Attack on Stack [Part 3]; Smash the Stack Visualization: Building on Fundaments, Analyzation Trilogy Conclusion.

Apr 25, 2015 12:41 PM
May 15, 2015 06:25 PM
635655360563227538.jpg

Hi everyone!

Last time we explained what roles Ebp and Esp registers have. We first introduced function's stack frame building, return address and calling conventions, but left some of the concepts floating without a full stop.

Today's Topic

Today we are going to complete the analysis of the Assembly code to finally move on to Exploitation in the following parts of the guide.

Recalling the last steps of the previous part, we explained what's the purpose of the function prologue, how Ebp and Esp registers are used to refer data in memory and stack frames with some GDB examples, trying to find out how the program's argument is pushed into mains()'s stack frame with the help of local and global pointers.

Today we are focusing on echo()'s Assembly representation: after concluding the explanation of the last lines in main() before echo()'s call (responsible for passing arguments to the next function), we will move to

function calling. If last time I briefly explained how stack frames are built and destroyed, today I'm analyzing how it is done trough Assembly code.

Make sure you read the previous part of the guide to be able to understand this one.

After echo()'s function prologue, we are going to explain every instruction in echo() to then go back to main() and conclude this first section of the guide.

If this sounds a little bit annoying to you, don't worry, because next time, we are going to dive deep in Exploitation fundaments, and with style!

Concluding Main()'s Explanation

Where we analyze from instruction 12 to 20, based on what last time's experience.

635655321223761487.jpg
635655323960322464.jpg
635655321223761487.jpg
635655323960322464.jpg

Disassembling Echo()

Where we iterate trough every instruction in echo(), trying to understand how is eax used and where is the buffer placed in memory.

635655325171066693.jpg
635655325840938425.jpg
635655326301912592.jpg
635655326727594506.jpg
635655327233284914.jpg
635655325171066693.jpg
635655325840938425.jpg
635655326301912592.jpg
635655326727594506.jpg
635655327233284914.jpg

Graphical Representation of Stack Frame Building: Recap

As an epilogue to this trilogy and an overture to exploitation, let's summarize every step of the stack frame construction, so that we can move on to exploitation:

635655329764177243.jpg
635655330245321342.jpg
635655329764177243.jpg
635655330245321342.jpg

References

Aleph1's "Smashing the Stack for Fun and Profit"

"Hacking, The Art of Exploitation"

"Buffer Overflow Demistified" by murat.

"The Shellcoder's Handbook"

Part 1 of "Attack On Stack"

Part 2 of "Attack On Stack"

Part 4 of "Attack On Stack"

Part 5 of "Attack On Stack"

Part 6 of "Attack On Stack"

Prelude to Reverse Engineering: IDA and Hopper Binary Patching Introduction

Side Note to Null Byte Users

Hey Everyone! How is it going?

Sorry if this part was shorter than usual, but I don't want to spoil you anything from the next series about exploitation! The next part will follow a different style, while still being based on pictures obviously.

Recently Null Byte is more and more active, a lot of new creators have joint us, which is really awesome.

Keep coming for the next parts (probably 5 or 6) as we explore exploitation fundaments and developing! I also encourage you to check the resources. I have a lot of them, and will probably gather all of the useful links that I used in a special part of the series, tell me if you want them sooner and I'll provide them to you all.

Again, thanks for being there Null Byters!

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!