Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lecture cpp level cpp_lec02 not exploitable? #37

Open
soffensive opened this issue Feb 19, 2018 · 0 comments
Open

Lecture cpp level cpp_lec02 not exploitable? #37

soffensive opened this issue Feb 19, 2018 · 0 comments

Comments

@soffensive
Copy link

soffensive commented Feb 19, 2018

It seems the binary cannot be exploited as intended:

0x08048b6d <+0>: push ebp
0x08048b6e <+1>: mov ebp,esp
0x08048b70 <+3>: and esp,0xfffffff0
0x08048b73 <+6>: sub esp,0x60
0x08048b76 <+9>: mov eax,DWORD PTR [ebp+0xc]
0x08048b79 <+12>: mov DWORD PTR [esp+0xc],eax
0x08048b7d <+16>: mov eax,gs:0x14
0x08048b83 <+22>: mov DWORD PTR [esp+0x5c],eax
0x08048b87 <+26>: xor eax,eax
0x08048b89 <+28>: lea eax,[esp+0x18]
0x08048b8d <+32>: mov DWORD PTR [esp],eax
0x08048b90 <+35>: call 0x8048cd6 <_ZN7GreeterC2Ev>
0x08048b95 <+40>: mov DWORD PTR [esp],0x8048d9c
0x08048b9c <+47>: call 0x8048a40 printf@plt
0x08048ba1 <+52>: call 0x8048c74 <_Z9doNothingv>
0x08048ba6 <+57>: lea eax,[esp+0x1c]
0x08048baa <+61>: mov DWORD PTR [esp],eax
0x08048bad <+64>: call 0x80489f0 gets@plt
0x08048bb2 <+69>: mov DWORD PTR [esp+0x4],0x8048dd9
0x08048bba <+77>: lea eax,[esp+0x1c]
0x08048bbe <+81>: mov DWORD PTR [esp],eax
0x08048bc1 <+84>: call 0x8048a60 strcmp@plt
0x08048bc6 <+89>: test eax,eax
0x08048bc8 <+91>: jne 0x8048bdd <main+112>
0x08048bca <+93>: lea eax,[esp+0x18]
0x08048bce <+97>: mov DWORD PTR [esp],eax
0x08048bd1 <+100>: call 0x8048bf6 <_Z5greetP7Greeter>
0x08048bd6 <+105>: mov eax,0x0
0x08048bdb <+110>: jmp 0x8048be2 <main+117>
0x08048bdd <+112>: mov eax,0x1
0x08048be2 <+117>: mov edx,DWORD PTR [esp+0x5c]
0x08048be6 <+121>: xor edx,DWORD PTR gs:0x14
0x08048bed <+128>: je 0x8048bf4 <main+135>
0x08048bef <+130>: call 0x8048a50 __stack_chk_fail@plt
0x08048bf4 <+135>: leave
0x08048bf5 <+136>: ret

The buffer is allocated at esp+0x1c and has a size of 0x40 (64 bytes) and thus extend up to 0x5c.
Yet, the only thing we can overflow is the stack cookie at 0x5c, how is it possible to overwrite the vtable pointer, which is allocated at 0x18?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant