Basic Linux exploits: Function Calling Procedure


Note: Hacking is not a joke so please keep patience and learn it step by step.

Note: Before reading this post you must read :

Function Calling Procedure

As we defined in our previous post functions are group of some codes that together performs a certain task and is called by other functions, including the main( ) function . This call causes a jump in the flow of the program .

What happens when a function is called in assembly language code ??

  1. By convention , the function calling program sets up the function parameters on the stack in the reverse order.
  2. eip is saved on the stack to give the next instruction from where it left off (return address).
  3. Finally function call is executed and the address to next instruction is stored in eip.

A Look at the assembly code

Note: Assembly code below is produced using gdb(debugger) , follow the below steps
  • Write a program  in c and compile it using gcc -fno-stack-protector option below is the simple code intest.c
    #include  int main(int argc, char *argv[])
               {
                  printf(“Welcome from Buffercode \n Hello %s %s\n”,argv[1],argv[2]);
                  return 0;
             }
  • Open terminal
  • Type command root@gAmer:~#gdb -q test.c
  • (gdb) disassemble main
  • Below is the output in assembly code
    Output:
    Dump of assembler code for function main:
    0x000000000040050c <+0>: push %rbp
      0x000000000040050d <+1>: mov %rsp,%rbp
      0x0000000000400510 <+4>: sub $0x10,%rsp
      0x0000000000400514 <+8>: mov %edi,-0x4(%rbp)
      0x0000000000400517 <+11>: mov %rsi,-0x10(%rbp)
      0x000000000040051b <+15>: mov -0x10(%rbp),%rax
      0x000000000040051f <+19>: add $0x10,%rax
      0x0000000000400523 <+23>: mov (%rax),%rdx
      0x0000000000400526 <+26>: mov -0x10(%rbp),%rax
      0x000000000040052a <+30>: add $0x8,%rax
      0x000000000040052e <+34>: mov (%rax),%rax
      0x0000000000400531 <+37>: mov %rax,%rsi
      0x0000000000400534 <+40>: mov $0x400600,%edi
      0x0000000000400539 <+45>: mov $0x0,%eax
      0x000000000040053e <+50>: callq 0x4003e0 
      0x0000000000400543 <+55>: mov $0x0,%eax
      0x0000000000400548 <+60>: leaveq 
      0x0000000000400549 <+61>: retq
    End of assembler dump.
So if you are familiar with assembly code you can easily understand it or if you can’t please tell us so that we will guide you .
You will see these stuffs of assembly code over and over while looking for buffer-code overflows during exploits , so please make sure that you are able to understand this stuff . If got stuck anywhere please comment here , or create a topic on our forum after loging in .