Advertisement

stupid buffer overflow program doesnt work.. cant understand why..

Started by December 28, 2004 07:10 AM
34 comments, last by Genjix 19 years, 10 months ago
i compiled in hyperthreading when i upgraded to 2.6 :(. The only thing is if this where the case making a pointer point to a local variable and decrementing it shouldnt enable me to reach magic \177ELF,... should it?
A quick google doesn't suggest suse9.1 has any specil security features.

Therefore, I'm putting my money on two things.

1. Your shellcode is bad.
2. This line of code is completely wrong:
for(i = 0 ; i <= 601 ; i += sizeof(long))		(long)buffer = ret;
Advertisement
Quote: Original post by C-Junkie
A quick google doesn't suggest suse9.1 has any specil security features.

Therefore, I'm putting my money on two things.

1. Your shellcode is bad.
2. This line of code is completely wrong:
for(i = 0 ; i <= 601 ; i += sizeof(long))		(long)buffer = ret;


Yeah, that's an interesting point - that code doesn't look right to me either. I am used to doing something like

*((long *)&buffer) = ret;


Stepping through in a nice debugger is the best way to catch these kinds of errors, although looking through the disassembly is good too. The compiler might detect that you're changing registers in a function and push them onto the stack to save them.

Tom
"E-mail is for geeks and pedophiles." -Cruel Intentions
I tried your exploit and it just exited normally when vuln was called via execl. Your shellcode did some systemcall at the end (exit?)- Here's the disassembly of the shellcode:

 000006A0:iEB17                           jmps      file:000006B9          =&gt;[0]000006A2:i5E                             pop       esi                   000006A3:i897608                         mov       [esi+08],esi                 000006A6:i31C0                           xor       eax,eax                      000006A8:i884607                         mov       [esi+07],al                  000006AB:i89460C                         mov       [esi+0C],eax                 000006AE:iB00B                           mov       al,0B                        000006B0:i89F3                           mov       ebx,esi                      000006B2:i8D4E08                         lea       ecx,[esi+08]                 000006B5:i31D2                           xor       edx,edx                      000006B7:iCD80                           int       80                           000006B9:iE8E4FFFFFF                     calln     file:000006A2           =&gt;[1]
sizeof(long) = 4 or the size of a word, and just looking into my shellcode now and should have something in a little while.
Quote:
*((long *)&buffer) = ret;

isnt that the same as
	(long)buffer = ret;

im trying to atm find an assembly implementation of execve (syscall 11 or b)

[Edited by - Genjix on December 28, 2004 1:04:02 PM]
Quote: Original post by Genjix
(long)buffer = ret;

You can't cast lvalues like that, it has been deprecated by standard some time ago :)
Quote:
im trying to atm find an assembly implementation of execve (syscall 11 or b)

this should help you. http://www.lxhp.in-berlin.de/lhpsyscal.html
Note that you usually don't know absolute addresses of strings in memory, so you have to determine them. but you can determine them by using call and poping saved EIP adress from stack
Advertisement
In case you're intrested in addition information here's couple good links:
- Phrack.org: Smashing stack for fun and profit
- Defeating Solar Designer's Non-executable Stack Patch

Why do you determine the return address in the exploit.cpp like that? I mean, shouldn't you determine the return address via debugger when running the vuln and hardcode it in the shellcode or something?
Another question:

Wouldn't it be a whole lot easier to create non-executable buffer overflow exploit? Just create shellcode which contains the return address to a function and the parameters for it. For example when I compile and link vuln.cpp the execve gets loaded to address 0xa7f50df6. Use this address as return address...
i think the shellcode is wrong...

i used this shellcode instead (exit) and it didnt seg fault
/*7 byte  exit(); shellcode*/char scex[] =	"\x31\xc0"		"\x40"		"\x31\xdb"		"\xcd\x80";

im just going to try writing to stdout now (but im not sure if itll be successful because as harry_x said, im thinking of just including them in the text section in the shellcode and using a jmp).
Quote:
Wouldn't it be a whole lot easier to create non-executable buffer overflow exploit? Just create shellcode which contains the return address to a function and the parameters for it. For example when I compile and link vuln.cpp the execve gets loaded to address 0xa7f50df6. Use this address as return address...

so are you saying to jump to a function within exploit when i load vuln from within exploit?
Quote: Original post by Genjix
Quote:
Wouldn't it be a whole lot easier to create non-executable buffer overflow exploit? Just create shellcode which contains the return address to a function and the parameters for it. For example when I compile and link vuln.cpp the execve gets loaded to address 0xa7f50df6. Use this address as return address...

so are you saying to jump to a function within exploit when i load vuln from within exploit?


No. When you run vuln within exploit it is a new distinct process and they do not share memory in anyway. I'm saying that when vuln is loaded, the dynamic linker loads the _whole_ libc library also. The symbols of the library are located at static addresses so you can use debugger to look up the address of the symbol of your choice. With gdb you could just do: info address execve, to find address of execve.
Feed this address as return address for vulns main function and stick the parameters with it.

Usually when this technique is used one calls the mighty system function.

This topic is closed to new replies.

Advertisement