  1. 32-bit stack buffer overflow (gdb session)
  2.  
  3. Dump of assembler code for function main:
  4. 0x0804850e <+0>: lea 0x4(%esp),%ecx
  5. 0x08048512 <+4>: and $0xfffffff0,%esp
  6. 0x08048515 <+7>: pushl -0x4(%ecx)
  7. 0x08048518 <+10>: push %ebp
  8. 0x08048519 <+11>: mov %esp,%ebp
  9. 0x0804851b <+13>: push %ecx
  10. 0x0804851c <+14>: sub $0x14,%esp
  11. 0x0804851f <+17>: mov %gs:0x14,%eax
  12. 0x08048525 <+23>: mov %eax,-0xc(%ebp)
  13. 0x08048528 <+26>: xor %eax,%eax
  14. 0x0804852a <+28>: call 0x80484cb <func>
  15. 0x0804852f <+33>: movl $0x1,-0x10(%ebp)
  16. 0x08048536 <+40>: sub $0x8,%esp
  17. 0x08048539 <+43>: lea -0x10(%ebp),%eax
  18. 0x0804853c <+46>: push %eax
  19. 0x0804853d <+47>: push $0x80485f0
  20. 0x08048542 <+52>: call 0x8048370 <printf@plt>
  21. 0x08048547 <+57>: add $0x10,%esp
  22. 0x0804854a <+60>: mov $0x0,%eax
  23. 0x0804854f <+65>: mov -0xc(%ebp),%edx
  24. 0x08048552 <+68>: xor %gs:0x14,%edx
  25. 0x08048559 <+75>: je 0x8048560 <main+82>
  26. ---Type <return> to continue, or q <return> to quit---
  27. 0x0804855b <+77>: call 0x8048390 <__stack_chk_fail@plt>
  28. 0x08048560 <+82>: mov -0x4(%ebp),%ecx
  29. 0x08048563 <+85>: leave
  30. 0x08048564 <+86>: lea -0x4(%ecx),%esp
  31. 0x08048567 <+89>: ret
  32. End of assembler dump.
  33. (gdb) break *0x08048518
  34. Breakpoint 1 at 0x8048518: file overflow.c, line 11.
  35. (gdb) break *0x08048519
  36. Breakpoint 2 at 0x8048519: file overflow.c, line 11.
  37. (gdb) break *0x0804851b
  38. Breakpoint 3 at 0x804851b: file overflow.c, line 11.
  39. (gdb) break *0x0804851c
  40. Breakpoint 4 at 0x804851c: file overflow.c, line 11.
  41. (gdb) break *0x0804851f
  42. Breakpoint 5 at 0x804851f: file overflow.c, line 11.
  43. (gdb) break *0x0804852a
  44. Breakpoint 6 at 0x804852a: file overflow.c, line 12.
  45. (gdb) run
  46. Starting program: /home/haydar/Desktop/overflow
  47.  
  48. Breakpoint 1, 0x08048518 in main () at overflow.c:11
  49. 11 int main() {
  50. (gdb) i r
  51. eax 0xb7fbedbc -1208226372
  52. ecx 0xbffff170 -1073745552
  53. edx 0xbffff194 -1073745516
  54. ebx 0x0 0
  55. esp 0xbffff15c 0xbffff15c
  56. ebp 0x0 0x0
  57. esi 0x1 1
  58. edi 0xb7fbd000 -1208233984
  59. eip 0x8048518 0x8048518 <main+10>
  60. eflags 0x286 [ PF SF IF ]
  61. cs 0x73 115
  62. ss 0x7b 123
  63. ds 0x7b 123
  64. es 0x7b 123
  65. fs 0x0 0
  66. gs 0x33 51
  67. (gdb) disass main
  68. Dump of assembler code for function main:
  69. 0x0804850e <+0>: lea 0x4(%esp),%ecx
  70. 0x08048512 <+4>: and $0xfffffff0,%esp
  71. 0x08048515 <+7>: pushl -0x4(%ecx)
  72. => 0x08048518 <+10>: push %ebp
  73. 0x08048519 <+11>: mov %esp,%ebp
  74. 0x0804851b <+13>: push %ecx
  75. 0x0804851c <+14>: sub $0x14,%esp
  76. 0x0804851f <+17>: mov %gs:0x14,%eax
  77. 0x08048525 <+23>: mov %eax,-0xc(%ebp)
  78. 0x08048528 <+26>: xor %eax,%eax
  79. 0x0804852a <+28>: call 0x80484cb <func>
  80. 0x0804852f <+33>: movl $0x1,-0x10(%ebp)
