Re: solaris gdb screen mayhem

[corecode <corecode () corecode ath cx>]

At 09:51 PM 8/29/2001, Antonomasia wrote:

> I've been attempting a white-hat "exploit" to run some demo code
> on the stack on Solaris.  The aim is to show whether the non-executable
> stack is in force (and the /etc/system file may not be a reliable guide
> to this if modified since last boot or something).
>
> So ideally I'd take a Solaris/sparc shellcode and modify "sh" to "id"
> and plant this in a program that deliberately overflows itself.  And this
> will be run on various machines periodically.

nice idea... so you want to check if your boxes are still in 
non-executable-stack state?
but you should write the "shellcode" on your own to fit your purposes. you 
don't need a shellcode.


> My problems arise when:
>
>    Having got "execution" of the illegal string "AAAAAAAA" I replace
>    it with downloaded shellcode and this disturbs the exploit so it
>    needs some adjustment.  I get a core dump from either SEGV or BUS
>    and in trying to find the program state with gdb it throws garbage
>    over the screen and is not recovered by "stty sane" or "reset".
>    I suppose I could wrap gdb in perl and allow only filtered chars to
>    my terminal.  What do other people do about this ?
>
>    Execution on a non-executable stack gets a SEGV.   Is there a way
>    the program can distinguish this from any other SEGV ?

why don't you try this one: it would be enough to call exit(1) in the 
"shellcode". so if the code on the stack gets executed, the program will 
return 1 (== shell false). install a signal(SIGSEGV) and signal(SIGBUS) 
handler that will exit(0);

good idea?

cheerz
  corecode

--
http://www.eikon.tum.de/~simons/security/