Re: controlling ebp/eip of a frame, does it always lead to possible code execution?
From: deepcode . (pondermate_at_hotmail.com)
Date: 09/18/03
- Previous message: Ingram: "Re: controlling ebp/eip of a frame, does it always lead to possible code execution?"
- Maybe in reply to: Ingram: "controlling ebp/eip of a frame, does it always lead to possible code execution?"
- Next in thread: Steven Hill: "Re: controlling ebp/eip of a frame, does it always lead to possible code execution?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Vail@gmx.net, vuln-dev@securityfocus.com Date: Thu, 18 Sep 2003 13:38:50 -0300
By the looks of it, you are doing everything right. Your overwritten return
address points
directly to your nop's. The shellcode should be executed.
What OS are you on, you may have aditional stack protections on the system
to prevent
standard overflows, particularly redhat 9 (shrike), which i'm using now,
will prevent this: not
sure exactly how yet ...
If anyone has any info on shrikes new protection mechanism, feel free to
reply.
>From: Ingram <Vail@gmx.net>
>To: vuln-dev@securityfocus.com
>Subject: controlling ebp/eip of a frame, does it always lead to possible
>code execution?
>Date: Thu, 18 Sep 2003 16:49:26 +0200 (MEST)
>
>hello,
>
>again i have a little question about buffer overflows,
>that i could not figure out by myself.
>
>If i can control what is written to ebp and eip, i thought
>that this always would be enough to execute shellcode,
>...it seems not:
>
> >./exploit
>Segmentation fault (core dumped)
> >gdb ./myprog ./myprog.core
>
>.
>.
>.
>(gdb) bt
>#0 0x280e8cfa in vfprintf () from /usr/lib/libc.so.4
>#1 0x280da116 in sprintf () from /usr/lib/libc.so.4
>#2 0x8048eda in main ()
>#3 0x41414141 in ?? ()
>Cannot access memory at address 0x42424242.
>(gdb) f 3
>#3 0x41414141 in ?? ()
>(gdb) i reg
>eax 0x0 0
>ecx 0xffffffff -1
>edx 0x280e8c4c 672042060
>ebx 0x3 3
>esp 0xbfbfec48 0xbfbfec48
>ebp 0x42424242 0x42424242 <---- defined by me
>esi 0xbfbff7ac -1077938260
>edi 0xbfbff7bc -1077938244
>eip 0x41414141 0x41414141 <---- defined by me
>eflags 0x286 646
>cs 0x1f 31
>ss 0x2f 47
>ds 0x2f 47
>es 0x2f 47
>fs 0x2f 47
>gs 0x2f 47
>
>Now, i seek my nops:
>(gdb)x/2000x $esp
>.
>.
>.
>0xbfbff438: 0x90909090 0x90909090 0x90909090 0x90909090
>0xbfbff448: 0x90909090 0x90909090 0x90909090 0x90909090
>0xbfbff458: 0x90909090 0x90909090 0x90909090 0x90909090
>0xbfbff468: 0x90909090 0x90909090 0x90909090 0x90909090
>.
>.
>.
>
>and finally replace the 0x41414141 and 0x42424242 with
>a valid address (0xbfbff448) and execute the exploit again:
>
>./exploit_with_real_addr
>(gdb) bt
>#0 0x280e8cfa in vfprintf () from /usr/lib/libc.so.4
>#1 0x280da116 in sprintf () from /usr/lib/libc.so.4
>#2 0x8048eda in main ()
>#3 0xbfbff448 in ?? ()
>#4 0x90909090 in ?? () <---- a new frame ? Why ?
>Cannot access memory at address 0x90909090.
>(gdb) f 3
>#3 0xbfbff448 in ?? ()
>(gdb) i reg
>eax 0x0 0
>ecx 0xffffffff -1
>edx 0x280e8c4c 672042060
>ebx 0x3 3
>esp 0xbfbfec48 0xbfbfec48
>ebp 0xbfbff448 0xbfbff448 <--- it worked !?
