Vulnerability Development mailing list archives
Re: Off by one on RedHat Linux
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Fri, 29 Aug 2003 09:29:22 +0200 (CEST)
On 28 Aug 2003 lavmarco () freemail it wrote:
> Hi all, I'm looking for a frame pointer overwrite vulnerability on my
> Linux boxes. I used the sample code in "Frame Pointer Overwrite" by klog
> in Phrack 55 and everything worked on my Linux Slackware box (8.1). Now
> when I test this on my Red Hat Linux boxes (i386 platform) (7.1, 7.2,
> 8.0 and 9.0) the LSB of EBP is not overwritten. Why?
It's gcc-3.x.x's fault. Newer versions of gcc introduce additional padding
between local vars and fp/ret.

$ gcc --version
2.95.4
$ gcc fp1.c -o fp1 -g
$ gdb fp1 -q
(gdb) set arg `perl -e 'print "ABCD"x64'`A
(gdb) r
[...]
Program received signal SIGSEGV, Segmentation fault.
0x41444342 in ?? ()
(gdb) disass func
[...]
0x8048433 <func+3>:     sub    $0x114,%esp
                                   ^^^^^^

$ gcc --version
gcc (GCC) 3.2.2
Copyright (C) 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ gcc fp1.c -o fp1 -g
(gdb) r
[...]
Program exited with code 042.
(gdb) disass func
[...]
0x804835f <func+3>:     sub    $0x118,%esp
                                   ^^^^^^

Cheers,

:raptor

--
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
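The reply above diagnoses the failure from the prologue's frame size (0x114 vs 0x118), which only shows that four extra bytes appeared somewhere in the frame. The check a practitioner actually wants is whether the one byte written past the buffer lands on the saved frame pointer or on padding. The program below is an added example, not code from this thread, from fp1.c or from klog's Phrack article: it measures that gap at run time with the gcc/clang builtin __builtin_frame_address(0) (which forces a frame pointer for the function), and shows what value the saved frame pointer takes once its least significant byte is overwritten. The 256-byte buffer size and the sample address 0xbffff8a0 are my own choices for illustration; the thread never shows fp1.c itself.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the thread or from klog's Phrack 55 article.
 * BUF_SIZE is an arbitrary choice; the thread only shows the prologue's
 * "sub $0x114,%esp" / "sub $0x118,%esp", not the buffer declaration. */
#define BUF_SIZE 256

/* Bytes of padding between the end of a BUF_SIZE local buffer and the slot
 * holding the caller's saved frame pointer, measured at run time.
 *
 *   0  : the layout klog's technique needs. Writing buf[BUF_SIZE] hits the
 *        LSB of the saved EBP/RBP.
 *   >0 : that byte lands in padding instead (gcc 3.x padding, a
 *        stack-protector canary, alignment). This is what the original
 *        poster saw on Red Hat.
 *   <0 : the saved frame pointer lies below the buffer (e.g. gcc on AArch64
 *        keeps the frame record at the bottom of the frame), so a one-byte
 *        overflow can never reach it.
 *
 * __builtin_frame_address(0) makes gcc/clang keep a frame pointer here, and
 * on x86 it evaluates to the address of the saved frame pointer slot. */
__attribute__((noinline)) long frame_pointer_gap(void)
{
    volatile char buf[BUF_SIZE];          /* volatile: keep it on the stack */
    buf[0] = 'A';
    uintptr_t saved_fp_slot = (uintptr_t)__builtin_frame_address(0);
    uintptr_t one_past_end  = (uintptr_t)&buf[BUF_SIZE - 1] + 1;
    return (long)(saved_fp_slot - one_past_end);
}

/* Value the saved frame pointer takes after its least significant byte is
 * overwritten with `lsb` (little-endian, as on i386/x86-64). On function
 * return the caller's frame is moved to that address, up to 255 bytes lower
 * than it was, which is how the off-by-one turns into control of the
 * caller's locals and, one return later, of EIP. */
uintptr_t overwritten_frame_pointer(uintptr_t saved_fp, unsigned char lsb)
{
    return (saved_fp & ~(uintptr_t)0xFF) | lsb;
}

int main(void)
{
    long gap = frame_pointer_gap();
    printf("padding between buf[%d] and the saved frame pointer: %ld byte(s)\n",
           BUF_SIZE, gap);
    if (gap == 0)
        puts("an off-by-one write reaches the LSB of the saved frame pointer");
    else
        puts("an off-by-one write lands in padding; klog's layout assumption fails");

    /* Constructed sample value, typical of a 2003-era i386 stack address. */
    uintptr_t fp = 0xbffff8a0u;
    printf("saved fp 0x%lx with LSB zeroed -> 0x%lx\n",
           (unsigned long)fp,
           (unsigned long)overwritten_frame_pointer(fp, 0x00));
    return 0;
}
```

Build it with the same compiler and flags as the target binary (for the thread's case, gcc 2.95 versus gcc 3.2 with -g and no optimization), since the gap is a property of that compiler's frame layout, not of the source. On current toolchains expect a non-zero gap even without gcc 3.x padding: -fstack-protector places a canary between the buffer and the saved frame pointer.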
Current thread:
- Off by one on RedHat Linux lavmarco (Aug 28)
- Re: Off by one on RedHat Linux Jose Ronnick (Aug 28)
- Re: Off by one on RedHat Linux Marco Ivaldi (Aug 29)
- Re: Off by one on RedHat Linux Steven Hill (Aug 30)