0

I have the below assembly code global _start 

section .text

_start:
    jmp call
pop:
    pop ecx                     ; ECX = address of hello
    xor eax, eax                ; EAX = 0
    xor al, al                   ; EAX = 4 (int 0x80 sys_write)
    inc al
    inc al
    inc al
    inc al
    xor ebx, ebx
    inc ebx                    //Does not work inside exploit
    xor edx, edx
    mov dl, hellolen            ; EDX = length of hello string
    int 0x80

    ; Terminate program
    xor eax, eax
    inc eax                    //Does not work inside exploit
    xor ebx, ebx                ; EBX = return value of 0
    int 0x80
call:
    call pop
    hello: db "Hello World!Ho are you!!!!!"
hellolen equ $-hello

The above code works properly and gives the proper output when run independently.

But when I take objdump of the same and if I try to run through buffer overflow I get the following issues.

Here inc al increments al value properly but inc eax or inc ebx

Could be because in the objdump it shows inc al --> fe c0 inc ebx --> 43 //some one byte number

I also tried the following methods to update eax and ebx

xor ebx, ebx
xor bl, bl
inc bl
movsx ebx, bl
;inc ebx

But here movsx opcode is 0x0f and it does not work as I encounter null terminated string(\x0x\x0f ).

Improve this question
18
  • "[...]here movsx opcode is 0x0f[...]". Luckily you don't need that instruction because it doesn't change anything: EBX is 1 and a sign-extend does not have any effect. Commented Mar 10, 2019 at 19:22
  • I need to increment ebx somehow. What do you mean by I don't need that instruction? Commented Mar 10, 2019 at 19:24
  • MOVSX does not increment EBX at all - it sign-extends its value - which is 1 - from BL to EBX, and so it does nothing, because sign-extending 1 just fills the upper bits with zeroes that are already there due to the XOR EBX,EBX. Commented Mar 10, 2019 at 19:26
  • 2
    Great, I said I bet it contains ELF 64-bit . The exploit you wrote is specifically for 32-bit. Your encountering odd behaviour because the instruction encoding of a 32-bit program is different than 64-bit. The instructions are being misinterpreted by the CPU and yielding odd behaviour. Let me know how you make out with the shellcode.asm example in the other answer that uses syscall. Also note it uses -f elf64 when assembling with NASM (That is important) Commented Mar 10, 2019 at 20:03
  • 1
    Okay, so regarding 0x0f the program may have been designed to not accept 0x0f deliberately. Until you told me this was for course work and you don't have the source (of ./victim) I was unsure about anything related to the target. In that other answer I linked to you will want to work off the second shellcode.asm example that eliminated the 0x00(NUL bytes).If you can't use 0x0f you will have to get creative to find instructions that don't use that byte as well. Commented Mar 10, 2019 at 20:14
Related questions
7
Buffer overflow attack format
6
Dillema with buffer overflow
2
Experimental buffer overflow in Ubuntu 10 (assembly)
Load 7 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.