Re: Buffer Overflow Help

From: Geoffroy Raimbault (graimbault@lynx-technologies.com)
Date: 07/31/02


From: "Geoffroy Raimbault" <graimbault@lynx-technologies.com>
To: "jmiller" <secadmin@subversive.cc>
Date: Wed, 31 Jul 2002 18:34:11 +0200

In fact, you don't really modify x, but you modify the saved EIP of
"function()" to jump after the piece of code that sets x to 1: "movl
$0x1,0xfffffffc(%ebp)", so that you really "bypass" the "x=1" statement.

Concerning Leonard's problem, it may be due to the size gcc assigns to the
local variables when it has to make a 4-byte alignment.
Normally it should allocate 8 bytes for char buffer1[5] (you round to the
next multiple of 4 bytes to have a 4-byte alignment). Sometimes, gcc doesn't
round as expected. You should try this code, which allocates 8 bytes for
buffer1, and so has no alignment problems.

You should also take a look at Vuln Dev; a recent discussion there dealt with
this problem.

#include <stdio.h>

void function(int a, int b, int c)
{
    char buffer1[8];             // Allocate 8 bytes for buffer1
    int *ret;
    ret = (int *)(buffer1 + 12); // after that, ret points to saved EIP
    (*ret) += 8;                 // you modify saved EIP to jump the "x=1" statement
}

int main(void) {
    int x;
    x=0;
    function(1,2,3);
    x=1;
    printf("x= %d\n",x);
    return 0;
}

Geof
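The "buffer1 + 12" arithmetic above only works when gcc lays the frame out exactly as the 4-byte-rounding model assumes. The following program is an added example, not code from the thread: it computes the offset that model predicts for a given buffer size and, at run time, measures the real distance from a local buffer to the saved frame pointer with GCC/Clang's __builtin_frame_address(0). Function names are my own.

```c
#include <stdio.h>
#include <stdint.h>

/* Offset from the start of buffer1 to the saved return address as the
 * 4-byte-rounding model in the message predicts it: round the buffer up to
 * the next multiple of `align`, then skip one `wordsize` slot holding the
 * saved frame pointer (EBP on 32-bit x86). */
unsigned long model_ret_offset(unsigned long buflen, unsigned long align,
                               unsigned long wordsize)
{
    unsigned long rounded = (buflen + align - 1) / align * align;
    return rounded + wordsize;
}

/* Measure, in this build, how many bytes separate a local 5-byte buffer
 * from the saved frame pointer slot. __builtin_frame_address(0) (GCC and
 * Clang) yields the current frame pointer, which on x86 points at the saved
 * EBP/RBP; the result depends on compiler, flags and architecture, which is
 * why a hard-coded "+12" can miss. */
__attribute__((noinline)) long measured_distance_to_saved_fp(void)
{
    volatile char buffer1[5];
    buffer1[0] = 'A';                  /* keep the buffer from being optimised away */
    uintptr_t fp  = (uintptr_t)__builtin_frame_address(0);
    uintptr_t buf = (uintptr_t)&buffer1[0];
    return (long)(fp - buf);           /* positive: locals sit below the saved frame pointer */
}

int main(void)
{
    /* 12 is the figure the thread's code relies on; buffer1[8] gives the same model offset */
    printf("model for char buffer1[5]: +%lu\n", model_ret_offset(5, 4, 4));
    printf("model for char buffer1[8]: +%lu\n", model_ret_offset(8, 4, 4));
    printf("measured here: buffer1 -> saved frame pointer = %ld bytes\n",
           measured_distance_to_saved_fp());
    return 0;
}
```

On a current toolchain with -fstack-protector the measured value is usually larger than the model's 8, because gcc places a canary between the locals and the saved frame pointer; a write at +12 then corrupts the canary and aborts the process instead of reaching the return address.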

----- Original Message -----
From: "jmiller" <secadmin@subversive.cc>
Cc: <pen-test@securityfocus.com>
Sent: Wednesday, July 31, 2002 8:54 AM
Subject: Re: Buffer Overflow Help

> <snip>
>
> > > The following example should bypass the "x=1" statement and print the
> > > original value of "x" which is 0 (zero). Here's the code.
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=
> > > void function(int a, int b, int c) {
> > > char buffer1[5];
> > > char buffer2[10];
> > > int *ret;
> > >
> > > ret = buffer1 + 12;
> > > (*ret) += 8;
> > > }
>
> I am failing to see how this should bypass anything,
> it is all byval, not byref. This function is isolated from your prog.
> buffer1, buffer2, and ret are all disappearing when the function is
> done...
>
> I am also failing to see how the function would affect x at all.
>
> JMiller
>
>
> > >
> > > void main() {
> > > int x;
> > >
> > > x=0;
> > > function(1,2,3);
> > > x=1;
> > > printf("%d\n",x);
> > > }
> > > -=-=-=-=-=-=-=-=-=-=-=-=
> > >
> > > When I compile and execute this code it displays one and exits. I have
> > > tried this on RedHat 7.3 and Debian 2.2r6, both giving me the same result.
> > > Does anyone have any insight into why this wouldn't work? After looking
> > > into the assembly behind it, I think it has something to do with the "word
> > > size", but can't seem to find any information as to what the "word size"
> > > is in Debian or RedHat.
> > >
> > > Any and all comments/suggestions are more than welcome. Also if anyone
> > > knows of some other good text files/documents that talk about buffer
> > > overflows I would be happy to receive links.
> > >
> > > Leonard Leblanc
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/