I try to achieve stack smashing when I have only the executable file . I use the objdump to get the assembly code for this source code :
#include<stdio.h>
#include<string.h>
void func(char *str) {
char buffer[24];
int *ret;
strcpy(buffer,str);
}
int main(int argc, char **argv) {
int x;
x = 0;
func(argv[1]);
x = 1;
printf("%d\n”,x);
}
at run time ./a,out (value)....I need to insert the (value ) in such away I insert the NOP in stack location and that last part of (value) is the address of my next instruction. I have 40 byte before reaching the location that contain the return address of the fun() .
08048444 <func>:
8048444: 55 push %ebp
8048445: 89 e5 mov %esp,%ebp
8048447: 83 ec 48 sub $0x48,%esp
804844a: 8b 45 08 mov 0x8(%ebp),%eax
804844d: 89 45 d4 mov %eax,-0x2c(%ebp)
8048450: 65 a1 14 00 00 00 mov %gs:0x14,%eax
8048456: 89 45 f4 mov %eax,-0xc(%ebp)
8048459: 31 c0 xor %eax,%eax
804845b: 8b 45 d4 mov -0x2c(%ebp),%eax
804845e: 89 44 24 04 mov %eax,0x4(%esp)
8048462: 8d 45 dc lea -0x24(%ebp),%eax
8048465: 89 04 24 mov %eax,(%esp)
8048468: e8 eb fe ff ff call 8048358 <strcpy@plt>
804846d: 8b 45 f4 mov -0xc(%ebp),%eax
8048470: 65 33 05 14 00 00 00 xor %gs:0x14,%eax
8048477: 74 05 je 804847e <func+0x3a>
8048479: e8 fa fe ff ff call 8048378 <__stack_chk_fail@plt>
804847e: c9 leave
804847f: c3 ret
08048480 <main>:
8048480: 55 push %ebp
8048481: 89 e5 mov %esp,%ebp
8048483: 83 e4 f0 and $0xfffffff0,%esp
8048486: 83 ec 20 sub $0x20,%esp
8048489: c7 44 24 1c 00 00 00 movl $0x0,0x1c(%esp)
8048490: 00
8048491: 8b 45 0c mov 0xc(%ebp),%eax
8048494: 83 c0 04 add $0x4,%eax
8048497: 8b 00 mov (%eax),%eax
8048499: 89 04 24 mov %eax,(%esp)
804849c: e8 a3 ff ff ff call 8048444 <func>
80484a1: c7 44 24 1c 01 00 00 movl $0x1,0x1c(%esp)
80484a8: 00
80484a9: b8 90 85 04 08 mov $0x8048590,%eax
80484ae: 8b 54 24 1c mov 0x1c(%esp),%edx
80484b2: 89 54 24 04 mov %edx,0x4(%esp)
80484b6: 89 04 24 mov %eax,(%esp)
80484b9: e8 aa fe ff ff call 8048368 <printf@plt>
80484be: b8 00 00 00 00 mov $0x0,%eax
80484c3: c9 leave
80484c4: c3 ret
80484c5: 90 nop
80484c6: 90 nop
problem if I insert 00 its consider as (31) ASCII .How I can insert hex values.
... I hope the Que is clear
objdump -w -Mintel :
08048444 <func>:
8048444: 55 push ebp
8048445: 89 e5 mov ebp,esp
8048447: 83 ec 48 sub esp,0x48
804844a: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
804844d: 89 45 d4 mov DWORD PTR [ebp-0x2c],eax
8048450: 65 a1 14 00 00 00 mov eax,gs:0x14
8048456: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
8048459: 31 c0 xor eax,eax
804845b: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
804845e: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
8048462: 8d 45 dc lea eax,[ebp-0x24]
8048465: 89 04 24 mov DWORD PTR [esp],eax
8048468: e8 eb fe ff ff call 8048358 <strcpy@plt>
804846d: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048470: 65 33 05 14 00 00 00 xor eax,DWORD PTR gs:0x14
8048477: 74 05 je 804847e <func+0x3a>
8048479: e8 fa fe ff ff call 8048378 <__stack_chk_fail@plt>
804847e: c9 leave
804847f: c3 ret
08048480 <main>:
8048480: 55 push ebp
8048481: 89 e5 mov ebp,esp
8048483: 83 e4 f0 and esp,0xfffffff0
8048486: 83 ec 20 sub esp,0x20
8048489: c7 44 24 1c 00 00 00 00 mov DWORD PTR [esp+0x1c],0x0
8048491: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
8048494: 83 c0 04 add eax,0x4
8048497: 8b 00 mov eax,DWORD PTR [eax]
8048499: 89 04 24 mov DWORD PTR [esp],eax
804849c: e8 a3 ff ff ff call 8048444 <func>
80484a1: c7 44 24 1c 01 00 00 00 mov DWORD PTR [esp+0x1c],0x1
80484a9: b8 90 85 04 08 mov eax,0x8048590
80484ae: 8b 54 24 1c mov edx,DWORD PTR [esp+0x1c]
80484b2: 89 54 24 04 mov DWORD PTR [esp+0x4],edx
80484b6: 89 04 24 mov DWORD PTR [esp],eax
80484b9: e8 aa fe ff ff call 8048368 <printf@plt>
80484be: b8 00 00 00 00 mov eax,0x0`
You could use
./a.out $(perl -e "print '\x97';")and replace \x97 by the hex you want to use.