Re: Is this exploitable?

From: KF (dotslash_at_snosoft.com)
Date: 05/23/03

  • Next message: sin: "Re: Is this exploitable?"
    Date: Fri, 23 May 2003 11:44:25 -0500
    To: Ingram <Vail@gmx.net>
    
    

    Try typing "frame 7" and then do "i r" and see if you get the desired
    overwritten registers. Note that frame 7 has the eip overwritten with
    0x41414141.

    #7 0x41414141 in ?? ()
    Cannot access memory at address 0x41414141.

    -KF

    Ingram wrote:

    >hi folks,
    >
    >I recently found a possible vuln binary, which crashes with SIGSEGV 11.
    >I think this binary (tool written by a friend of mine) is exploitable, but
    >the overflow is not happening in the register I expect it to (or better, I
    >know how to exploit ;)
    >
    >See the gdb dump:
    >++++++++++++++++++++++++++++++++++++++++++++++++++++++
    >develop# gdb -core delimma.core
    >GNU gdb 4.18 (FreeBSD)
    >Copyright 1998 Free Software Foundation, Inc.
    >GDB is free software, covered by the GNU General Public License, and you are
    >welcome to change it and/or distribute copies of it under certain
    >conditions.
    >Type "show copying" to see the conditions.
    >There is absolutely no warranty for GDB. Type "show warranty" for details.
    >This GDB was configured as "i386-unknown-freebsd".
    >Core was generated by `delimma'.
    >Program terminated with signal 11, Segmentation fault.
    >#0 0x280f166b in ?? ()
    >(gdb) i r
    >eax 0xbfbf33cc -1077988404
    >ecx 0x41414141 1094795585
    >edx 0xbfbf21dc -1077992996
    >ebx 0x280fc00c 672120844
    >esp 0xbfbf2158 0xbfbf2158
    >ebp 0xbfbf2180 0xbfbf2180
    >esi 0x280f7233 672100915
    >edi 0x2 2
    >eip 0x280f166b 0x280f166b
    >eflags 0x202 514
    >cs 0x1f 31
    >ss 0x2f 47
    >ds 0x2f 47
    >es 0x2f 47
    >fs 0x2f 47
    >gs 0x2f 47
    >(gdb) bt
    >#0 0x280f166b in ?? ()
    >#1 0x280d6664 in ?? ()
    >#2 0x280d6858 in ?? ()
    >#3 0x280d6d8c in ?? ()
    >#4 0x280d12d9 in ?? ()
    >#5 0x280d11d9 in ?? ()
    >#6 0x804a8c2 in ?? ()
    >#7 0x41414141 in ?? ()
    >Cannot access memory at address 0x41414141.
    >(gdb)
    >++++++++++++++++++++++++++++++++++++++++++++++++++++++
    >
    >As you can see, the 0x41 have overwritten 'ecx'.
    >
    >My questions:
    >
    >1) Is this exploitable?
    >2) What is ecx?
    >3) What's the diff between having 0x41 in eax, ebp, eip or ecx? Are they
    >all exploitable?
    >4) What kind of exploit (if possible) do I have to craft to exploit this
    >binary?
    >
    >many thanks in advance!
    >
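As an added example (not part of either message in the thread), a small triage script that applies KF's check to Ingram's dump: it scans the quoted `i r` and `bt` output for the 0x41414141 fill pattern and reports whether the pattern landed only in a data register (ecx) or also in a saved return address (frame #7), which is what decides whether the crash is a control-flow problem rather than a plain bad-pointer fault. The gdb text embedded below is constructed from the quoted message; the frame numbers and register values are the ones shown there.

```python
import re

# Constructed sample: the "i r" and "bt" output quoted in the thread (abridged).
GDB_OUTPUT = """\
(gdb) i r
eax 0xbfbf33cc -1077988404
ecx 0x41414141 1094795585
edx 0xbfbf21dc -1077992996
ebx 0x280fc00c 672120844
esp 0xbfbf2158 0xbfbf2158
ebp 0xbfbf2180 0xbfbf2180
esi 0x280f7233 672100915
edi 0x2 2
eip 0x280f166b 0x280f166b
(gdb) bt
#0 0x280f166b in ?? ()
#1 0x280d6664 in ?? ()
#6 0x804a8c2 in ?? ()
#7 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
"""

# One register line: "<name> 0x<hex> <decimal>"; one backtrace line: "#<n> 0x<hex> in ...".
REG_RE = re.compile(r"^(e[a-d]x|e[sd]i|e[sb]p|eip)\s+0x([0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-f]+)\s+in\s+", re.M)

def pattern_hits(text, pattern=0x41414141):
    """Return (registers, frame numbers) whose value equals the fill pattern."""
    regs = [r for r, v in REG_RE.findall(text) if int(v, 16) == pattern]
    frames = [int(n) for n, v in FRAME_RE.findall(text) if int(v, 16) == pattern]
    return regs, frames

def triage(text, pattern=0x41414141):
    """Classify the dump: is the pattern only in data, or in a saved return address?"""
    regs, frames = pattern_hits(text, pattern)
    verdict = {"pattern_in_registers": regs, "pattern_in_frames": frames}
    # A backtrace frame whose pc equals the pattern means a saved return address on
    # the stack was clobbered: the bug corrupts control flow, not just a pointer.
    verdict["saved_return_overwritten"] = bool(frames)
    # eip is still a real address and frame #0 has no symbols, so the fault happened
    # in a called function (here frame #7's callee chain) before the corrupted
    # frame's ret was ever executed; that is why only ecx shows the pattern.
    verdict["faulted_before_corrupted_return"] = bool(frames) and "eip" not in regs
    return verdict
```

Run on a fresh core, the `pattern_in_frames` list is the set of frames worth inspecting with `frame N` / `i r`, exactly the step KF suggests.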

