; *************************************************************************
; 32-bit Windows Console Buffer Overflow Program
; Created by Ismael Vazquez (@iamismael_)
;
; Educational demo: an unbounded strcpy into a 16-byte stack buffer inside
; Main overwrites the stack slots above it. Assembler: MASM32 (Intel syntax);
; target: Win32 x86 (32-bit), stdcall default; imports from kernel32/msvcrt.
; *************************************************************************
.386 ; Enable the 80386+ instruction set (plain 32-bit x86 is all this program needs)
.model flat, stdcall ; Flat 32-bit memory model; stdcall is the default convention for the Win32 imports below
option casemap: none ; Symbol names are case-SENSITIVE so they match the Win32 import names exactly
; *************************************************************************
; MASM32 proto types for Win32 functions and structures
; (kernel32.inc supplies ExitProcess; msvcrt.inc covers the C runtime)
; *************************************************************************
include c:\masm32\include\kernel32.inc
include c:\masm32\include\masm32.inc
include c:\masm32\include\msvcrt.inc
; *************************************************************************
; MASM32 object libraries (import libraries matching the includes above)
; *************************************************************************
includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\masm32.lib
includelib c:\masm32\lib\msvcrt.lib
; *************************************************************************
; External function definitions
; *************************************************************************
; char *strcpy(char *dst, const char *src) from msvcrt.
; Declared with the C calling convention: arguments are pushed right-to-left
; and the CALLER removes them after the call (see "add esp, 08h" in Main).
; strcpy performs no bounds check on dst, which is what the demo relies on.
strcpy proto C, :DWORD, :DWORD
; *************************************************************************
; Our data section. arg1 is the oversized source string that Main copies
; into its 16-byte stack buffer; the trailing 00h is the NUL terminator
; strcpy stops at, so the copy writes the full string plus one byte.
; *************************************************************************
.data
arg1 db "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBCCCCC", 00h
; *************************************************************************
; Our executable assembly code starts here in the .code section
; *************************************************************************
.code
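start:
;-------------------------------------------------------------------------
; Main - program entry point. Never returns: exits via ExitProcess(0).
; ABI:   Win32 x86 (MASM32). strcpy is a C-convention import (caller
;        cleans the stack); ExitProcess is stdcall.
; Frame: [ebp-14h]        DWORD var1 = 1337h
;        [ebp-10h .. ebp) char buf[16]  (destination of the strcpy)
;        [ebp]            saved EBP
;        [ebp+4]          return address pushed by the entry point's caller
; Regs:  eax = &buf while setting up the strcpy call. strcpy may clobber
;        eax, ecx, edx (C convention); nothing is needed after it.
; Note:  arg1 is far longer than buf, so strcpy writes past the end of buf
;        into the saved-EBP and return-address slots above it. Because the
;        program exits through ExitProcess rather than returning, the
;        corrupted return address is never used here.
;-------------------------------------------------------------------------
Main Proc
    ; function prologue: establish a frame pointer
    push ebp
    mov ebp, esp
    ; reserve 20 (14h) bytes of stack space for locals:
    ;   4 bytes  = DWORD var1 at [esp]
    ;   16 bytes = char buf[16] at [esp + 4]
    sub esp, 014h
    ; int var1 = 0x1337
    mov dword ptr [esp], 01337h
    ; eax = &buf: the char array starts 4 bytes ABOVE var1 (esp + 4)
    lea eax, dword ptr [esp + 04h]
    ; Mimic a command-line argument: arg1 (72 bytes + NUL) is pushed as src
    push offset arg1
    ; pass our destination buffer to strcpy as dst
    push eax
    ; strcpy(buf, arg1). No bounds check is performed; a copy bounded by the
    ; size of buf (e.g. lstrcpyn from kernel32, already included) would be
    ; the fix if this were production code rather than a demo.
    call strcpy
    ; C calling convention: the caller clears the two DWORD arguments
    add esp, 08h
    ; function epilogue: release the locals FIRST, then restore saved EBP.
    ; The previous order (pop ebp, then mov esp, ebp) popped var1 (1337h)
    ; into EBP while ESP still pointed at it, then set ESP = 1337h, so the
    ; following push would fault regardless of the overflow.
    mov esp, ebp
    pop ebp
    ; exit: ExitProcess(0) does not return, so the trailing ret is never reached
    push 0h
    call ExitProcess
    ret
Main EndP
end start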