Is this exploitable?
From: Ingram (Vail_at_gmx.net)
Date: 05/22/03
- Previous message: Jon Erickson: "Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)"
- Next in thread: KF: "Re: Is this exploitable?"
- Reply: KF: "Re: Is this exploitable?"
- Reply: sin: "Re: Is this exploitable?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 May 2003 16:55:18 +0200 (MEST)
To: vuln-dev@securityfocus.com
hi folks,
I recently found a possibly vulnerable binary, which crashes with SIGSEGV (signal 11).
I think this binary (a tool written by a friend of mine) is exploitable, but
the overflow is not happening in the register I expect it in (or rather, the one I
know how to exploit ;)
See the gdb dump:
++++++++++++++++++++++++++++++++++++++++++++++++++++++
develop# gdb -core delimma.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `delimma'.
Program terminated with signal 11, Segmentation fault.
#0 0x280f166b in ?? ()
(gdb) i r
eax 0xbfbf33cc -1077988404
ecx 0x41414141 1094795585
edx 0xbfbf21dc -1077992996
ebx 0x280fc00c 672120844
esp 0xbfbf2158 0xbfbf2158
ebp 0xbfbf2180 0xbfbf2180
esi 0x280f7233 672100915
edi 0x2 2
eip 0x280f166b 0x280f166b
eflags 0x202 514
cs 0x1f 31
ss 0x2f 47
ds 0x2f 47
es 0x2f 47
fs 0x2f 47
gs 0x2f 47
(gdb) bt
#0 0x280f166b in ?? ()
#1 0x280d6664 in ?? ()
#2 0x280d6858 in ?? ()
#3 0x280d6d8c in ?? ()
#4 0x280d12d9 in ?? ()
#5 0x280d11d9 in ?? ()
#6 0x804a8c2 in ?? ()
#7 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb)
++++++++++++++++++++++++++++++++++++++++++++++++++++++
As you can see, the 0x41 bytes have overwritten 'ecx'.
My questions:
1) Is this exploitable?
2) What is ecx?
3) What's the difference between having 0x41 in eax, ebp, eip or ecx? Are they
all exploitable?
4) What kind of exploit (if possible) do I have to craft to exploit this
binary?
Many thanks in advance!
--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++ Please smile! Online photo gallery with GMX, no homepage of your own needed!
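The questions in the post come down to reading the dump: which values carry the input fill pattern, and whether that pattern sits in a data register (ecx), in the instruction pointer, or in a saved return address on the stack. As an added example that is not part of the original post, the following Python script parses the `info registers` and `bt` output quoted above (embedded here as constructed input) and reports which registers and frames hold a fill pattern such as 0x41414141. The three verdict categories and the helper names are this example's own heuristics, not gdb output; note also that the core was loaded with `gdb -core` alone, without the executable, which is why every frame shows `?? ()`, so the frame #7 value should be confirmed against the saved return address on the stack once the binary and libraries are loaded.

```python
"""Heuristic triage of a gdb crash dump: which registers and stack frames
carry an attacker-controlled fill pattern such as 0x41414141 ('AAAA')."""
import re

# Constructed sample: the register dump and backtrace quoted in the post above.
GDB_DUMP = """\
#0 0x280f166b in ?? ()
(gdb) i r
eax 0xbfbf33cc -1077988404
ecx 0x41414141 1094795585
edx 0xbfbf21dc -1077992996
ebx 0x280fc00c 672120844
esp 0xbfbf2158 0xbfbf2158
ebp 0xbfbf2180 0xbfbf2180
esi 0x280f7233 672100915
edi 0x2 2
eip 0x280f166b 0x280f166b
eflags 0x202 514
(gdb) bt
#0 0x280f166b in ?? ()
#1 0x280d6664 in ?? ()
#6 0x804a8c2 in ?? ()
#7 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
"""

# "name 0xhex ..." lines from `info registers`
REG_RE = re.compile(r"^([a-z]+)\s+(0x[0-9a-f]+)\s", re.M)
# "#N 0xhex in ..." lines from `bt`
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+)\s+in\b", re.M)
# gdb's complaint when unwinding runs into an unmapped address
FAULT_RE = re.compile(r"^Cannot access memory at address (0x[0-9a-f]+)", re.M)


def is_fill_pattern(value, width=4):
    """True when every byte of a 32-bit value is the same printable ASCII
    byte, e.g. 0x41414141 produced by a buffer of 'A's."""
    bs = (value & 0xFFFFFFFF).to_bytes(width, "little")
    return len(set(bs)) == 1 and 0x20 <= bs[0] < 0x7F


def parse_registers(dump):
    """Map register name -> integer value."""
    return {name: int(hexval, 16) for name, hexval in REG_RE.findall(dump)}


def parse_backtrace(dump):
    """List of (frame number, frame pc) pairs."""
    return [(int(n), int(addr, 16)) for n, addr in FRAME_RE.findall(dump)]


def triage(dump):
    """Classify the crash by where the fill pattern shows up (heuristic)."""
    regs = parse_registers(dump)
    frames = parse_backtrace(dump)
    tainted_regs = sorted(r for r, v in regs.items() if is_fill_pattern(v))
    tainted_frames = [n for n, a in frames if is_fill_pattern(a)]
    fault = FAULT_RE.search(dump)
    fault_addr = int(fault.group(1), 16) if fault else None

    if "eip" in tainted_regs:
        verdict = "instruction pointer holds the pattern: execution is controlled"
    elif tainted_frames:
        # A frame pc equal to the pattern means a saved return address on the
        # stack was overwritten; eip takes that value when the frame returns.
        verdict = ("saved return address in frame %d holds the pattern: "
                   "control of eip is likely once that frame returns"
                   % tainted_frames[0])
    elif tainted_regs:
        verdict = ("only data registers hold the pattern: inspect the faulting "
                   "instruction to see how the register is used")
    else:
        verdict = "no fill pattern found in registers or frames"

    return {
        "registers": regs,
        "tainted_registers": tainted_regs,
        "tainted_frames": tainted_frames,
        "fault_address": fault_addr,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(GDB_DUMP)
    print("tainted registers:", result["tainted_registers"])
    print("tainted frames:   ", result["tainted_frames"])
    print("verdict:          ", result["verdict"])
```

Run against the quoted dump, the script flags ecx and frame #7 and reports that a saved return address, not eip itself, carries the pattern; that distinction is exactly the one questions 2 and 3 ask about. The same parser works on any dump pasted from a 32-bit gdb session, so it can be dropped into a crash-bucketing step of a fuzzing pipeline.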