where to jump back to at the of the function. After inputting the correct amount of #
# pointer (1) to know where to jump back to at the of the function. After inputting the correct amount of #
# any data, for example, the character 'a' to fill the buffer, the stack looks like this: #
# any data, for example, the character 'a' to fill the buffer, the stack looks like this: #
@ -71,18 +71,20 @@
call printf@plt #-----------------------------------------------#
call printf@plt #-----------------------------------------------#
# Since this function is not called in the #
# Since this function is not called in the #
#---------------------------------------------------------------# program, the goal is to jump to this #
#---------------------------------------------------------------# program, the goal is to jump to this #
jmp _exit # function (_get_rich_fast) via overflow. #
jmp _bye # function (_get_rich_fast) via overflow. #
#---------------------------------------------------------------#-----------------------------------------------#
#---------------------------------------------------------------#-----------------------------------------------#
_start: # #
_start: # #
push %rbp # push the frame pointer #
push %rbp # push the frame pointer #
call _get_input # call our input retrieving function #
call _get_input # call our input retrieving function #
mov $0, %rax # clean up rax #
pop %rbp # cleanup, jump to our exit routine #
pop %rbp # cleanup, jump to our exit routine #
jmp _exit # #
jmp _bye # #
#---------------------------------------------------------------#-----------------------------------------------#
#---------------------------------------------------------------#-----------------------------------------------#
_exit: # exit(0) #
_bye: # exit(0) #
mov $60, %al #-----------------------------------------------#
mov $60, %al #-----------------------------------------------#
xor %rdi, %rdi # sys_exit = 60 (dec) #
xor %rdi, %rdi # sys_exit = 60 (dec) #
syscall # exit code = 0 #
syscall # exit code 0 #
retq # bye bye #
#---------------------------------------------------------------#-----------------------------------------------#
#---------------------------------------------------------------#-----------------------------------------------#
# #
# #
#---------------------------------------------------------------------------------------------------------------#
#---------------------------------------------------------------------------------------------------------------#
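Review bot: The added `mov $0, %rax` in `_start` clears rax on only one of the two paths into `_bye`; the `jmp _bye` that follows `call printf@plt` in the second hunk arrives with rax still holding printf's return value, and `mov $60, %al` then rewrites just the low byte, so the syscall number is wrong whenever that value exceeds 255. Fixing the sink covers both callers: replace `mov $60, %al` with `mov $60, %eax` (a 32-bit write zero-extends into rax), after which the new `mov $0, %rax` in `_start` can be dropped or written as the usual `xor %eax, %eax`. The added `retq` after `syscall` is unreachable because exit(2) does not return; if it is kept as a guard, its comment should say so, e.g. `retq # not reached: exit(2) does not return`, rather than `# bye bye`. The first hunk shows identical old and new text for every line, so any change there is presumably whitespace only and cannot be reviewed from this rendering.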