RE: stack overflow help ..



$ gdb ./v1
GNU gdb Red Hat Linux (6.1post-1.20040607.43.0.1rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General
Public License, and you are
welcome to change it and/or distribute copies of it
under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show
warranty" for details.
This GDB was configured as
"i386-redhat-linux-gnu"...(no debugging symbols
found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".

(gdb) run `perl -e 'print "A"x1039'`
Starting program:
/home/gaurav/test/challenges/challenges/buf/v1 `perl
-e 'print "A"x1039'`
Reading symbols from shared object read from target
memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xbc7000
(no debugging symbols found)...(no debugging symbols
found)...
Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) info reg
ebp 0x41414141 0x41414141
eip 0x414141 0x414141
(gdb) info frame
Stack level 0, frame at 0xbffff354:
eip = 0x414141; saved eip 0x2
called by frame at 0xbffff358
Arglist at 0xbffff34c, args:
Locals at 0xbffff34c, Previous frame's sp is
0xbffff354
Saved registers:
eip at 0xbffff350
(gdb) run `perl -e 'print "A"x1040'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target
memory": File in wrong format

Starting program:
/home/gaurav/test/challenges/challenges/buf/v1 `perl
-e 'print "A"x1040'`
Reading symbols from shared object read from target
memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xb43000
(no debugging symbols found)...(no debugging symbols
found)...
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) info reg
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
gs 0x33 51
(gdb) info frame
Stack level 0, frame at 0x41414149:
eip = 0x80483a2 in main; saved eip Cannot access
memory at address 0x41414145
(gdb) run `perl -e 'print "A"x1041'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target
memory": File in wrong format

Starting program:
/home/gaurav/test/challenges/challenges/buf/v1 `perl
-e 'print "A"x1041'`
Reading symbols from shared object read from target
memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x28d000
(no debugging symbols found)...(no debugging symbols
found)...
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) info frame
Stack level 0, frame at 0x41414149:
eip = 0x80483a2 in main; saved eip Cannot access
memory at address 0x41414145
(gdb) info reg
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
(gdb)


--- "Krpata, Tyler" <tkrpata@xxxxxxx> wrote:

Do an "info frame" in gdb. Remember that you are trying, actually, to
overwrite the *saved* EIP value.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of gaurav saha
Sent: Thursday, January 25, 2007 6:27 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: stack overflow help ..

Hi,
I am new to this stack overflow issue.

I am using fc3 (kernel 2.6.12-1.1381)

I have modified these few sysctl keys to these
values.

kernel.overflowgid = 0
kernel.overflowuid = 0
fs.overflowgid = 0
fs.overflowuid = 0
kernel.randomize_va_space = 0


I am still unable to overwrite EIP.

========= vuln1.c ===========
#include <string.h>   /* strcpy */

int main(int argc, char **argv)
{
    char buf[1024];
    /* unbounded copy of argv[1] into a 1024-byte stack buffer:
       this is the overflow under test, kept exactly as posted */
    strcpy(buf, argv[1]);
    return 0;
}
====== end of vuln1.c =======

$gcc -ggdb vuln1.c -o v1
$gdb ./v1
.
.
.
.
(gdb) run `perl -e 'print "A"x1024'`
Starting program:
/home/gaurav/test/challenges/challenges/buf/v1
`perl
-e 'print "A"x1024'`
Reading symbols from shared object read from
target
memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xb5c000
(no debugging symbols found)...(no debugging
symbols
found)...
Program exited with code 0120.
(gdb) run `perl -e 'print "A"x1028'`
warning: cannot close "shared object read from
target
memory": File in wrong format
Starting program:
/home/gaurav/test/challenges/challenges/buf/v1
`perl
-e 'print "A"x1028'`
Reading symbols from shared object read from
target
memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x247000
(no debugging symbols found)...(no debugging
symbols
found)...
Program exited with code 0100.
(gdb) run `perl -e 'print "A"x1036'`
warning: cannot close "shared object read from
target
memory": File in wrong format
Starting program:
/home/gaurav/test/challenges/challenges/buf/v1
`perl
-e 'print "A"x1036'`
Reading symbols from shared object read from
target
memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x807000
(no debugging symbols found)...(no debugging
symbols
found)...
Program received signal SIGSEGV, Segmentation
fault.
0x00ac8e0d in __libc_start_main () from
/lib/tls/libc.so.6
(gdb) info reg
.
.
ebx 0xbdaff4 12431348
esp 0xbffff350 0xbffff350
ebp 0x41414141 0x41414141
esi 0xbffff3d4 -1073744940
edi 0xbffff360 -1073745056
eip 0xac8e0d 0xac8e0d
eflags 0x210286 2163334
.
.
(gdb) run `perl -e 'print "A"x1040'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
(gdb) run `perl -e 'print "A"x1044'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
(gdb) run `perl -e 'print "A"x1048'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
(gdb) run `perl -e 'print "A"x1052'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
(gdb) run `perl -e 'print "A"x1056'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2

and this keeps continuing ... no matter how much I
increase it ...
and I can't figure out what the problem is ...

thanks and adieu
----gaurav
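An added illustration (not the poster's code and not part of the thread) of what the 1036- and 1039-byte runs above are showing: strcpy writes the argument plus a terminating NUL, so the terminator lands at buf[n] and the saved return address is only fully overwritten once the argument extends past it. The frame offset is taken from the thread's own 1039-byte run (eip = 0x00414141); the original return-address value is a constructed placeholder, and the checked copy is a hardened replacement for the strcpy in vuln1.c rather than anything from the thread.

```c
#include <stdint.h>
#include <string.h>

/* Frame geometry taken from the thread's own gdb run: 1039 bytes of 'A'
 * left eip = 0x00414141, so the saved EIP slot starts 1036 bytes past buf
 * (1024 bytes of buf, then padding and the saved EBP). */
#define BUF_SIZE   1024
#define EIP_OFFSET 1036
#define FRAME_SIZE (EIP_OFFSET + 4)

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Model strcpy(buf, argv[1]) for an argument of n 'A' bytes and return the
 * value left in the saved-EIP slot. strcpy writes n bytes plus one NUL, so
 * the terminator lands at buf[n]; that NUL is the 0x00 high byte in the
 * thread's 1039-byte run. orig_eip is a constructed placeholder value. */
uint32_t saved_eip_after_strcpy(size_t n, uint32_t orig_eip) {
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    for (int i = 0; i < 4; i++)                 /* little-endian store */
        frame[EIP_OFFSET + i] = (uint8_t)(orig_eip >> (8 * i));
    for (size_t i = 0; i < n && i < FRAME_SIZE; i++)
        frame[i] = 'A';
    if (n < FRAME_SIZE)
        frame[n] = '\0';                        /* strcpy's terminator */
    return load_le32(frame + EIP_OFFSET);
}

/* Hardened form of the copy in vuln1.c: copy only when src and its NUL fit
 * in dst, otherwise return -1 and leave dst untouched. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src) {
    const char *end = memchr(src, '\0', dstsz);  /* NUL within dstsz? */
    if (end == NULL) return -1;                  /* too long for dst */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Run copy_arg_checked with an n-byte 'A' argument against a 1024-byte
 * buffer, as vuln1.c's main would; returns the copy's result. */
int checked_copy_demo(size_t n) {
    char arg[2048], buf[BUF_SIZE];
    if (n >= sizeof arg) return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return copy_arg_checked(buf, sizeof buf, arg);
}
```

With this model, 1024 to 1035 bytes leave the return address intact, 1036 to 1039 bytes clobber it only partially (the NUL supplies the last byte written), and 1040 or more overwrite all four bytes; the checked copy rejects every argument of 1024 bytes or longer.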




