#---------------------------------------------------------------------------------------------------------------#
# description: handwritten program running gets to a buffer of [8] to exemplify a quick and dirty		#
# buffer overflow exploit.											#
#														#
# objectives: SY0-601 1.3, 2.3, 3.2										#
#														#
# intended environment: DOCKER - kalilinux/kali-last-release:latest						#
#														#
# author: bfu													#
# file: bof.s													#
# binary: bof.elf												#
# 														#
# assembler: GNU Assembler (as or GAS)										#
# assemble: as --gstabs+ bof.s -o bof.o										#
# link: gcc -no-pie -nostartfiles -z execstack -ggdb -fno-stack-protector bof.o -o bof.elf			#
#---------------------------------------------------------------#----------------------------------------------	#
.code64								#  not required, but specifying we're 64-bit :) #
#---------------------------------------------------------------#-----------------------------------------------#
								#		~ read only data ~             	#
.section .rodata						#-----------------------------------------------#
	money_str: 	.string "woohoo!! free money\n"		#  this is the string we're going to print on	#
								#  	     successful exploitation	       	#
#---------------------------------------------------------------#-----------------------------------------------#
.section .text							#		~  text section  ~		#
								#-----------------------------------------------#
	.globl		_start					#     make it known that `_start` is global	#
								#-----------------------------------------------#
	.extern		printf					#		    (FROM LIBC)			#
	.extern		gets					#	   printf(char*,...), gets(char*)	#
#---------------------------------------------------------------#-----------------------------------------------#
	_get_input:						#  						#
		push	%rbp					#  	    void _get_input(void) { 		#
		mov	%rsp, %rbp				#     		char ptr[8];			#
		sub	$0x10, %rsp				#     		gets(ptr);			#
		lea    -0x8(%rbp),%rax				#     		return;				#
		mov	%rax, %rdi				# 	    }					#
		call	gets@plt				#						#
#---------------------------------------------------------------#-----------------------------------------------#
#    Knowing that the buffer size is 8 and that there are no protections on this binary, we can overflow the    #
#    buffer to call a function such as `_get_rich_fast`. This is because the stack also contains a saved base   #
#    pointer (1) to know where to jump back to at the of the function. After inputting the correct amount of    #
#    any data, for example, the character 'a' to fill the buffer, the stack looks like this:			#
#														#
#    _______________________________________________________________________					#
#   | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |  8 |  9 |  a |  b |  c |  d |  e |  f |					#
#   |---|---|---|---|---|---|---|---|----|----|----|----|----|----|----|----|					#
#   | / | / | / | / | / | / | / | / | 61 | 61 | 61 | 61 | 61 | 61 | 61 | 61 |					#
#   |---|---|---|---|---|---|---|---|----|----|----|----|----|----|----|----|					#
#   | x | x | x | x | x | x | x | x | 63 | 10 | 40 | 00 | <-- saved bp (1)  |					#
#   |___|___|___|___|___|___|___|___|____|____|____|____|___________________|					#
#														#
#    Since we don't really care what is in the memory where the x's are, we can put anything there. We want	#
#    to modify the base pointer, so we know that we want to replace the stored address 0x40116a. However, 	#
#    since the binary is little endian (LSB), when we want to overwrite the memory, our input will have to	#
#    follow that format. Instead of writing {0x40, 0x10, 0x47} to stdin, we will write {0x47, 0x10, 0x40} to	#
#    be able to write 0x401047 (the address we want to jump to).						#
#														#
#    This allows us to craft the final payload: "aaaaaaaaaaaaaaaa\x47\x10\x40".					#
#---------------------------------------------------------------------------------------------------------------#
#    Execution: bash -c 'printf "aaaaaaaaaaaaaaaa\x47\x10\x40" | ./bof.elf'					#
#---------------------------------------------------------------#-----------------------------------------------#
		nop						# 						#
		leave						#		 END OF FUNCTION		#
		ret						#						#
#---------------------------------------------------------------#-----------------------------------------------#
	_get_rich_fast:						#						#
		push	%rbp					#       void _get_rich_fast(void) {		#
		mov	%rsp, %rbp				#          printf(money_str); // .rodata	#
		lea	money_str, %rdi				#       }					#
		mov	%rdi, %rax				#						#
		call	printf@plt				#-----------------------------------------------#
								#    Since this function is not called in the   #
#---------------------------------------------------------------#    program, the goal is to jump to this 	#
		jmp	_bye					#     function (_get_rich_fast) via  overflow.	#
#---------------------------------------------------------------#-----------------------------------------------#
	_start:							#						#
		push	%rbp					#           push the frame pointer		#
		call	_get_input				#      call our input retrieving function	#
		mov	$0, %rax				#                clean up rax			#
		pop	%rbp					#      cleanup, jump to our exit routine	#
		jmp	_bye					#						#
#---------------------------------------------------------------#-----------------------------------------------#
	_bye:							#		     exit(0) 			#
		mov 	$60, %al				#-----------------------------------------------#
		xor 	%rdi, %rdi				#		 sys_exit = 60 (dec)		#
		syscall						#		    exit code 0			#
		retq 						#		     bye bye			#
#---------------------------------------------------------------#-----------------------------------------------#
#														#
#---------------------------------------------------------------------------------------------------------------#