bfu/bl
2
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

(docs): finish

Browse Source
This commit is contained in:
bfu4 2022-03-22 13:08:03 -04:00
parent a896711866
commit 824a6a079d
No known key found for this signature in database
GPG Key ID: FD1D952871D22043
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
bof.s
View File

@ -49,14 +49,15 @@
# | x | x | x | x | x | x | x | x | 6a | 11 | 40 | 00 | <-- saved bp (1) | #
# |___|___|___|___|___|___|___|___|____|____|____|____|___________________| #
# #
# woohoo more information
# Since we don't really care what is in the memory where the x's are, we can put anything there. We want #
# to modify the base pointer, so we know that we want to replace the stored address 0x40116a. However, #
# since the binary is little endian (LSB), when we want to overwrite the memory, our input will have to #
# follow that format. Instead of writing {0x40, 0x10, 0x47} to stdin, we will write {0x47, 0x10, 0x40} to #
# be able to write 0x401047 (the address we want to jump to). #
#
#
#
#
# Allowing us to craft the final payload: "aaaaaaaa\x0\x0\x0\x0\x0\x0\x0\x0\x47\x10\x40". #
# This allows us to craft the final payload: "aaaaaaaaaaaaaaaa\x47\x11\x40". #
#---------------------------------------------------------------------------------------------------------------#
# Execution: bash -c 'printf "aaaaaaaa\x0\x0\x0\x0\x0\x0\x0\x0\x47\x10\x40" | ./bof.elf' #
# Execution: bash -c 'printf "aaaaaaaaaaaaaaaa\x47\x11\x40" | ./bof.elf' #
#---------------------------------------------------------------#-----------------------------------------------#
nop # #
leave # END OF FUNCTION #