section .text               ; code belongs in .text (the original said .data, which is not executable)
global _start
_start:
push ebp
mov ebp, esp
sub esp, 8
mov DWORD [ebp-4], 4        ; n: loop bound and the value added on every iteration
mov DWORD [ebp-8], 4        ; reserved, unused
mov eax, DWORD [ebp-4]      ; eax = n
mov ebx, 0                  ; ebx = loop counter i
mov ecx, 0                  ; ecx = running sum (must be initialised before the loop)
L1: cmp ebx, eax            ; while (i < n)
jl L2
mov eax, 0x01               ; sys_exit
mov ebx, ecx                ; exit status = sum = n * n (16 here; check with echo $?)
int 0x80
L2: add ebx, 1              ; i++
add ecx, eax                ; sum += n
jmp L1
Monthly Archives: June 2015
Basic assembly program in X86 -3 (Taking input through keyboard and printing)
section .text
global _start
_start:
push ebp
mov ebp, esp
sub esp, 4                  ; 4-byte buffer at [ebp-4]
; Read value using system call sys_read
mov eax, 0x03               ; sys_read
mov ebx, 0x00               ; fd 0 = stdin (fd 2 is stderr)
lea ecx, [ebp-4]            ; buffer address
mov edx, 4                  ; read at most 4 bytes: exactly the size of the buffer
int 0x80                    ; eax now holds the number of bytes read, or a negative errno
; Write value using system call sys_write
mov eax, 0x04               ; sys_write
mov ebx, 0x01               ; fd 1 = stdout
lea ecx, [ebp-4]
mov edx, 4                  ; writes the whole 4-byte buffer, even if fewer bytes were read
int 0x80
; Exiting the program using system call sys_exit
mov eax, 0x01
mov ebx, 0x00
int 0x80
Basic assembly program in X86 -2 (Adding two numbers)
section .text
global _start
_start:
push ebp
mov ebp, esp
sub esp, 12
mov DWORD [ebp-4], 10       ; first operand
mov DWORD [ebp-8], 20       ; second operand
push DWORD [ebp-8]          ; cdecl: arguments pushed right to left
push DWORD [ebp-4]
call add_two                ; result comes back in eax
add esp, 8                  ; caller removes the two arguments
mov [ebp-12], eax           ; store the sum locally
mov eax, 1                  ; sys_exit
mov ebx, [ebp-12]           ; exit status = 30 (check with echo $?)
int 0x80

; add_two(a, b): returns a + b in eax
; (named add_two rather than add, which is an instruction mnemonic in NASM)
add_two:
push ebp
mov ebp, esp
sub esp, 4
mov eax, [ebp+8]            ; a
add eax, [ebp+12]           ; b
mov [ebp-4], eax            ; local copy of the result
mov eax, [ebp-4]
mov esp, ebp
pop ebp
ret
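As an added example that is not part of the original posts, the following program combines the sys_read/sys_write pattern from post 3 with the cdecl call convention from post 2: it reads from stdin (fd 0) into a fixed 64-byte buffer, passes sys_read the buffer size as the limit so the buffer cannot overflow, and echoes back only the byte count that sys_read returned in eax. The buffer name, its size and the write_all helper are assumptions made for this example.

```nasm
; Build: nasm -f elf32 echo.asm && ld -m elf_i386 -o echo echo.o
section .bss
    buf     resb 64          ; fixed-size input buffer (constructed for this example)

section .text
global _start

; write_all(fd, ptr, len): cdecl helper, same convention as add_two above
write_all:
    push ebp
    mov ebp, esp
    push ebx                 ; ebx is callee-saved in cdecl
    mov eax, 4               ; sys_write
    mov ebx, [ebp+8]         ; fd
    mov ecx, [ebp+12]        ; buffer address
    mov edx, [ebp+16]        ; length
    int 0x80
    pop ebx
    mov esp, ebp
    pop ebp
    ret

_start:
    mov eax, 3               ; sys_read
    mov ebx, 0               ; fd 0 = stdin (not 2, which is stderr)
    mov ecx, buf
    mov edx, 64              ; at most the buffer size: the kernel never writes past buf
    int 0x80
    test eax, eax
    jle .done                ; eax < 0 is an error, 0 is EOF: nothing to echo
    push eax                 ; len = bytes actually read, not the buffer size
    push buf
    push 1                   ; fd 1 = stdout
    call write_all
    add esp, 12              ; caller cleans the three arguments (cdecl)
.done:
    mov eax, 1               ; sys_exit
    mov ebx, 0
    int 0x80
```

Running `printf 'hi\n' | ./echo` prints exactly `hi` and a newline, because the length passed to sys_write is the 3 returned by sys_read rather than 64.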
Basic assembly program in X86 -1 (Printing “Hello World”)
This is my first code I wrote in assembly. 🙂
section .text
global _start
_start:
push ebp
mov ebp, esp
push 'rld'                  ; 3-char constant is pushed as the dword "rld\0"
push 'o wo'                 ; middle four bytes ("o wo", not "d wo", which would print "Helld world")
push 'Hell'                 ; the stack now holds "Hello world\0" starting at esp
mov eax, 0x04               ; sys_write
mov ebx, 0x01               ; fd 1 = stdout
lea ecx, [esp]              ; address of the string
mov edx, 11                 ; length of "Hello world" (12 would also emit the trailing NUL)
int 0x80                    ; interrupt: invoke the kernel
mov eax, 0x01               ; sys_exit
mov ebx, 0x00
int 0x80
Over the Wire Narnia Level 2 (Buffer Overflow)
To enter level 2, you need to pass level 0 and level 1. So the password for solving the level 2 SUID is "nairiepecu". This is a simple buffer overflow problem.
So the main aim of this challenge is to get the shell. So using "strcpy" we could overflow the buffer and get the shell. So firstly we should find the exact length from the buffer to ebp using the gdb debugger.
So what I did is, first I set the breakpoint at the instruction of the strcpy function and then ran with some argument. Then I examined the stack and found the address of the buffer, which is "0xffffd630". Later I subtracted it from ebp's address, which is "0xffffd6c8". So the length from buf to ebp is 136. So I tried running with 140 'A' and 4 'B'.
It exactly gave me (Segmentation fault) at [0x42424242], which means that we correctly overwrote eip with BBBB. So the next step is to run the program with the shellcode.
So I have a 32-bit shellcode which is of size 38. So now I can give stuff of 102 bytes, the shellcode and the buffer address.
narnia2@melinda:/narnia$ ./narnia2 $(python -c 'print "A"*102 + "\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh" + "\x30\xd6\xff\xff"')
$ whoami
narnia3
$ cat /etc/narnia_pass/narnia3
vaequeezee
So this gave me the shell of the 3rd level.