>esi 0xbfbff7ac -1077938260
>edi 0xbfbff7bc -1077938244
>eip 0xbfbff448 0xbfbff448 <--- it worked !?
>eflags 0x286 646
>cs 0x1f 31
>ss 0x2f 47
>ds 0x2f 47
>es 0x2f 47
>fs 0x2f 47
>gs 0x2f 47
>(gdb) x 0xbfbff448
>0xbfbff448: 0x90909090 <--- still points to NOP
>(gdb) x/10i $eip
>0xbfbff448: nop
>0xbfbff449: nop
>0xbfbff44a: nop
>0xbfbff44b: nop
>0xbfbff44c: nop
>0xbfbff44d: nop
>0xbfbff44e: nop
>0xbfbff44f: nop
>0xbfbff450: nop
>0xbfbff451: nop
>(gdb) x/10i $ebp
>0xbfbff448: nop
>0xbfbff449: nop
>0xbfbff44a: nop
>0xbfbff44b: nop
>0xbfbff44c: nop
>0xbfbff44d: nop
>0xbfbff44e: nop
>0xbfbff44f: nop
>0xbfbff450: nop
>0xbfbff451: nop
>
>Hmmm, here i am lost. I thought, if i can control the flow, and replace
>eip/ebp with valid addresses, that point to my nop space, my shellcode
>should get executed... what is happening here!?
>
>Here some additional info:
>
>(gdb) bt
>#0 0x280e8cfa in vfprintf () from /usr/lib/libc.so.4
>#1 0x280da116 in sprintf () from /usr/lib/libc.so.4
>#2 0x8048eda in main ()
>#3 0xbfbff448 in ?? ()
>#4 0x90909090 in ?? ()
>Cannot access memory at address 0x90909090.
>(gdb) f 4
>#4 0x90909090 in ?? ()
>(gdb) i reg
>eax 0x90909090 -1869574000
>ecx 0x90909090 -1869574000
>edx 0x90909090 -1869574000
>ebx 0x90909090 -1869574000
>esp 0xbfbff434 0xbfbff434
>ebp 0x90909090 0x90909090
>esi 0x90909090 -1869574000
>edi 0x90909090 -1869574000
>eip 0x90909090 0x90909090
>eflags 0x90909090 -1869574000
>cs 0x90909090 -1869574000
>ss 0x90909090 -1869574000
>ds 0x90909090 -1869574000
>es 0x90909090 -1869574000
>fs 0x90909090 -1869574000
>gs 0x90909090 -1869574000
>(gdb) x/10i $esp
>0xbfbff434: nop
>0xbfbff435: nop
>0xbfbff436: nop
>0xbfbff437: nop
>0xbfbff438: nop
>0xbfbff439: nop
>0xbfbff43a: nop
>0xbfbff43b: nop
>0xbfbff43c: nop
>0xbfbff43d: nop
>(gdb) x 0xbfbff434
>0xbfbff434: nop
>
>i also tried to replace the suddenly existing eip/ebp of frame 4,
>but after doing that i just "open" another frame like this...
>
>kind regards & thanks in advantage
>Ingram
>
>
>
>
>
>
>
>
>
>
>
>
>
>--
>+++ GMX - die erste Adresse für Mail, Message, More! +++
>
>Getestet von Stiftung Warentest: GMX FreeMail (GUT), GMX ProMail (GUT)
>(Heft 9/03 - 23 e-mail-Tarife: 6 gut, 12 befriedigend, 5 ausreichend)
>
>Jetzt selbst kostenlos testen: http://www.gmx.net
>
_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail
- Previous message: Ingram: "Re: controlling ebp/eip of a frame, does it always lead to possible code execution?"
- Maybe in reply to: Ingram: "controlling ebp/eip of a frame, does it always lead to possible code execution?"
- Next in thread: Steven Hill: "Re: controlling ebp/eip of a frame, does it always lead to possible code execution?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
