[Fwd: Re: wargame issue]

From: haad (haaaad_at_gmail.com)
Date: 09/20/05

  • Next message: Alexander Klimov: "Re: HTML/Java protection"
    Date: Tue, 20 Sep 2005 11:43:18 +0200
    To: security-basics@securityfocus.com, Q nix <qnix@bsdmail.org>

    Hash: SHA1

    - -------- Original Message --------
    Subject: Re: wargame issue
    Date: Thu, 15 Sep 2005 02:09:41 +0200
    From: haad <haaaad@gmail.com>
    To: Q nix <qnix@bsdmail.org>, security-basics@securityfocus.com
    References: <20050913175416.C1A617B49F@ws5-10.us4.outblaze.com>

    Q nix wrote:
    > ----- Original Message -----
    > From: haad <haaaad@gmail.com>
    > To: security-basics@securityfocus.com
    > Subject: wargame issue
    > Date: Tue, 13 Sep 2005 10:25:20 +0200
    > I 'm playing one wargame in www.hackerslab.org but I have problem with
    > level in which i need to exploit bound checking.
    > How can I exploit this.Some theory will be useful or some links to
    > exploiting technics too;)
    > I know that this application doesn't check input string , with long
    > string I able to SEg fault this application.
    > Cheers

    > Send me the sourcecode if you have it ... and iŽll help you with it !!

    > Qnix - Qnix@bsdmail.org

    > regards,

    So I have started studding in this level. I have found old article made
    by Aleph one on phrack ,but i have problem with understand it or better
    with testing it in real world .

    Aleph said :
    - -
    void function(int a, int b, int c) {
       char buffer1[5];
       char buffer2[10];

    void main() {
    - -

       To understand what the program does to call function() we compile it
    with gcc using the -S switch to generate assembly code output:

    $ gcc -S -o example1.s example1.c

       By looking at the assembly language output we see that the call to
    function() is translated to:

            pushl $3
            pushl $2
            pushl $1
            call function
        This pushes the 3 arguments to function backwards into the stack,
    and calls function(). The instruction 'call' will push the instruction
    pointer (IP) onto the stack. We'll call the saved IP the return address
    (RET). The first thing done in function is the procedure prolog:

            pushl %ebp
            movl %esp,%ebp
            subl $20,%esp

       This pushes EBP, the frame pointer, onto the stack. It then copies
    the current SP onto EBP, making it the new FP pointer. We'll call the
    saved FP pointer SFP. It then allocates space for the local variables
    by subtracting their size from SP.

       We must remember that memory can only be addressed in multiples of
    the word size. A word in our case is 4 bytes, or 32 bits. So our 5
    byte buffer is really going to take 8 bytes (2 words) of memory, and our
    10 byte buffer is going to take 12 bytes (3 words) of memory. That is
    why SP is being subtracted by 20.

    I try to compile this code an view assembly source but i see thi in my
    function prolog
            pushl %ebp
            movl %esp, %ebp
            subl $40, %esp

    i have my stack subtracted by 40. Why ??? I don't understand .

    I make some tests and i think because of new gcc but i am not sure .


    can you help with this??

    Cheers Adam

    - --

    Linux is for people who hate windows NetBSD is for people who love UNIX.


    - --

    Linux is for people who hate windows NetBSD is for people who love UNIX.

    Version: GnuPG v1.4.1 (NetBSD)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    -----END PGP SIGNATURE-----

  • Next message: Alexander Klimov: "Re: HTML/Java protection"

    Relevant Pages

    • Re: Is this math test too easy?
      ... > communications glitch; one of the more laughable cartoons ... it was loaded into physical memory and, ... > Or one can interpret the character string as one of the values ... A pointer to an integer? ...
    • Re: grow list by tail, pointer example recipe -- please comment
      ... manufacturing a pointer with that address. ... the next cons cell. ... believe these lists are in consecutive memory locations. ...
    • Re: some unanswered questions on C
      ... A pointer variable that's never been given a value. ... you don't know what memory you're modifying. ... >what i want to ask is that when i declare my buffer for fgets as ... "char *buffer" creates a pointer, ...
    • Re: "Mastering C Pointers"....
      ... all means go ahead and dive right into the C language. ... Memory is a separate unit which just stores bits. ... A pointer at the hardware level _is an integer_. ... since loops make your logic more much ...
    • Re: what is the purpose of C++ smart pointer
      ... pointer tracks the data it is referring to and updates itself ... following the changes of the memory it points to. ... How exactly will the smart pointer know that you moved the ... int * x = new int; ...