Add persistent code snippets to examples

This commit is contained in:
maride 2021-06-11 18:50:34 +02:00
parent 11de20c5f3
commit 50aa2e7277
2 changed files with 25 additions and 0 deletions

View File

@ -21,6 +21,17 @@
// With the addresses identified above, we call barf with: // With the addresses identified above, we call barf with:
// ./barf.sh --positive-addr 0x5555555551f5 --win-addr 0x55555555523d --chunksize 2 ./double-trouble // ./barf.sh --positive-addr 0x5555555551f5 --win-addr 0x55555555523d --chunksize 2 ./double-trouble
// //
// While it is possible to solve chunksizes of 2 or even more without persistent mode, it is not avisable.
// Keep in mind that the persistent mode can speed up things around factor 8 or even more.
// So, as a quick exercise, we calculate a few more addresses required for persistent mode.
// Let's pick 0x00005555555551af as start address (right after fgets) and 0x0000555555555248 (ret) as end address.
// You need to debug the binary with GDB to find your buffer address, here it is at 0x7fffffffdef0.
//
// With those additional addresses, we can kickstart barf in persistent mode:
// ./barf.sh --positive-addr 0x00005555555551f5 --win-addr 0x000055555555523d --start-addr 0x00005555555551af --end-addr 0x0000555555555248 --persistent --buff-addr 0x7fffffffdef0 --chunksize 2 ./double-trouble
//
// Enjoy!! ;)
//
// Please note that your addresses will likely differ, e.g. if you edit the source file below. // Please note that your addresses will likely differ, e.g. if you edit the source file below.
#include <stdio.h> #include <stdio.h>
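Review bot: The caveat on the last comment line is too narrow: the addresses in this hunk (text at 0x5555555551af/0x555555555248, buffer at 0x7fffffffdef0) are only stable because the binary is PIE loaded at its default base with ASLR disabled (as gdb does), and the buffer address additionally shifts with the size of the environment and argv; the comment should say that addresses differ under ASLR or a different environment, not only "if you edit the source file below", and the run should be done under the same conditions (e.g. `setarch -R` or ASLR off) as the gdb session. Also fix the typo "avisable" -> "advisable", and either back the "factor 8 or even more" speed-up with a measured number from these two binaries or soften it; a reader will otherwise take it as a benchmark. Minor: the first command writes `0x5555555551f5` and the second `0x00005555555551f5`; use one form so readers can diff the two invocations at a glance.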

View File

@ -20,6 +20,20 @@
// With the addresses identified above, we call barf with: // With the addresses identified above, we call barf with:
// ./barf.sh --negative-addr 0x5555555551c7 --win-addr 0x5555555551ec ./single-char // ./barf.sh --negative-addr 0x5555555551c7 --win-addr 0x5555555551ec ./single-char
// //
// Persistence Mode
// It is fast, it is easy to use, so why not use it?
// We need to have another look on the binary to find a few more addresses.
// The point directly after fgets() seems like a good value for the start-addr, at 0x5555555551a6.
// end-addr is even easier, let's choose the return point of main(), at 0x555555555218.
// To find out where the buffer is located, start the binary, fill nonsense (32*'A') into it and use gdb's
// `searchmem` command. You will quickly find out that the buffer sits at 0x7fffffffdf00 (stack).
//
// Eqipped with those shiny new values, we can run barf with:
// ./barf.sh --negative-addr 0x5555555551c7 --win-addr 0x5555555551ec --start-addr 0x5555555551a6 --end-addr 0x555555555218 --buff-addr 0x7fffffffdf00 --persistent ./single-char
//
// Can you notice any performance differences? ;)
//
//
// Please note that your addresses will likely differ, e.g. if you edit the source file below. // Please note that your addresses will likely differ, e.g. if you edit the source file below.
#include <stdio.h> #include <stdio.h>
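Review bot: `searchmem` is not a built-in gdb command (it is provided by the PEDA plugin); the comment should name the plugin or use plain gdb's `find`, e.g. `find $rsp, +0x1000, "AAAA"` after filling the buffer, so the instruction works on a stock gdb. The same ASLR/environment caveat as for the stack address applies here: 0x7fffffffdf00 and the 0x5555... text addresses only hold with ASLR disabled and the same environment as under gdb, which the closing "addresses will likely differ" line should state. Also fix the typo "Eqipped" -> "Equipped", and align the heading "Persistence Mode" with the flag name and the other file's wording ("persistent mode", `--persistent`), and drop the duplicated empty `//` line before the closing note.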