ex:vcode:start

ex:vcode:start [2023/03/09 06:40] titannetex:vcode:start [2023/07/31 05:51] (current) titannet
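--- a/ex:vcode:start
+++ b/ex:vcode:start
@@ -16,10 +16,10 @@
 }
 
-<code>
+</code>
 
 ====== Stack 1 ======
 
-
-<code c>
+<file example1.c c>
+
 #include <stdio.h>
 #include <string.h>
@@ -27,5 +26,5 @@
  
 
-char buffer[50];
+char buffer[20];
 
 int copy_buffer(char *input_buffer) {
@@ -53,5 +52,27 @@
 }
        
+</file>
+
+===== Walkthrough Windbg =====
+
+<code bash>
+cl.exe /Zi /GS- /EH-
+# debugging symbols, no stack security, no seh (not working??)
+
+bp $exentry (if no symbols)
+bp example1!main
+# F5
+# debug -> make sure that source mode is unchecked
+
+# x86 calling convention: parameter 1-3 on stack
+# x86 function prolog: push ebp, mov ebp, esp
+# [ebp+8] == local variable
+
+# dd esp -> first address on stack == return pointer
+# dd ebp -> old base pointer
+# dd poi(ebp+8)
+
 </code>
+
 
 
@@ -120,6 +141,60 @@
 
 
+</code>
 
 
+====== Heap2-2 ======
+
+
+<code c>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>
+#include <stdio.h>
+
+// Use after free example, original code from https://exploit.education
+
+#define SERVICE_SIZE 32
+
+struct AuthStruct {
+  char name[32];
+  int is_authenticated;
+};
+
+struct AuthStruct *auth;
+char *service;
+
+int main(int argc, char **argv)
+{
+  char line[128];
+
+  while(1) {
+    printf("[ auth = %p, service = %p ]\n", auth, service);
+    if(fgets(line, sizeof(line), stdin) == NULL) break;
+    
+    if(strncmp(line, "user ", 5) == 0) {
+      auth = malloc(sizeof(*auth));
+      memset(auth, 0, sizeof(*auth));
+      if(strlen(line + 5) < 31) {
+        strcpy(auth->name, line + 5);
+      }
+    }
+    if(strncmp(line, "reset", 5) == 0) {
+      free(auth);
+    }
+    if(strncmp(line, "service", 6) == 0) {
+      service = malloc(SERVICE_SIZE);
+      strcpy(service, line+7);
+    }
+    if(strncmp(line, "login", 5) == 0) {
+      if(auth->is_authenticated) {
+        printf("you have logged in already!\n");
+      } else {
+        printf("please enter your password\n");
+      }
+    }
+  }
+}
 
 </code>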
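Review bot: The Heap2-2 listing does not mark which lines carry the defects the exercise is about, so a reader cannot separate the intended bugs from incidental ones; a comment on each would make the teaching point explicit, e.g. on `free(auth);` write `// auth keeps its freed address: the dangling pointer that "login" later dereferences` and on `strcpy(service, line+7);` write `// unbounded copy from a 128-byte line into a SERVICE_SIZE (32) byte block`. Two further points look incidental rather than intended and deserve a sentence in the page text: `strncmp(line, "service", 6)` compares only six characters, and a "login" issued before any "user" dereferences a NULL `auth` because `malloc` is never checked. In the Windbg walkthrough the `(not working??)` remark on the `/EH-` line should state whether the switch is required for the exercise, otherwise readers will copy an option the author could not verify.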
  
ex/vcode/start.1678340444.txt.gz · Last modified: 2023/03/09 06:40 by titannet