  81. 0x08048536 <+40>: sub $0x8,%esp
  82. 0x08048539 <+43>: lea -0x10(%ebp),%eax
  83. 0x0804853c <+46>: push %eax
  84. 0x0804853d <+47>: push $0x80485f0
  85. 0x08048542 <+52>: call 0x8048370 <printf@plt>
  86. 0x08048547 <+57>: add $0x10,%esp
  87. 0x0804854a <+60>: mov $0x0,%eax
  88. 0x0804854f <+65>: mov -0xc(%ebp),%edx
  89. 0x08048552 <+68>: xor %gs:0x14,%edx
  90. 0x08048559 <+75>: je 0x8048560 <main+82>
  91. ---Type <return> to continue, or q <return> to quit---q
  92. Quit
  93. (gdb) x/20x $ebp
  94. 0x0: Cannot access memory at address 0x0
  95. (gdb) x/20x $esp
  96. 0xbffff15c: 0xb7e1f276 0x00000001 0xb7fbd000 0x00000000
  97. 0xbffff16c: 0xb7e1f276 0x00000001 0xbffff204 0xbffff20c
  98. 0xbffff17c: 0x00000000 0x00000000 0x00000000 0xb7fbd000
  99. 0xbffff18c: 0xb7fffc04 0xb7fff000 0x00000000 0x00000001
  100. 0xbffff19c: 0xb7fbd000 0x00000000 0xbbd9de2c 0x87df523c
  101. (gdb) cont
  102. Continuing.
  103.  
  104. Breakpoint 2, 0x08048519 in main () at overflow.c:11
  105. 11 int main() {
  106. (gdb) x/20x $ebp
  107. 0x0: Cannot access memory at address 0x0
  108. (gdb) x/20x $esp
  109. 0xbffff158: 0x00000000 0xb7e1f276 0x00000001 0xb7fbd000
  110. 0xbffff168: 0x00000000 0xb7e1f276 0x00000001 0xbffff204
  111. 0xbffff178: 0xbffff20c 0x00000000 0x00000000 0x00000000
  112. 0xbffff188: 0xb7fbd000 0xb7fffc04 0xb7fff000 0x00000000
  113. 0xbffff198: 0x00000001 0xb7fbd000 0x00000000 0xbbd9de2c
  114. (gdb) cont
  115. Continuing.
  116.  
  117. Breakpoint 3, 0x0804851b in main () at overflow.c:11
  118. 11 int main() {
  119. (gdb) disass main
  120. Dump of assembler code for function main:
  121. 0x0804850e <+0>: lea 0x4(%esp),%ecx
  122. 0x08048512 <+4>: and $0xfffffff0,%esp
  123. 0x08048515 <+7>: pushl -0x4(%ecx)
  124. 0x08048518 <+10>: push %ebp
  125. 0x08048519 <+11>: mov %esp,%ebp
  126. => 0x0804851b <+13>: push %ecx
  127. 0x0804851c <+14>: sub $0x14,%esp
  128. 0x0804851f <+17>: mov %gs:0x14,%eax
  129. 0x08048525 <+23>: mov %eax,-0xc(%ebp)
  130. 0x08048528 <+26>: xor %eax,%eax
  131. 0x0804852a <+28>: call 0x80484cb <func>
  132. 0x0804852f <+33>: movl $0x1,-0x10(%ebp)
  133. 0x08048536 <+40>: sub $0x8,%esp
  134. 0x08048539 <+43>: lea -0x10(%ebp),%eax
  135. 0x0804853c <+46>: push %eax
  136. 0x0804853d <+47>: push $0x80485f0
  137. 0x08048542 <+52>: call 0x8048370 <printf@plt>
  138. 0x08048547 <+57>: add $0x10,%esp
  139. 0x0804854a <+60>: mov $0x0,%eax
  140. 0x0804854f <+65>: mov -0xc(%ebp),%edx
  141. 0x08048552 <+68>: xor %gs:0x14,%edx
  142. 0x08048559 <+75>: je 0x8048560 <main+82>
  143. ---Type <return> to continue, or q <return> to quit---q
  144. Quit
  145. (gdb) x/20x $ebp
  146. 0xbffff158: 0x00000000 0xb7e1f276 0x00000001 0xb7fbd000
  147. 0xbffff168: 0x00000000 0xb7e1f276 0x00000001 0xbffff204
  148. 0xbffff178: 0xbffff20c 0x00000000 0x00000000 0x00000000
  149. 0xbffff188: 0xb7fbd000 0xb7fffc04 0xb7fff000 0x00000000
  150. 0xbffff198: 0x00000001 0xb7fbd000 0x00000000 0xbbd9de2c
  151. (gdb) x/20x $esp
  152. 0xbffff158: 0x00000000 0xb7e1f276 0x00000001 0xb7fbd000
  153. 0xbffff168: 0x00000000 0xb7e1f276 0x00000001 0xbffff204
  154. 0xbffff178: 0xbffff20c 0x00000000 0x00000000 0x00000000
  155. 0xbffff188: 0xb7fbd000 0xb7fffc04 0xb7fff000 0x00000000
  156. 0xbffff198: 0x00000001 0xb7fbd000 0x00000000 0xbbd9de2c
  157. (gdb) cont
  158. Continuing.
  159.  
