stupid buffer overflow program doesnt work.. cant understand why..
i compiled in hyperthreading when i upgraded to 2.6 :(. The only thing is if this where the case making a pointer point to a local variable and decrementing it shouldnt enable me to reach magic \177ELF,... should it?
A quick google doesn't suggest suse9.1 has any specil security features.
Therefore, I'm putting my money on two things.
1. Your shellcode is bad.
2. This line of code is completely wrong:
Therefore, I'm putting my money on two things.
1. Your shellcode is bad.
2. This line of code is completely wrong:
for(i = 0 ; i <= 601 ; i += sizeof(long)) (long)buffer = ret;
Quote: Original post by C-Junkie
A quick google doesn't suggest suse9.1 has any specil security features.
Therefore, I'm putting my money on two things.
1. Your shellcode is bad.
2. This line of code is completely wrong:for(i = 0 ; i <= 601 ; i += sizeof(long)) (long)buffer = ret;
Yeah, that's an interesting point - that code doesn't look right to me either. I am used to doing something like
*((long *)&buffer) = ret;
Stepping through in a nice debugger is the best way to catch these kinds of errors, although looking through the disassembly is good too. The compiler might detect that you're changing registers in a function and push them onto the stack to save them.
Tom
"E-mail is for geeks and pedophiles." -Cruel Intentions
I tried your exploit and it just exited normally when vuln was called via execl. Your shellcode did some systemcall at the end (exit?)- Here's the disassembly of the shellcode:
000006A0:iEB17 jmps file:000006B9 =>[0]000006A2:i5E pop esi 000006A3:i897608 mov [esi+08],esi 000006A6:i31C0 xor eax,eax 000006A8:i884607 mov [esi+07],al 000006AB:i89460C mov [esi+0C],eax 000006AE:iB00B mov al,0B 000006B0:i89F3 mov ebx,esi 000006B2:i8D4E08 lea ecx,[esi+08] 000006B5:i31D2 xor edx,edx 000006B7:iCD80 int 80 000006B9:iE8E4FFFFFF calln file:000006A2 =>[1]
sizeof(long) = 4 or the size of a word, and just looking into my shellcode now and should have something in a little while.
isnt that the same as
im trying to atm find an assembly implementation of execve (syscall 11 or b)
[Edited by - Genjix on December 28, 2004 1:04:02 PM]
Quote:
*((long *)&buffer) = ret;
isnt that the same as
(long)buffer = ret;
im trying to atm find an assembly implementation of execve (syscall 11 or b)
[Edited by - Genjix on December 28, 2004 1:04:02 PM]
Quote: Original post by Genjix
(long)buffer = ret;
You can't cast lvalues like that, it has been deprecated by standard some time ago :)
Quote:
im trying to atm find an assembly implementation of execve (syscall 11 or b)
this should help you. http://www.lxhp.in-berlin.de/lhpsyscal.html
Note that you usually don't know absolute addresses of strings in memory, so you have to determine them. but you can determine them by using call and poping saved EIP adress from stack
In case you're intrested in addition information here's couple good links:
- Phrack.org: Smashing stack for fun and profit
- Defeating Solar Designer's Non-executable Stack Patch
Why do you determine the return address in the exploit.cpp like that? I mean, shouldn't you determine the return address via debugger when running the vuln and hardcode it in the shellcode or something?
- Phrack.org: Smashing stack for fun and profit
- Defeating Solar Designer's Non-executable Stack Patch
Why do you determine the return address in the exploit.cpp like that? I mean, shouldn't you determine the return address via debugger when running the vuln and hardcode it in the shellcode or something?
Another question:
Wouldn't it be a whole lot easier to create non-executable buffer overflow exploit? Just create shellcode which contains the return address to a function and the parameters for it. For example when I compile and link vuln.cpp the execve gets loaded to address 0xa7f50df6. Use this address as return address...
Wouldn't it be a whole lot easier to create non-executable buffer overflow exploit? Just create shellcode which contains the return address to a function and the parameters for it. For example when I compile and link vuln.cpp the execve gets loaded to address 0xa7f50df6. Use this address as return address...
i think the shellcode is wrong...
i used this shellcode instead (exit) and it didnt seg fault
im just going to try writing to stdout now (but im not sure if itll be successful because as harry_x said, im thinking of just including them in the text section in the shellcode and using a jmp).
so are you saying to jump to a function within exploit when i load vuln from within exploit?
i used this shellcode instead (exit) and it didnt seg fault
/*7 byte exit(); shellcode*/char scex[] = "\x31\xc0" "\x40" "\x31\xdb" "\xcd\x80";
im just going to try writing to stdout now (but im not sure if itll be successful because as harry_x said, im thinking of just including them in the text section in the shellcode and using a jmp).
Quote:
Wouldn't it be a whole lot easier to create non-executable buffer overflow exploit? Just create shellcode which contains the return address to a function and the parameters for it. For example when I compile and link vuln.cpp the execve gets loaded to address 0xa7f50df6. Use this address as return address...
so are you saying to jump to a function within exploit when i load vuln from within exploit?
Quote: Original post by GenjixQuote:
Wouldn't it be a whole lot easier to create non-executable buffer overflow exploit? Just create shellcode which contains the return address to a function and the parameters for it. For example when I compile and link vuln.cpp the execve gets loaded to address 0xa7f50df6. Use this address as return address...
so are you saying to jump to a function within exploit when i load vuln from within exploit?
No. When you run vuln within exploit it is a new distinct process and they do not share memory in anyway. I'm saying that when vuln is loaded, the dynamic linker loads the _whole_ libc library also. The symbols of the library are located at static addresses so you can use debugger to look up the address of the symbol of your choice. With gdb you could just do: info address execve, to find address of execve.
Feed this address as return address for vulns main function and stick the parameters with it.
Usually when this technique is used one calls the mighty system function.
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement