All right, so now what we want to do is actually try and exploit this.
In our last run, we just gave it four A's as input and they showed up in memory,
and they seem to be, well, backwards.
And here's our return address right here. We recall that is the next instruction in main to be executed. So we want to overwrite that return address.
We can really just count how many bytes we need. As we'll see in
later exercises, that's not always going to be the case, but we put in four A's before, so that's 1 through 4, then 5,
6, 7, 8, 9. It looks like we need nine bytes of padding
and then, naturally, four bytes to overwrite the return address. In hex, that's two digits per byte.
So nine bytes of padding and then four bytes to overwrite the return address. In this case, we can just count.
So let's run this again. That's run, and then
nine A's and four B's. But eventually we're going to have to use scripting anyway, when we start using a return address that's made of hex instead of just some B's.
So let's go ahead and do that. If we do the dollar sign and then an open parenthesis, we can run a script here. So you could use Python or Perl or any scripting language that the
system knows.
So we're going to use Python for the rest of our exercises, so why don't we use Python here? So do python -c to tell it to run a command,
then open single quotes, and I want to print.
So, of course, print "A" times 9, which is
0x41 nine times, for padding, and then "B" times 4, which will be the next
number in hex, 0x42. Again, you could look at an ASCII chart for that if you
are not familiar with these.
And four B's is going to be overwriting
our return address here, so this should make the program crash. Then we want to close up our
command, so we need a single quote here at the end
and then a close parenthesis, which is going to tell it to execute the script, and whatever the output is is going to be
So in this case, we could have just typed out the A's. But again, we want to turn this into an actual hexadecimal address, and the only way to do it is using scripting. If we just type 08048443, it will take that as individual one-byte characters instead of hexadecimal. So
go ahead and run this. Our breakpoints are still going to be set. We can delete them, or if we restart GDB, they'll go away. But otherwise they will stay, and we want them for now.
Leave them. Go ahead and run it.
All right, so we hit our first breakpoint again. That is in main, so before we call function.
We can examine ESP.
I believe it was 12 bytes. Let's just say 16 again; we'll just do too many.
So 16 hexadecimal words from ESP, and that is the top of main's stack frame.
Notice that we have moved up the stack. So where our last digits are,
whereas previously in main, I believe we were at C0. This is the return address, and this is the top of main's frame. We have moved up the stack some;
that is to be expected. One of the things that makes a difference about where you end up in the stack
is going to be the length of the argument. So since we
did change the length of the argument, we should expect to move somewhat.
It shouldn't change in our next round, since we've got our
13-character input, so we should expect to be in the same place next time.
But that's nothing to worry about.
What we really care about is our offsets, to make sure that our nine A's plus four B's will
overwrite that return address. So as long as our stack frames are the same length and our data is going in the same place inside the stack frame, our addresses don't really matter.
Okay, so let's examine to make sure that our stack frame is the same size. We'll just examine one hexadecimal word from EBP.
This is still main's stack frame; it's still rather short, 12 bytes.
All right, let's go ahead and continue, which will
move us into function where we had our second breakpoint.
We use the up arrow to grab previous commands. I will again look at ESP.
Now we have moved up more.
Notice what hasn't changed here: we still have the return address, 0x08048443.
We can again do a disassemble
main to see that. So here is our call to function.
When that returns, the next address to be executed,
0x08048443, is our return address.
EBP, again. Remember ESP and EBP are now
inside function's stack frame.
Same-size stack frame here.
All right, so let's continue and hit the strcpy. Let that execute;
another breakpoint right after the string copy.
On our stack, we have our 41 over here by itself again, all 41s. Here is where our B's begin, and then where the return address was, we indeed have 42 42 42 42, four uppercase B's. So our offsets are correct, and we have managed to overwrite that return address. What is going to happen now is that
the program will just continue on as it
blindly does. It will get rid of the stack frame here; it will be wound off the stack,
and it would just automatically try and load this address, so load that address into EIP. We can always do info registers; I didn't mention that before. We can do info registers here and see all of our registers.
Again, 42 42 42 42 will be loaded into EIP. Whatever is at that address, if anything, will be executed next after function returns. If 42 42 42 42 is not mapped to an executable portion of memory,
then we will get a segmentation fault and it will crash.
Most likely that's what's going to happen here. There's no rule that says 42 42 42 42 could not be a valid memory address. You may find cases where it will be, so we shouldn't just blindly assume the program's going to crash, but often it will. So let's just go ahead and continue.
This time, we do not get executed normally; it doesn't print out to the screen. We get a segmentation fault, so it's trying to execute 42 42 42 42, and that's not mapped anywhere. So there's no instruction there to be executed. So the program throws up its hands and crashes.
So we've caused a denial-of-service condition. But surely we can do better, right?
So let's see, indeed, if we can.
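As an added illustration that is not part of the lecture transcript: the two things that confuse people at this point are why the bytes look "backwards" in the debugger and why typing the hex digits of an address as text is not the same as supplying the address. Both come down to x86 being little-endian and the shell passing characters, not raw bytes. The Python 3 code below (the lecture itself uses a Python 2 one-liner) packs and unpacks a 4-byte value the way the CPU lays it out, lays out the 9 + 4 byte input the lecture counted, and recovers an address from a GDB-style `x/4xb` dump line. The address 0x08048443 is the one read off the disassembly in the lecture; the dump line is constructed for the example.

```python
import struct

RET_ADDR = 0x08048443   # return address shown in the lecture's disassembly
PADDING = 9             # bytes of padding counted before it in the lecture

# Constructed GDB-style output of "x/4xb <addr>" showing the four bytes of
# RET_ADDR as they sit in memory (little-endian, so they read "backwards").
DUMP_LINE = "0xbffff5cc:\t0x43\t0x84\t0x04\t0x08"


def pack_le(addr):
    """Encode a 32-bit value in the byte order the CPU stores it (little-endian)."""
    return struct.pack("<I", addr)


def unpack_le(raw):
    """Read four memory bytes back as the integer the CPU would load into EIP."""
    return struct.unpack("<I", raw)[0]


def build_input(padding, tail):
    """Padding bytes followed by the 4-byte value that lands on the saved return address."""
    if len(tail) != 4:
        raise ValueError("the overwrite value must be exactly four bytes")
    return b"A" * padding + tail


def as_typed_text(addr):
    """What the shell passes if you type the eight hex digits instead of scripting them."""
    return ("%08x" % addr).encode()


def addr_from_dump(line):
    """Parse a GDB 'x/4xb' style line and return the integer those bytes encode."""
    _, _, rest = line.partition(":")
    raw = bytes(int(tok, 16) for tok in rest.split())
    return unpack_le(raw)


if __name__ == "__main__":
    # The four raw bytes appear reversed in a byte-wise dump...
    print(pack_le(RET_ADDR).hex(" "))                 # 43 84 04 08
    # ...but reading them little-endian gives the address back.
    print(hex(addr_from_dump(DUMP_LINE)))             # 0x8048443
    # The lecture's 13-byte input: nine A's then four B's.
    print(build_input(PADDING, b"B" * 4))
    # Typing the digits yields eight ASCII characters, not four address bytes.
    print(as_typed_text(RET_ADDR), len(as_typed_text(RET_ADDR)))
```

The takeaway for reading stack dumps is that a dump taken with `x/4xb` shows bytes in memory order and must be reversed to get the value, whereas `x/xw` already applies the byte order for you, which is why the lecture's word-wise dumps show 42424242 while a byte-wise dump of the same address would also show 42 42 42 42 only because all four bytes happen to be equal.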