Re: Abo3 (can someone help me?)

From: Murat Balaban (murat_at_enderunix.org)
Date: 05/26/03

    Date: Mon, 26 May 2003 08:24:36 +0300
    To: Discussion Lists <discussions@lagraphico.com>


    Hi,

    First of all you should read this: http://www.enderunix.org/docs/eng/bof-eng.txt

    On Sat, May 24, 2003 at 09:11:20PM -0700, Discussion Lists wrote:
    > The issue here is that there is an exit(1) at the end of the code. So
    > even if you were to overwrite the return address, it would not matter
    > because there is no return (if I understand correctly).

    Yep. However, the return address is not the only memory area you might be interested
    in overflowing. Function pointers, at_exit addresses etc. might be quite useful
    to change the execution flow of the vulnerable program. In this example, you're
    expected to overflow a function pointer fn.

    > is that we have to stick our shellcode in an environment variable, then
    > overwrite the address of that variable into the address of the fn()
    > function. So they lay out the following code to do it (questions
    > in-line):
    >

    Place your shellcode in an environment variable, so that you know exactly
    where it is. You're not overwriting the env variable; you are overwriting buf
    and reaching fn.

    > strlen("/home/user/gera/abo3");
    > /* That is what I don't get. First, what is the 0xbffffffa address? Is
    > that where supposedly the
    > ending address of the code when everything is pushed onto the stack? I
    > believe strlen calculates the
    > length of a string? If that is the case, why do they need to calculate

    If I say you know the address of the env variable, meaning the address
    of our shellcode, you should've asked how? This part is the answer to
    that. Here you are calculating the address of the last environment variable.
    Again: read bof-eng.txt.

    - Murat
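    To make concrete why an over-long copy into buf reaches fn, and what stops it, here is an added example modelled on the abo3 layout; it is not code from this thread or from the exercise itself. The struct, its field sizes, the handler and the helper names are assumptions, and the constructed input is a plain run of 'A's.

```c
#include <stdio.h>
#include <string.h>
/* Layout modelled on the abo3 exercise: a fixed buffer with the function
 * pointer fn right after it (sizes and names are assumptions). One struct
 * keeps the byte copy well-defined for the demonstration. */
struct frame {
    char buf[64];
    void (*fn)(const char *);
};

static void handler(const char *s) { printf("handler: %s\n", s); }

/* The bug: only the frame size limits the copy (just to keep the demo
 * defined), so input longer than buf runs straight on into fn. */
size_t copy_unchecked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
    return len;
}

/* The fix: bounded by buf itself; over-long input is rejected outright
 * rather than silently truncated. Returns 0 when rejected. */
size_t copy_bounded(struct frame *f, const unsigned char *in, size_t len)
{
    if (len >= sizeof f->buf) return 0;   /* room for the terminator */
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return len;
}

/* 1 if fn still points where it was initialised, 0 if it was clobbered. */
int fn_intact(const struct frame *f) { return f->fn == handler; }

/* Feed each copy a constructed run of 'A's long enough to cover fn. */
int demo(int use_bounded)
{
    struct frame f;
    unsigned char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);
    f.fn = handler;
    if (use_bounded) copy_bounded(&f, input, sizeof input);
    else             copy_unchecked(&f, input, sizeof input);
    return fn_intact(&f);
}

int main(void)
{
    printf("unchecked: fn intact = %d\n", demo(0));   /* 0 */
    printf("bounded:   fn intact = %d\n", demo(1));   /* 1 */
    return 0;
}
```

    The same adjacency argument applies to any writable pointer that sits past a buffer (atexit handlers included), which is why bounding the copy by the buffer, not by whatever happens to follow it, is the check that matters.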

