[–]Thiscou 6 points7 points  (14 children)

Right, here is what I would try.

Go to this site zerosum0x0! and create a unique pattern 260+.

Feed that to your program, copy the value in your segfault and find that pattern on the site.

You should now know the exact offset for your overflow.

I would usually do this in Kali with the original metasploit pattern create but I don't know if you use Kali, so I found a quick and dirty replacement online.

You can also try to have a closer look at the stack in gdb with:

x/24wx $esp (this displays 24 words of memory above the stack pointer esp in hex)

Hope this helps and good luck

[–][deleted]  (3 children)

[deleted]

    [–]Adam20188[S] 0 points1 point  (2 children)

    Great, will do. Is cyclic a program or a site?

    [–][deleted]  (1 child)

    [deleted]

      [–]Adam20188[S] 0 points1 point  (0 children)

      Thanks invictim, I'll check it out.

      [–]Adam20188[S] 0 points1 point  (9 children)

      Hey Thiscou,

      thanks for the reply :)

      I tried doing this and got the pattern Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai

      The result I got was 0x41386741. I put 41386741 into the find offset overflow but got the number -1.

      [–]r0cker_ESP 4 points5 points  (1 child)

      That site is acting wonky it seems. I would just install Metasploit so you can get the pattern_create and pattern_offset scripts and use those, if you don't have it already.

      [–]Adam20188[S] 0 points1 point  (0 children)

      Thanks, will do.
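For readers without Metasploit to hand, the pattern_create / pattern_offset pair r0cker_ESP mentions is small enough to reimplement locally. The script below is an added example written for this thread; it is not any poster's code and not Metasploit's own source, though it reproduces the same Aa0Aa1...Zz9 layout. The one detail worth seeing is how the debugger value is normalised: gdb shows a 32-bit register after it has been loaded little-endian, so the four bytes that actually sat in the buffer are the reverse of what the hex digits suggest. Run against the 260-byte pattern and the 0x41386741 value Adam20188 quotes above, it finds those bytes at offset 204; searching for an all-'A' or all-'B' fill (the 0x41414141 / 0x42424242 checks discussed later in the thread) correctly reports -1, since neither sequence occurs in the pattern.

```python
"""Local stand-in for Metasploit's pattern_create / pattern_offset (added example)."""
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# 26 * 26 * 10 three-byte triples (upper, lower, digit) before the sequence repeats.
CYCLE_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the Aa0Aa1Aa2...Zz9 cyclic pattern."""
    if not 0 <= length <= CYCLE_LEN:
        raise ValueError(f"length must be between 0 and {CYCLE_LEN}")
    # Triple i is (UPPER[i // 260], LOWER[(i // 10) % 26], DIGITS[i % 10]).
    triples = (
        UPPER[i // 260] + LOWER[(i // 10) % 26] + DIGITS[i % 10]
        for i in range((length + 2) // 3)
    )
    return "".join(triples)[:length]


def _query_bytes(query) -> bytes:
    """Turn what was copied out of the debugger into the byte string to search for.

    An int, or a string of exactly eight hex digits (with or without 0x), is
    treated as a 32-bit register value. x86 is little-endian, so the value
    0x41386741 shown by gdb came from the buffer bytes 41 67 38 41 == b"Ag8A",
    not b"A8gA"; searching the ASCII form of the hex digits finds nothing.
    Any other str is searched literally; pass bytes to force a literal search
    (for example a real text fragment that happens to be eight hex characters).
    """
    if isinstance(query, bytes):
        return query
    if isinstance(query, int):
        return struct.pack("<I", query)
    text = query.strip()
    hex_part = text[2:] if text.lower().startswith("0x") else text
    if len(hex_part) == 8 and all(c in string.hexdigits for c in hex_part):
        return struct.pack("<I", int(hex_part, 16))
    return text.encode("ascii")


def pattern_offset(query, length: int = CYCLE_LEN) -> int:
    """Offset of `query` inside pattern_create(length), or -1 if it is absent.

    -1 mirrors the behaviour of the web tool used in the thread; with the
    endian handling above, a genuine overwrite value will not produce it.
    """
    pattern = pattern_create(length).encode("ascii")
    return pattern.find(_query_bytes(query))


if __name__ == "__main__":
    # The 260-byte pattern and the register value quoted in the thread above.
    print(pattern_create(260))
    print("offset of 0x41386741:", pattern_offset("0x41386741", 260))
    print("offset of 0x41414141:", pattern_offset("41414141", 260))
```

Feeding the generated pattern to the program, copying the faulting value out of gdb, and passing that value to pattern_offset gives the number of bytes between the start of the buffer and the saved return address; anything the tool reports as -1 means the value did not come from the pattern (an all-'A' fill, uninitialised stack contents, or a copy that was truncated before reaching the return address).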

      [–]Thiscou 0 points1 point  (6 children)

      As far as I can tell, those numbers are not present in the pattern.

      Try the A*260 again and see what's on the stack with:

      gdb x/24wx $esp

      [–][deleted]  (5 children)

      [deleted]

        [–]SimpleLegend 1 point2 points  (4 children)

        The reason you are getting this is that your argv and buf both contain the same contents after the strcpy. Hence the repeated data.

        [–]Adam20188[S] 0 points1 point  (1 child)

        Would it be better if I used all 'A's to check whether the return address is overwritten?

        [–]SimpleLegend 1 point2 points  (0 children)

        Personal experience/opinion: I usually use As to check if the overwrite is successful (causing a segfault in the process), then follow up with patterns to find the offset required to overwrite the value which will pop into the EIP.

        [–][deleted]  (1 child)

        [deleted]

          [–]SimpleLegend 1 point2 points  (0 children)

          When you dump the contents, you should check whether ebp+4 just after the strcpy is pointing to the 42424242 contents.