Re: Cannot access memory at address 0x90909090
From: DownBload (downbload_at_hotmail.com)
Date: 09/12/03
- Previous message: B-r00t: "4D WebSTAR FTP Buffer Overflow."
- Maybe in reply to: Ingram: "Cannot access memory at address 0x90909090"
- Next in thread: . npguy: "Re: Cannot access memory at address 0x90909090"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 12 Sep 2003 09:11:14 -0000 To: vuln-dev@securityfocus.com('binary' encoding is not supported, stored as-is) In-Reply-To: <24403.1063282768@www35.gmx.net>
hi,
EIP is pointed to 0x90909090 because of wrong calculation. EIP is probably overwriten with 0x90909090 instead of valid return address where NOP's are in memory.
Stack looks like this:
[buffer][ebp][eip]
- What you've done is this:
buffer EBP EIP
[NOPNOPNOPNOPNOPNOPNOP][NOP][NOP]
When EIP is pop-ed from stack, EIP will point to instruction at memory address 0x90909090 and segfault signal will be delivered, because you can't access to 0x90909090.
- What you should do is this:
buffer EBP EIP
[NOPNOPNOPNOPNOP<SHELLCODE>][xxx][RET]
A |
| |
---------------------------
When EIP is pop-ed from stack, EIP will point to NOP array, and after NOP's, shellcode is executed.
>
>hi folks,
>
>little buffer overflow question, if i have a prog
>that segfaults like this:
>
>------------------------------------------------
>>./trapd -M `perl -e 'print "A" x 136'`
>Segmentation fault (core dumped)
>
>> gdb ./trapd ./trapd.core
>GNU gdb 4.18 (FreeBSD)
>.
>.
>.
>Core was generated by `trapd'.
>Program terminated with signal 11, Segmentation fault.
>Reading symbols from /usr/local/lib/libsnmp.so.4...(no debugging symbols
>found)...done.
>Reading symbols from /usr/lib/libcrypto.so.3...(no debugging symbols
>found)...done.
>Reading symbols from /usr/lib/libkvm.so.2...(no debugging symbols
>found)...done.
>Reading symbols from /usr/lib/libz.so.2...(no debugging symbols
>found)...done.
>Reading symbols from /usr/lib/libm.so.2...(no debugging symbols
>found)...done.
>Reading symbols from /usr/lib/libdevstat.so.2...(no debugging symbols
>found)...done.
>Reading symbols from /usr/lib/libwrap.so.3...(no debugging symbols
>found)...done.
>Reading symbols from /usr/lib/libc.so.4...(no debugging symbols
>found)...done.
>Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols
>found)...done.
>#0 0x41414141 in ?? ()
>(gdb) i reg
>eax 0xffffffff -1
>ecx 0xe 14
>edx 0xffffffff -1
>ebx 0x280bcde8 671862248
>esp 0xbfbff8a8 0xbfbff8a8
>ebp 0x41414141 0x41414141
>esi 0x8056100 134570240
>edi 0x0 0
>eip 0x41414141 0x41414141
>eflags 0x246 582
>cs 0x1f 31
>ss 0x2f 47
>ds 0x2f 47
>es 0x2f 47
>fs 0x2f 47
>gs 0x2f 47
>(gdb)
>------------------------------------------------
>
>...and after that want to exploit it with a common
>stack smash exploit, why does it say:
>
>------------------------------------------------
>#0 0x6e692e2f in ?? ()
>(gdb) bt
>#0 0x6e692e2f in ?? ()
>#1 0x90909090 in ?? ()
>Cannot access memory at address 0x90909090.
>(gdb) f 1
>#1 0x90909090 in ?? ()
>(gdb) i reg
>eax 0xffffffff -1
>ecx 0xe 14
>edx 0xffffffff -1
>ebx 0x280bcde8 671862248
>esp 0xbfbfd3f8 0xbfbfd3f8
>ebp 0x90909090 0x90909090
>esi 0x8055100 134566144
>edi 0x0 0
>eip 0x90909090 0x90909090
>eflags 0x246 582
>cs 0x1f 31
>ss 0x2f 47
>ds 0x2f 47
>es 0x2f 47
>fs 0x2f 47
>gs 0x2f 47
>(gdb) x/10i $pc
>0x90909090: Cannot access memory at address 0x90909090.
>(gdb) x/10i $eax
>0xffffffff: Cannot access memory at address 0xffffffff.
>(gdb) x/10i $eip
>0x90909090: Cannot access memory at address 0x90909090.
>(gdb) x/10i $ebp
>0x90909090: Cannot access memory at address 0x90909090.
>(gdb) x/10i $edi
>0x0: Cannot access memory at address 0x0.
>(gdb) x/10i $ecx
>0xe: Cannot access memory at address 0xe.
>(gdb) x/10i $esp
>0xbfbfd3f8: fs
>0xbfbfd3f9: gs
>0xbfbfd3fa: js 0xbfbfd3fc
>0xbfbfd3fc: (bad)
>0xbfbfd3fd: aaa
>0xbfbfd3fe: or (%eax),%ebp
>0xbfbfd400: push %eax
>0xbfbfd401: aam $0xffffffbf
>0xbfbfd403: mov $0x2807a630,%edi
>0xbfbfd408: call 0xe0e7dfda
>
>------------------------------------------------
>
>...if i replace '\x41\x41\x41\x41' with a valid address in my NOP space?
>Shouldn't the prog run
>through the NOPS until it reaches and executes the shellcode? Why isn't that
>the case here?
>It seems to jump, but can't execute \x90...!? I have no kernel protection or
>gcc patch.
>
>
>thanks & kind regards
>Ingram
>
>--
>COMPUTERBILD 15/03: Premium-e-mail-Dienste im Test
>--------------------------------------------------
>1. GMX TopMail - Platz 1 und Testsieger!
>2. GMX ProMail - Platz 2 und Preis-Qualitätssieger!
>3. Arcor - 4. web.de - 5. T-Online - 6. freenet.de - 7. daybyday - 8. e-Post
>
>
------------------------------------
DownBload / Illegal Instruction Labs
Security Research & Education
http://www.ii-labs.org
e-mail:downbload[at]hotmail.com
- Previous message: B-r00t: "4D WebSTAR FTP Buffer Overflow."
- Maybe in reply to: Ingram: "Cannot access memory at address 0x90909090"
- Next in thread: . npguy: "Re: Cannot access memory at address 0x90909090"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
