From 541a979646a781eded04045ae4927e46c032ba9d Mon Sep 17 00:00:00 2001
From: Valentin Brandl <vbrandl@riseup.net>
Date: Mon, 16 Dec 2019 11:38:01 +0100
Subject: [PATCH] Realistic stack layouts

---
 work/dot/before.dot  |  4 ++--
 work/dot/call.dot    | 13 +++++++------
 work/dot/exploit.dot | 13 +++++++------
 3 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/work/dot/before.dot b/work/dot/before.dot
index 63b3926..209295a 100644
--- a/work/dot/before.dot
+++ b/work/dot/before.dot
@@ -3,8 +3,8 @@ digraph G {
     shape="plaintext"
     label=<
       <table border='1' cellborder='1'>
-        <tr><td>data1</td><td>0xFE</td><td>&lt;- SP</td></tr>
-        <tr><td>data1</td><td>0xFF</td><td>&lt;- BP</td></tr>
+        <tr><td>argc</td><td>0xFE</td><td>&larr; SP (main)</td></tr>
+        <tr><td>argv</td><td>0xFF</td><td>&larr; BP (main)</td></tr>
       </table>
   >];
 }
diff --git a/work/dot/call.dot b/work/dot/call.dot
index 5ddb455..341886c 100644
--- a/work/dot/call.dot
+++ b/work/dot/call.dot
@@ -3,13 +3,14 @@ digraph G {
     shape="plaintext"
     label=<
       <table border='1' cellborder='1'>
-        <tr><td>data2</td><td>0xF9</td><td>&lt;- SP</td></tr>
-        <tr><td>data2</td><td>0xFA</td><td>&lt;- BP</td></tr>
+        <tr><td>buf</td><td>0xC8</td><td>&larr; SP (vuln)</td></tr>
+        <tr><td>buf</td><td>...</td><td></td></tr>
+        <tr><td>buf</td><td>0xFA</td><td>&larr; BP (vuln)</td></tr>
         <tr><td>[old IP]</td><td>0xFB</td><td></td></tr>
-        <tr><td>*0xFE</td><td>0xFC</td><td></td></tr>
-        <tr><td>*0xFF</td><td>0xFD</td><td></td></tr>
-        <tr><td>data1</td><td>0xFE</td><td></td></tr>
-        <tr><td>data1</td><td>0xFF</td><td></td></tr>
+        <tr><td>[BP (main)]</td><td>0xFC</td><td></td></tr>
+        <tr><td>[*input]</td><td>0xFD</td><td></td></tr>
+        <tr><td>argc</td><td>0xFE</td><td></td></tr>
+        <tr><td>argv</td><td>0xFF</td><td></td></tr>
       </table>
   >];
 }
diff --git a/work/dot/exploit.dot b/work/dot/exploit.dot
index 6e9eb18..51ffdbf 100644
--- a/work/dot/exploit.dot
+++ b/work/dot/exploit.dot
@@ -3,13 +3,14 @@ digraph G {
     shape="plaintext"
     label=<
       <table border='1' cellborder='1'>
-        <tr><td>data2</td><td>0xF9</td><td>&lt;- SP</td></tr>
-        <tr><td>[payload]</td><td>0xFA</td><td>&lt;- BP</td></tr>
+        <tr><td>[payload]</td><td>0xC8</td><td>&larr; SP (vuln)</td></tr>
+        <tr><td>[payload]</td><td>...</td><td></td></tr>
+        <tr><td>[payload]</td><td>0xFA</td><td>&larr; BP (vuln)</td></tr>
         <tr><td>[controlled IP]</td><td>0xFB</td><td></td></tr>
-        <tr><td>*0xFE</td><td>0xFC</td><td></td></tr>
-        <tr><td>*0xFF</td><td>0xFD</td><td></td></tr>
-        <tr><td>data1</td><td>0xFE</td><td></td></tr>
-        <tr><td>data1</td><td>0xFF</td><td></td></tr>
+        <tr><td>[BP (main)]</td><td>0xFC</td><td></td></tr>
+        <tr><td>[*input]</td><td>0xFD</td><td></td></tr>
+        <tr><td>argc</td><td>0xFE</td><td></td></tr>
+        <tr><td>argv</td><td>0xFF</td><td></td></tr>
       </table>
   >];
 }

data1	0xFE	<- SP
data1	0xFF	<- BP
argc	0xFE	← SP (main)
argv	0xFF	← BP (main)
data2	0xF9	<- SP
data2	0xFA	<- BP
buf	0xC8	← SP (vuln)
buf	...
buf	0xFA	← BP (vuln)
[old IP]	0xFB
*0xFE	0xFC
*0xFF	0xFD
data1	0xFE
data1	0xFF
[BP (main)]	0xFC
[*input]	0xFD
argc	0xFE
argv	0xFF