Comments:
<0> ok
<0> you need to store the string of what shell command you want to run somewhere
<0> then
<0> you push that address onto the stack
<1> no no :)
<0> and call system
<1> that's exactly what i'm trying to do
<1> i'm overflowing eip
<0> oh
<1> and writing shellcode
<0> heh someone might bitch at you for asking about that here
<0> ok well in any case
<1> hard to find people with some knowledge on that online
<1> :)
<0> if you want system("pause"); to be called once the program has returned into the abused stack frame
<0> you'll still need to store "pause" (string) somewhere, push the address, then call system
<0> but
<0> you'll need to set the eip to the address of the push string instruction
<1> ok
<0> also
<1> u mean something with push esp ?
<0> it would be a good idea to have something after the call to system, so that when system returns you don't have too much unpredictable behaviour
<0> if the string is already somewhere accessible on the stack, then yes
<1> too bad it's not
<1> and with this win it's all headache
<0> then you'll prob. need to include the string somewhere in your shellcode
<1> yeah
<1> nix/nux is fun just... AAA+adr+shellcode
<0> you're exploiting a buffer overflow?
<1> yes
<1> not in a real prog but
<0> fmt strings bugs can be easier to play with
<1> practice test
<1> heh
<1> was following a book tutorial
<1> but stuck on the asm part
<1> u know any other way to do this ?
<1> push PAUSE ...
<0> hmm another way to get the argument to the function, without using the stack?
<1> pushing arguments into it the other way
<1> in asm i mean
<0> i don't, because the function is very likely to be hard coded to look to the stack for arguments
<0> but
<0> you could put them there manually
<0> with mov and some careful calculation instead of using push
<1> hmm
<1> 004012BA |. C70424 0030400>MOV DWORD PTR SS:[ESP],code.00403000 ; |ASCII "PAUSE"
<1> 004012C1 |. E8 3A050000 CALL <JMP.&msvcrt.system> ; \system
<1> 004012C6 |. B8 00000000 MOV EAX,0
<1> here's the function
<1> leave
<1> ret
<1> follows
<1> how would u mov ?
<0> kinda like how the disassembly shows i guess
<0> mov ss:[esp], pause-string-address
<0> but... i guess if you used it exactly like that
<0> you'd need to do it just before the call
<1> isn't MOV moving "PAUSE" into memory in this case ?
<1> and then calls system ?
<1> so (mov memory pause)
<0> the stack is just an arbitrary region of memory, so yes
<1> call (address) ?
<1> so then mov ss:[esp],PAUSE
<1> CALL 0xaddress ?
<1> MOV EAX,0
<0> mov eax, 0 for your return value (of 0)?
<1> bad idea
<1> except that everything i try comes with Error: too many memory references for `mov/push'
<0> well
<0> did you try using ';
<0> ';'
<0> to separate your instructions in the inline asm?
<1> i separate with \ but ; gives same error
<0> i think you should try the at&t syntax
<0> i don't think it likes intel's much
<0> this might help
<0> http://sig9.com/articles/att-syntax
<1> weird
<1> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccUxaaaa.s:21: Error: junk `F5E0F mov %eax' after expression
<1> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccUxaaaa.s:21: Error: junk `call %eax' after expression
<1> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccUxaaaa.s:21: Error: suffix or operands invalid for `push'
<0> what's the source look like?
<1> http://authors.aspalliance.com/aylar/ViewPasteCode.aspx?PasteCodeID=5781
<1> all of them fail
<0> ok
<0> push (and pop) only take(s) one operand
<0> also
<1> i had some with only one
<0> i saw that, and also if you really must put the addr of system into %eax
<0> try call (%eax)
<0> but
<0> i'd just hardcode the addr as call's operand
<0> also
<0> for at&t syntax, you give hex numbers as 0x5f5e0f for example
<0> with '$' to say it's an immediate value
<0> so $0x5f5e0f
<1> tried that
<1> same
<1> ($eax)
<1> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccaWaaaa.s:21: Error: junk `F5E0F mov %eax' after expression
<1> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccaWaaaa.s:21: Error: junk `call (%eax)' after expression
<1> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccaWaaaa.s:21: Error: suffix or operands invalid for `push'
<1> (%eax)
<0> ok
<0> this 5f5e0f
<0> is this an address of the string that's supposed to read "pause"?
<1> it's sleep in kernel32.dll
<1> wait
<1> 5F5E0F = 99999999
<1> as in
<1> sleep(99999999);
<1> diff command
<0> ah
<1> same errors
<0> pushl $0x5f5e0f
<0> call $0x7C41AC6E
<0> dunno what kinda type/size of number sleep expects, but the result could be interesting
<1> it is
<1> Error: junk `call $0x7C41AC6E' after expression
<1> :)
<0> heh ok
<0> __asm__("pushl $0x5f5e0f ; call $0x7C41AC6E");
<1> now i get
<1> Error: suffix or operands invalid for `call'
<1> wow
<1> i did it
<1> 0x7C41AC6E
<1> remove $
<1> ^^
<0> well done
<1> :)
<1> thnx for ur help
<0> np
<1> back to reading "buffer overflow attacks"
<2> Idona27 dcc spam bot
<2> +is a
<3> thanks
<4> dbtid: Seriously - you know where TCA is?
<5> i don't even know what tca is
<5> lol