Vulnerability Development mailing list archives

Re: exploit coding


From: Sebastian <scut () nb in-berlin de>
Date: Mon, 18 Jun 2001 19:10:37 +0200


Hi.


On Sun, Jun 17, 2001 at 09:34:13PM +0200, roland kwitt wrote:

> The variable is now no longer in first place. In my last exploit I used
> the function sp() to get the stack pointer and wanted the user to enter
> the offset. Now I calculated the return address by subtracting the offset
> from the stack pointer. Generally the value 0 was ok for the offset and my
> exploit worked as I wanted it.
>
> Can anybody tell me how I can guess the offset and how to calculate the
> return address if the variable is not the first one in the program?
 
Well, generally there is no completely safe way to do this. My first
recommendation is to drop the "movl %esp, %eax; ret" approach completely and
use fixed offsets instead. There are some exceptions (old sparcs for
example), where it is necessary to get an approximate stack address, but in
this case it's not.

The most important factor in your case seems to be the size of the
environment, which happens to be located near the stack top, above the first
function frame. Either get rid of it completely (execve with NULL
environment or an empty environment), or stick your shellcode there. If you
use large nop gaps before, as shown in aleph1's classic stack smash paper,
you will have success with it in most cases.

If you cannot modify the environment or the setuid program
modifies/complains-about it, you should go for the fixed-base-offset and
addend approach.

I see no reason why an esp-getting approach should be superior to a hardcoded
offset on the x86 with fixed stackbase.

Btw, how big is the buffer you overflow?


> thanks, sniper
> sniper () f1lesystem net

ciao,
-scut

-- 
-. scut () nb in-berlin de -. + http://segfault.net/~scut/ `--------------------.
-' segfault.net/~scut/pgp `' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
`- AFIWC control and information seized. awaiting orders. hi echelon --------'
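To make scut's point about the environment concrete, here is an added demonstration (not code from either poster): the program re-executes itself with the same argv width and a 4096-byte larger environment and reports how far a stack local moved, and, between two runs with identical environments, whether the stack base is randomized at all. PAD_BYTES, env_bytes, stack_drift, probe and reexec are names chosen for this example; it assumes a Linux/Unix system with execve.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAD_BYTES 4096   /* extra environment bytes added in the last stage */

/* Bytes the environment strings occupy near the stack top (each plus its NUL). */
size_t env_bytes(char *const *envp) {
    size_t n = 0;
    for (; envp && *envp; envp++) n += strlen(*envp) + 1;
    return n;
}

/* Signed distance between two stack addresses; positive means b is lower. */
long stack_drift(unsigned long a, unsigned long b) { return (long)(a - b); }

/* Address of a local in this frame, used to see how far the frame moved. */
static unsigned long probe(void) {
    volatile char local[64];
    local[0] = 0;
    return (unsigned long)(uintptr_t)local;
}

/* Re-exec ourselves at the next stage with fixed-width argv, so only envp changes. */
static void reexec(char *self, int stage, unsigned long prev, char **envp) {
    char s[2], p[17];
    snprintf(s, sizeof s, "%d", stage);
    snprintf(p, sizeof p, "%016lx", prev);
    char *nargv[] = { self, s, p, NULL };
    execve(self, nargv, envp);
    perror("execve"); exit(1);
}

int main(int argc, char **argv, char **envp) {
    int stage = argc > 2 ? atoi(argv[1]) : 0;
    unsigned long prev = argc > 2 ? strtoul(argv[2], NULL, 16) : 0;
    unsigned long here = probe();
    if (stage == 0) reexec(argv[0], 1, here, envp);   /* argv width differs: skip measuring */
    /* Stage 1 -> 2 keeps envp identical: non-zero drift means the stack base is randomized. */
    /* Stage 2 -> 3 adds PAD: with a fixed base the drift is about PAD_BYTES plus its "PAD=" header. */
    printf("stage %d: env=%5zu bytes, local at %#lx, drift from previous %ld\n",
           stage, env_bytes(envp), here, stage > 1 ? stack_drift(prev, here) : 0L);
    if (stage == 1) reexec(argv[0], 2, here, envp);
    if (stage == 2) {
        size_t n = 0; while (envp[n]) n++;
        char **nenv = malloc((n + 2) * sizeof *nenv);
        char *pad = malloc(PAD_BYTES + 5);
        memcpy(pad, "PAD=", 4); memset(pad + 4, 'A', PAD_BYTES); pad[PAD_BYTES + 4] = 0;
        memcpy(nenv, envp, n * sizeof *nenv); nenv[n] = pad; nenv[n + 1] = NULL;
        reexec(argv[0], 3, here, nenv);
    }
    return 0;
}
```

On a system with stack randomization the stage 1 to 2 drift is already non-zero, which is exactly the assumption behind the fixed-offset advice above breaking down.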

