(add): most documentation; fix segfault

2022-03-22 11:31:54 -04:00 · 2022-03-22 11:31:54 -04:00 · a896711866
parent ccad201e3d
commit a896711866
2 changed files with 28 additions and 25 deletions
--- a/3
+++ b/3
@ -3,7 +3,6 @@ TARGET 		:=	$(NAME).elf
 CC		:=	gcc
 STD		:=	c89
 CFLAGS		:=	-std=$(STD) -z execstack -ggdb -fno-stack-protector
-LDFLAGS		:= 	--as-needed -dynamic-linker /lib/ld-linux.so.2 -lc

 all: clean assemble-link

@ -16,4 +15,4 @@ assemble-link: assemble
 	gcc -no-pie -nostartfiles $(CFLAGS) $(NAME).o -o $(TARGET)

 assemble:
-	as $(NAME).s -o $(NAME).o
+	as --gstabs+ $(NAME).s -o $(NAME).o
--- a/bof.s
+++ b/bof.s
@ -11,9 +11,8 @@
 # binary: bof.elf												#
 # 														#
 # assembler: GNU Assembler (as or GAS)										#
-# assemble: as bof.s -o bof.o											#
+# assemble: as --gstabs+ bof.s -o bof.o										#
 # link: gcc -no-pie -nostartfiles -z execstack -ggdb -fno-stack-protector bof.o -o bof.elf			#
-#														#
 #---------------------------------------------------------------#----------------------------------------------	#
 .code64								#  not required, but specifying we're 64-bit :) #
 #---------------------------------------------------------------#-----------------------------------------------#
@ -58,26 +57,31 @@
 #   Allowing us to craft the final payload: "aaaaaaaa\x0\x0\x0\x0\x0\x0\x0\x0\x47\x10\x40".			#
 #---------------------------------------------------------------------------------------------------------------#
 #   Execution: bash -c 'printf "aaaaaaaa\x0\x0\x0\x0\x0\x0\x0\x0\x47\x10\x40" | ./bof.elf'			#
-#---------------------------------------------------------------#-----------------------------------------------#		
-		nop						# 
-		leave						#
-		ret						#
 #---------------------------------------------------------------#-----------------------------------------------#
-	_get_rich_fast:						#
-		push	%rbp					#
-		mov	%rsp, %rbp				#
-		lea	money_str, %rdi				#
-		mov	%rdi, %rax				#
-		call	printf@plt				#
-		pop	%rbp					#
-		nop						#
-		ret						#
+		nop						# 						#
+		leave						#		 END OF FUNCTION		#
+		ret						#						#
 #---------------------------------------------------------------#-----------------------------------------------#
-	_start:							#
-		push	%rbp					#
-		call	_get_input				#
-		pop	%rbp					# TODO: segfault
-		xor	%rax, %rax				#
-		mov	$1, %al					#
-		mov	$0, %rbx				#
-		syscall						#
+	_get_rich_fast:						#						#
+		push	%rbp					#       void _get_rich_fast(void) {		#
+		mov	%rsp, %rbp				#          printf(money_str); // section .data	#
+		lea	money_str, %rdi				#       }					#
+		mov	%rdi, %rax				#						#
+		call	printf@plt				#-----------------------------------------------#
+								#    Since this function is not called in the   #
+#---------------------------------------------------------------#    program, the goal is to jump to this 	#
+		jmp	_exit					#     function (_get_rich_fast) via  overflow.	#
+#---------------------------------------------------------------#-----------------------------------------------#
+	_start:							#						#
+		push	%rbp					#           push the frame pointer		#
+		call	_get_input				#      call our input retrieving function	#
+		pop	%rbp					#      cleanup, jump to our exit routine	#
+		jmp	_exit					#						#
+#---------------------------------------------------------------#-----------------------------------------------#
+	_exit:							#		     exit(0) 			#
+		mov 	$60, %al				#-----------------------------------------------#
+		xor 	%rdi, %rdi				#		 sys_exit = 60 (dec)		#
+		syscall 					#		   exit code = 0		#
+#---------------------------------------------------------------#-----------------------------------------------#
+#														#
+#---------------------------------------------------------------------------------------------------------------#