Buffer overflows, return address and offset

From: Peter Bondra (kandm@cybermesa.com)
Date: 03/05/03

  • Next message: b0f www.b0f.net: "Re: gtali Segmentation fault"
    Date: 5 Mar 2003 14:58:47 -0000
    From: Peter Bondra <kandm@cybermesa.com>
    To: vuln-dev@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    I am testing the xlock vulnerability on a Sun Solaris 8(SPARC). In the
    process, I realized that I need help to determine the return addresses and
    offset. The code I scarfed off of the web worked as advertised on Solaris
    7(SPARC), but when I compiled/tested it on Solaris 8(SPARC), it
    segfaults. ALso, I do not get a core file...well I may have at one time
    or another.

    The exploit code is at: http://www.securiteam.com/exploits/5GP0D1F55W.html

    For testing purposes, we have stack execution enabled even though I
    believe the exploit is a heap-based buffer overflow.

    My question is: what steps should/could I take to determine the return
    address and other address-related variables, i.e, offsets, etc? More
    specifically, what gdb commands will help and how do I interpret the gdb
    output? Is "truss" useful to get the desired information and how do you
    use it? Finally, are there other tools that are useful? My fellow
    emloyees are suggesting that I use a loop and guess at the values until I
    get the desired result...

    Thank you

  • Next message: b0f www.b0f.net: "Re: gtali Segmentation fault"