STACK FRAME & FUNCTION CALL ANALYSIS
RETRIEVING EBP
Disassemble main() to see how the stack is laid out and to get the EBP for main(). Be mindful that each function in a program has its own stack frame, and each of those stack frames includes its own base pointer. The base pointer register is used to reference the local variables and parameters of the current function, providing a stable point of reference for accessing data on the stack.
gef> run
Starting program: /...lab03.out
...
$eax : 0xf7fac088 -> 0xffffd17c -> 0xffffd35a -> "SHELL=/bin/bash"
$ebx : 0x0
$ecx : 0xbe2e309b
$edx : 0xffffd104 -> 0x00000000
$esp : 0xffffd0dc -> 0xf7dd9ed5 -> <__libc_start_main+245> add esp, 0x10
$ebp : 0x0
$esi : 0xf7faa000 -> 0x001ead6c
$edi : 0xf7faa000 -> 0x001ead6c
$eip : 0x5655632f -> <main+0> endbr32
$eflags : ...
* this should hit the 1st breakpoint, which is at main()
gef> disass
Dump of assembler code for function main:
=> 0x5655632f <+0>: endbr32
0x56556333 <+4>: lea ecx,[esp+0x4]
0x56556337 <+8>: and esp,0xfffffff0
...
* this displays the stack layout and begins at the function prologue
gef> step
gef> disass
Dump of assembler code for function main:
...
=> 0x5655634d <+30>: sub esp,0xc
0x56556350 <+33>: lea eax,[ebx-0x1f60]
0x56556356 <+39>: push eax
0x56556357 <+40>: call 0x565560a0 <puts@plt>
* after stepping, this should bring you past the main function's prologue
- now you can get the correct EBP address via the "context regs" cmd
gef> context regs
$eax : ...
$ebx : ...
$ecx : ...
$edx : ...
$esp : ...
$ebp : 0xffffd0c8 -> 0x00000000
...
* note: the EBP value doesn't change while main() is running (each called function sets up its own EBP in its prologue)
* keep "step"ing until the other function is reached
RETRIEVING VALUES & ADDRESSES ON THE STACK
identify what's getting pushed onto the stack and which addresses those values are getting pushed to
#start with the LOAD EFFECTIVE ADDRESS (LEA) and see what is getting put into eax
#e.g., lea eax, [ebp-0x10] //ebp-0x10 is getting put into eax
# push eax //eax is getting pushed onto the stack
* note: the stack has two instructions, "PUSH" & "POP"
- this is your indication that the stack is being used
gef> si
$eax : 0xf7fac088 -> 0xffffd17c -> 0xffffd35a -> "SHELL=/bin/bash"
* this cmd "steps into" the lea; the next step should be push eax
- you'll see what value is getting pushed from here
#find the first call to f1
gef> disass
...
push eax
call 0x565560a0 <puts@plt>
add esp, 0x10
call 0x5655620d <getNameLen>
call 0x5655626d <f1>
* remember: arguments get pushed onto the stack in the reverse order that they are needed
- the last thing pushed onto the stack (0x5655620d <getNameLen> in this example) is what f1 needs
- or is it push eax?
gef> si
gef> x /xw $ebp
VIEWING STACK SPACE SIZE
This displays the stack space size after overwriting EIP with payload/shellcode
(gdb) info proc all
process 2143
warning: target file /proc/2143/cmdline contained unexpected null characters
cmdline = '/home/htb-student/bow'
cwd = '/home/htb-student'
exe = '/home/htb-student/bow'
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x56555000 0x56556000 0x1000 0x0 /home/htb-student/bow
0x56556000 0x56557000 0x1000 0x0 /home/htb-student/bow
0x56557000 0x56558000 0x1000 0x1000 /home/htb-student/bow
0xf7ded000 0xf7fbf000 0x1d2000 0x0 /lib32/libc-2.27.so
0xf7fbf000 0xf7fc0000 0x1000 0x1d2000 /lib32/libc-2.27.so
0xf7fc0000 0xf7fc2000 0x2000 0x1d2000 /lib32/libc-2.27.so
0xf7fc2000 0xf7fc3000 0x1000 0x1d4000 /lib32/libc-2.27.so
0xf7fc3000 0xf7fc6000 0x3000 0x0
0xf7fcf000 0xf7fd1000 0x2000 0x0
0xf7fd1000 0xf7fd4000 0x3000 0x0 [vvar]
0xf7fd4000 0xf7fd6000 0x2000 0x0 [vdso]
0xf7fd6000 0xf7ffc000 0x26000 0x0 /lib32/ld-2.27.so
0xf7ffc000 0xf7ffd000 0x1000 0x25000 /lib32/ld-2.27.so
0xf7ffd000 0xf7ffe000 0x1000 0x26000 /lib32/ld-2.27.so
0xfffdc000 0xffffe000 0x22000 0x0 [stack]
Name: bow
Umask: 0002
State: t (tracing stop)
Tgid: 2143
Ngid: 0
Pid: 2143
PPid: 2112
* 0xfffdc000 0xffffe000 0x21000 0x0 [stack]
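A small parser for the "Mapped address spaces" table above, added here as an example (it is not part of the original notes): it recomputes each region's size from its bounds, which is how to settle the [stack] row reading 0x22000 while the closing note says 0x21000, and it names the mapping any given address falls into, e.g. a value seen in $ebp. The rows in MAPS_TEXT are copied verbatim from the `info proc all` output above; the column layout (hex Start/End/Size/Offset, optional objfile) is assumed from that output.

```python
import re

# "Mapped address spaces" rows, copied from the `info proc all` output above.
MAPS_TEXT = """\
0x56555000 0x56556000 0x1000 0x0 /home/htb-student/bow
0x56556000 0x56557000 0x1000 0x0 /home/htb-student/bow
0x56557000 0x56558000 0x1000 0x1000 /home/htb-student/bow
0xf7ded000 0xf7fbf000 0x1d2000 0x0 /lib32/libc-2.27.so
0xf7fbf000 0xf7fc0000 0x1000 0x1d2000 /lib32/libc-2.27.so
0xf7fc0000 0xf7fc2000 0x2000 0x1d2000 /lib32/libc-2.27.so
0xf7fc2000 0xf7fc3000 0x1000 0x1d4000 /lib32/libc-2.27.so
0xf7fc3000 0xf7fc6000 0x3000 0x0
0xf7fcf000 0xf7fd1000 0x2000 0x0
0xf7fd1000 0xf7fd4000 0x3000 0x0 [vvar]
0xf7fd4000 0xf7fd6000 0x2000 0x0 [vdso]
0xf7fd6000 0xf7ffc000 0x26000 0x0 /lib32/ld-2.27.so
0xf7ffc000 0xf7ffd000 0x1000 0x25000 /lib32/ld-2.27.so
0xf7ffd000 0xf7ffe000 0x1000 0x26000 /lib32/ld-2.27.so
0xfffdc000 0xffffe000 0x22000 0x0 [stack]
"""

# Start, End, Size, Offset are hex columns; objfile is empty for anonymous maps.
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*(\S*)$")

def parse_maps(text):
    """Parse gdb's mapping table into dicts with integer bounds."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header line or other gdb chatter
            continue
        start, end, size, offset = (int(v, 16) for v in m.groups()[:4])
        rows.append({"start": start, "end": end, "size": size,
                     "offset": offset, "objfile": m.group(5) or "[anon]"})
    return rows

def size_mismatches(rows):
    """Rows whose Size column disagrees with End - Start (catches hand-copy slips)."""
    return [r for r in rows if r["end"] - r["start"] != r["size"]]

def stack_size(rows):
    """Size of the [stack] mapping, recomputed from its bounds rather than trusted."""
    for r in rows:
        if r["objfile"] == "[stack]":
            return r["end"] - r["start"]
    return None

def region_of(rows, addr):
    """Name the mapping an address (e.g. a value seen in $ebp) falls into."""
    return next((r["objfile"] for r in rows if r["start"] <= addr < r["end"]), None)
```

Feeding it the output of `info proc mappings` from a live session works the same way, since the numeric columns have the same shape.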