  160. Breakpoint 4, 0x0804851c in main () at overflow.c:11
  161. 11 int main() {
  162. (gdb) x/20x $ebp
  163. 0xbffff158: 0x00000000 0xb7e1f276 0x00000001 0xb7fbd000
  164. 0xbffff168: 0x00000000 0xb7e1f276 0x00000001 0xbffff204
  165. 0xbffff178: 0xbffff20c 0x00000000 0x00000000 0x00000000
  166. 0xbffff188: 0xb7fbd000 0xb7fffc04 0xb7fff000 0x00000000
  167. 0xbffff198: 0x00000001 0xb7fbd000 0x00000000 0xbbd9de2c
  168. (gdb) x/20x $esp
  169. 0xbffff154: 0xbffff170 0x00000000 0xb7e1f276 0x00000001
  170. 0xbffff164: 0xb7fbd000 0x00000000 0xb7e1f276 0x00000001
  171. 0xbffff174: 0xbffff204 0xbffff20c 0x00000000 0x00000000
  172. 0xbffff184: 0x00000000 0xb7fbd000 0xb7fffc04 0xb7fff000
  173. 0xbffff194: 0x00000000 0x00000001 0xb7fbd000 0x00000000
  174. (gdb) cont
  175. Continuing.
  176.  
  177. Breakpoint 5, main () at overflow.c:11
  178. 11 int main() {
  179. (gdb) x/20x $ebp
  180. 0xbffff158: 0x00000000 0xb7e1f276 0x00000001 0xb7fbd000
  181. 0xbffff168: 0x00000000 0xb7e1f276 0x00000001 0xbffff204
  182. 0xbffff178: 0xbffff20c 0x00000000 0x00000000 0x00000000
  183. 0xbffff188: 0xb7fbd000 0xb7fffc04 0xb7fff000 0x00000000
  184. 0xbffff198: 0x00000001 0xb7fbd000 0x00000000 0xbbd9de2c
  185. (gdb) x/20x $esp
  186. 0xbffff140: 0x00000001 0xbffff204 0xbffff20c 0x08048591
  187. 0xbffff150: 0xb7fbd3dc 0xbffff170 0x00000000 0xb7e1f276
  188. 0xbffff160: 0x00000001 0xb7fbd000 0x00000000 0xb7e1f276
  189. 0xbffff170: 0x00000001 0xbffff204 0xbffff20c 0x00000000
  190. 0xbffff180: 0x00000000 0x00000000 0xb7fbd000 0xb7fffc04
  191. (gdb) cont
  192. Continuing.
  193.  
  194. Breakpoint 6, main () at overflow.c:12
  195. 12 func();
  196. (gdb) x/20x $ebp
  197. 0xbffff158: 0x00000000 0xb7e1f276 0x00000001 0xb7fbd000
  198. 0xbffff168: 0x00000000 0xb7e1f276 0x00000001 0xbffff204
  199. 0xbffff178: 0xbffff20c 0x00000000 0x00000000 0x00000000
  200. 0xbffff188: 0xb7fbd000 0xb7fffc04 0xb7fff000 0x00000000
  201. 0xbffff198: 0x00000001 0xb7fbd000 0x00000000 0xbbd9de2c
  202. (gdb) x/20x $esp
  203. 0xbffff140: 0x00000001 0xbffff204 0xbffff20c 0xfd0ea200
  204. 0xbffff150: 0xb7fbd3dc 0xbffff170 0x00000000 0xb7e1f276
  205. 0xbffff160: 0x00000001 0xb7fbd000 0x00000000 0xb7e1f276
  206. 0xbffff170: 0x00000001 0xbffff204 0xbffff20c 0x00000000
  207. 0xbffff180: 0x00000000 0x00000000 0xb7fbd000 0xb7fffc04
  208. (gdb) cont
  209. Continuing.
  210. AAAAAAAAAABBBBBBBBBB //10-byte buffer; the 'B's overrun it
  211. AAAAAAAAAABBBBBBBBBB //printf
  212. *** stack smashing detected ***: /home/haydar/Desktop/overflow terminated
  213.  
  214. Program received signal SIGABRT, Aborted.
  215. 0xb7fd9d05 in __kernel_vsyscall ()
  216. (gdb)