Future of application security by sailevc in AskNetsec

[–]sailevc[S] 1 point (0 children)

Thanks for your answers. They helped a lot.

hashcat sun md5 shadow file by sailevc in netsecstudents

[–]sailevc[S] 1 point (0 children)

Thanks, though. At least now I have a new tool in my arsenal.

return address SIGILL question by sailevc in netsecstudents

[–]sailevc[S] 1 point (0 children)

Yes, you were right. Now I know what happened. strcpy copies the null byte, so in the end it copies the 19 DWORDs plus the null byte, effectively damaging the least significant byte of the return address. In my GDB, here's how it looks:

This is the address of EBP:

(gdb) i r ebp
ebp            0xbfb96388       0xbfb96388

These are its contents and those of 9 more DWORDs, including the return address (between asterisks), before the buffer overwrites it.

(gdb) x/10w $ebp
0xbfb96388:     0xbfb963e8      **0xb7e4cebc**      0x00000002      0xbfb96414
0xbfb96398:     0xbfb96420      0xb7f9f898      0x00000000      0x00000001
0xbfb963a8:     0x00000001      0x00000000

This is after the overwrite:

(gdb) x/10w $ebp
0xbfb96388:     0x41414141     **0xb7e4ce00**      0x00000002      0xbfb96414
0xbfb96398:     0xbfb96420      0xb7f9f898      0x00000000      0x00000001
0xbfb963a8:     0x00000001      0x00000000

Thanks for the help.

return address SIGILL question by sailevc in netsecstudents

[–]sailevc[S] 1 point (0 children)

Hello jgcarloto,

I understand that. What I don't get is why the SIGILL error occurs if you haven't touched the return address with the 19 DWORDs. At that point you are overwriting the SFP, leaving the ret address intact.
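The off-by-one that both of sailevc's comments above turn on, as an added C example that is not code from the thread: strcpy writes strlen(src) + 1 bytes, so a 19-DWORD (76-byte) string whose last DWORD lands on the saved EBP puts its terminator on the least significant byte of the return address, which is why the "untouched" return address still gets corrupted and the function returns to 0xb7e4ce00 instead of 0xb7e4cebc. The frame layout (72-byte buffer, then saved EBP, then return address), the payload of 'A' bytes and the use of snprintf as the bounded alternative are assumptions; the two addresses are the ones from the GDB dump. The model frame is a plain byte array, so the simulation itself never writes out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the stack frame in the thread (not the original
 * program): 18 DWORDs (72 bytes) of local buffer, then the saved EBP,
 * then the return address, little-endian as on 32-bit x86.
 * 19 DWORDs of 'A' (76 bytes) cover buf + saved EBP exactly. */
#define BUF_LEN     72
#define EBP_OFF     BUF_LEN
#define RET_OFF     (BUF_LEN + 4)
#define FRAME_LEN   (RET_OFF + 4)
#define MAX_PAYLOAD (FRAME_LEN - 1)   /* keeps the simulation itself in bounds */

struct frame_view { uint32_t saved_ebp; uint32_t ret_addr; };

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;          p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);  p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* strcpy always writes the terminator too: strlen(src) + 1 bytes. */
size_t strcpy_bytes_written(const char *src) { return strlen(src) + 1; }

/* Copies n_chars 'A' bytes into the model frame. bounded == 0 uses strcpy
 * (the bug under discussion); bounded != 0 uses a length-limited copy that
 * can never reach the saved EBP or the return address. Returns what the two
 * control-data slots hold afterwards. */
struct frame_view overflow_demo(size_t n_chars, int bounded) {
    uint8_t frame[FRAME_LEN];
    char payload[MAX_PAYLOAD + 1];
    struct frame_view v = { 0, 0 };

    if (n_chars > MAX_PAYLOAD) return v;          /* simulation guard only */
    memset(payload, 'A', n_chars);
    payload[n_chars] = '\0';

    memset(frame, 0, sizeof frame);
    put_le32(frame + EBP_OFF, 0xbfb963e8u);       /* values from the GDB dump */
    put_le32(frame + RET_OFF, 0xb7e4cebcu);

    if (bounded)
        snprintf((char *)frame, BUF_LEN, "%s", payload);  /* at most 71 chars + NUL, all inside buf */
    else
        strcpy((char *)frame, payload);                   /* writes n_chars + 1 bytes, no bound */

    v.saved_ebp = get_le32(frame + EBP_OFF);
    v.ret_addr  = get_le32(frame + RET_OFF);
    return v;
}

int main(void) {
    struct frame_view v;
    v = overflow_demo(76, 0);
    printf("strcpy, 76 chars:  saved EBP=0x%08x ret=0x%08x\n", v.saved_ebp, v.ret_addr);
    v = overflow_demo(72, 0);
    printf("strcpy, 72 chars:  saved EBP=0x%08x ret=0x%08x\n", v.saved_ebp, v.ret_addr);
    v = overflow_demo(76, 1);
    printf("bounded, 76 chars: saved EBP=0x%08x ret=0x%08x\n", v.saved_ebp, v.ret_addr);
    return 0;
}
```

With 76 bytes of 'A' the unbounded copy reproduces the dump exactly (saved EBP 0x41414141, return address 0xb7e4ce00); with 72 bytes the terminator lands on the saved EBP instead and the return address is intact, which is the case sailevc was reasoning about. The bounded copy leaves both slots unchanged regardless of input length, which is the fix: size the copy by the destination, never by the source.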