Code Supplement

Thanks for your answers, according to your feedback, I knew that I should supply more code for your to help me draw the map of stack before and after buffer overflow. Now, the relevant codes are here.

First, the principle of the buffer overflow in the script is that, in the function hedwig_main, there exists a sub-function sess_get_uid which extracts cookie value from the head of HTTP and doesn’t test the length of cookie value. Then, another function sobj_get_string also extracts the cookie value without testing it’s length. The value of cookie then be used as a parameter of the function sprintf which located in 0x0040997C formatted onto the stack.
Second, I supply the code refer to the result of IDA Pro.

• Code of the function sess_get_uid
  .globl sess_get_uid sess_get_uid: var_30= -0x30 var_28= -0x28 var_24= -0x24 var_20= -0x20 var_1C= -0x1C var_18= -0x18 var_14= -0x14 var_10= -0x10 var_C= -0xC var_8= -8 var_4= -4 lui $gp, 0x43 addiu $sp, -0x40 li $gp, 0x4346D0 sw $ra, 0x40+var_4($sp) sw $fp, 0x40+var_8($sp) sw $s7, 0x40+var_C($sp) sw $s6, 0x40+var_10($sp) sw $s5, 0x40+var_14($sp) sw $s4, 0x40+var_18($sp) sw $s3, 0x40+var_1C($sp) sw $s2, 0x40+var_20($sp) sw $s1, 0x40+var_24($sp) sw $s0, 0x40+var_28($sp) sw $gp, 0x40+var_30($sp) la $t9, sobj_new nop jalr $t9 ; sobj_new move $s6, $a0 lw $gp, 0x40+var_30($sp) nop la $t9, sobj_new nop jalr $t9 ; sobj_new move $s2, $v0 lw $gp, 0x40+var_30($sp) lui $a0, 0x42 la $t9, getenv la $a0, aHttp_cookie # "HTTP_COOKIE" jalr $t9 ; getenv move $s3, $v0 lw $gp, 0x40+var_30($sp) beqz $s2, loc_407EE0 lui $a0, 0x42
• Code of the function sobj_get_string
  la $t9, sobj_get_string nop jalr $t9 ; sobj_get_string move $a0, $s5 lw $gp, 0x4E8+var_4D8($sp) lui $a1, 0x42 la $t9, sprintf move $a3, $v0 move $a2, $s2 la $a1, aSSPostxml # "%s/%s/postxml" jalr $t9 ; sprintf move $a0, $s1 # s lw $gp, 0x4E8+var_4D8($sp) move $a2, $s1 la $t9, xmldbc_del move $a0, $zero jalr $t9 ; xmldbc_del move $a1, $zero lw $gp, 0x4E8+var_4D8($sp) lui $a0, 0x42 la $t9, fopen lui $a1, 0x42 la $a0, aVarTmpTemp_xml # "/var/tmp/temp.xml" jalr $t9 ; fopen la $a1, aW # "w" lw $gp, 0x4E8+var_4D8($sp) bnez $v0, loc_4096D4 move $s2, $v0
• Code of the function sprintf in 0x0040997C
  jalr $t9 ; remove addiu $s0, $sp, 0x4E8+var_428 lw $gp, 0x4E8+var_4D8($sp) nop la $t9, sobj_get_string nop jalr $t9 ; sobj_get_string move $a0, $s5 lw $gp, 0x4E8+var_4D8($sp) lui $a1, 0x42 la $t9, sprintf lui $a2, 0x42 la $a1, aHtdocsWebincFa # "/htdocs/webinc/fatlady.php\nprefix=%s/%"... la $a2, aRuntimeSession # "/runtime/session" move $a3, $v0 jalr $t9 ; sprintf move $a0, $s0 # s lw $gp, 0x4E8+var_4D8($sp) move $a2, $s0 la $v0, stdout la $t9, xmldbc_ephp lw $a3, (stdout - 0x42E340)($v0) move $a0, $zero jalr $t9 ; xmldbc_ephp move $a1, $zero lw $gp, 0x4E8+var_4D8($sp) beqz $s7, loc_4099CC lui $v0, 0x43
  All these are what I think you may need. If you think that you need more code to help me draw the map, here is the link that exists buffer overflow, you can go to the link address and download it. Link is here:[ADDRESS] (http://pan.baidu.com/s/1qWWS7ec)
  Thanks for you reading and answering!