From 50aa2e7277ede96dd4618c80a728b1e28581c2d6 Mon Sep 17 00:00:00 2001 From: maride Date: Fri, 11 Jun 2021 18:50:34 +0200 Subject: [PATCH] Add persistent code snippets to examples --- examples/double-trouble.c | 11 +++++++++++ examples/single-char.c | 14 ++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/examples/double-trouble.c b/examples/double-trouble.c index 68de155..3a29829 100644 --- a/examples/double-trouble.c +++ b/examples/double-trouble.c @@ -21,6 +21,17 @@ // With the addresses identified above, we call barf with: // ./barf.sh --positive-addr 0x5555555551f5 --win-addr 0x55555555523d --chunksize 2 ./double-trouble // +// While it is possible to solve chunksizes of 2 or even more without persistent mode, it is not avisable. +// Keep in mind that the persistent mode can speed up things around factor 8 or even more. +// So, as a quick exercise, we calculate a few more addresses required for persistent mode. +// Let's pick 0x00005555555551af as start address (right after fgets) and 0x0000555555555248 (ret) as end address. +// You need to debug the binary with GDB to find your buffer address, here it is at 0x7fffffffdef0. +// +// With those additional addresses, we can kickstart barf in persistent mode: +// ./barf.sh --positive-addr 0x00005555555551f5 --win-addr 0x000055555555523d --start-addr 0x00005555555551af --end-addr 0x0000555555555248 --persistent --buff-addr 0x7fffffffdef0 --chunksize 2 ./double-trouble +// +// Enjoy!! ;) +// // Please note that your addresses will likely differ, e.g. if you edit the source file below. #include diff --git a/examples/single-char.c b/examples/single-char.c index b05a41f..f6145e0 100644 --- a/examples/single-char.c +++ b/examples/single-char.c 
@@ -20,6 +20,20 @@ // With the addresses identified above, we call barf with: // ./barf.sh --negative-addr 0x5555555551c7 --win-addr 0x5555555551ec ./single-char // +// Persistence Mode +// It is fast, it is easy to use, so why not use it? +// We need to have another look on the binary to find a few more addresses. +// The point directly after fgets() seems like a good value for the start-addr, at 0x5555555551a6. +// end-addr is even easier, let's choose the return point of main(), at 0x555555555218. +// To find out where the buffer is located, start the binary, fill nonsense (32*'A') into it and use gdb's +// `searchmem` command. You will quickly find out that the buffer sits at 0x7fffffffdf00 (stack). +// +// Eqipped with those shiny new values, we can run barf with: +// ./barf.sh --negative-addr 0x5555555551c7 --win-addr 0x5555555551ec --start-addr 0x5555555551a6 --end-addr 0x555555555218 --buff-addr 0x7fffffffdf00 --persistent ./single-char +// +// Can you notice any performance differences? ;) +// +// // Please note that your addresses will likely differ, e.g. if you edit the source file below. #include
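Review bot: In the examples/double-trouble.c hunk the address formats are inconsistent: the existing invocation passes `--positive-addr 0x5555555551f5 --win-addr 0x55555555523d`, while the new persistent-mode invocation zero-pads the same two addresses to `0x00005555555551f5` and `0x000055555555523d`; use one form so a reader does not have to check whether the two commands target different locations. In the same hunk, "it is not avisable" should read "advisable", the "speed up things around factor 8 or even more" claim has no measurement behind it and should either cite one or be softened, and the buffer address `0x7fffffffdef0` needs a stronger caveat than the "your addresses will likely differ" line that follows: it is a stack address observed under GDB, so it only matches a run outside the debugger when ASLR is disabled and the process gets the same environment and arguments, which is not what "if you edit the source file below" suggests. The hunk also says to "debug the binary with GDB to find your buffer address" without saying how; the single-char.c hunk in this patch shows the approach (fill the buffer with a known pattern, then search memory for it), so a one-line pointer here would keep the two examples consistent.

Review bot: In the examples/single-char.c hunk, `searchmem` is not a built-in GDB command (it is provided by the PEDA plugin), so "use gdb's `searchmem` command" will fail for readers on plain GDB; either name the plugin or use GDB's own `find`, e.g. `find $rsp, +0x200, 0x41414141` after filling the buffer with 'A's. Also in that hunk, "Eqipped" should be "Equipped", "another look on the binary" should be "another look at the binary", and the block ends with two consecutive empty `//` lines before the "Please note" paragraph where one is enough. The `--buff-addr 0x7fffffffdf00` value carries the same caveat as in the other file: a stack address taken from GDB only holds outside the debugger with ASLR off and an identical environment, which is worth stating next to the value rather than leaving it to the generic "your addresses will likely differ" note.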