Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: controlling ebp/eip of a frame, does it always lead to possible code execution?

From: "deepcode ." <pondermate () hotmail com>
Date: Thu, 18 Sep 2003 13:38:50 -0300
By the looks of it, you are doing everything right. Your overwritten return address points 
directly to your nop's. The shellcode should be executed.
What OS are you on, you may have aditional stack protections on the system to prevent standard overflows, particularly redhat 9 (shrike), which i'm using now, will prevent this: not 
sure exactly how yet ...
If anyone has any info on shrikes new protection mechanism, feel free to reply. 




From: Ingram <Vail () gmx net>
To: vuln-dev () securityfocus com
Subject: controlling ebp/eip of a frame, does it always lead to possible code execution? 
Date: Thu, 18 Sep 2003 16:49:26 +0200 (MEST)

hello,

again i have a little question about buffer overflows,
that i could not figure out by myself.

If i can control what is written to ebp and eip, i thought
that this always would be enough to execute shellcode,
...it seems not:

>./exploit
Segmentation fault (core dumped)
>gdb ./myprog ./myprog.core

.
.
.
(gdb) bt
#0  0x280e8cfa in vfprintf () from /usr/lib/libc.so.4
#1  0x280da116 in sprintf () from /usr/lib/libc.so.4
#2  0x8048eda in main ()
#3  0x41414141 in ?? ()
Cannot access memory at address 0x42424242.
(gdb) f 3
#3  0x41414141 in ?? ()
(gdb) i reg
eax            0x0      0
ecx            0xffffffff       -1
edx            0x280e8c4c       672042060
ebx            0x3      3
esp            0xbfbfec48       0xbfbfec48
ebp            0x42424242       0x42424242  <---- defined by me
esi            0xbfbff7ac       -1077938260
edi            0xbfbff7bc       -1077938244
eip            0x41414141       0x41414141  <---- defined by me
eflags         0x286    646
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47

Now, i seek my nops:
(gdb)x/2000x $esp
.
.
.
0xbfbff438:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfbff448:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfbff458:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfbff468:     0x90909090      0x90909090      0x90909090      0x90909090
.
.
.

and finally replace the 0x41414141 and 0x42424242 with
a valid address (0xbfbff448) and execute the exploit again:

./exploit_with_real_addr
(gdb) bt
#0  0x280e8cfa in vfprintf () from /usr/lib/libc.so.4
#1  0x280da116 in sprintf () from /usr/lib/libc.so.4
#2  0x8048eda in main ()
#3  0xbfbff448 in ?? ()
#4  0x90909090 in ?? ()  <---- a new frame ? Why ?
Cannot access memory at address 0x90909090.
(gdb) f 3
#3  0xbfbff448 in ?? ()
(gdb) i reg
eax            0x0      0
ecx            0xffffffff       -1
edx            0x280e8c4c       672042060
ebx            0x3      3
esp            0xbfbfec48       0xbfbfec48
ebp            0xbfbff448       0xbfbff448 <--- it worked !?
esi            0xbfbff7ac       -1077938260
edi            0xbfbff7bc       -1077938244
eip            0xbfbff448       0xbfbff448 <--- it worked !?
eflags         0x286    646
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
(gdb) x 0xbfbff448
0xbfbff448:     0x90909090  <--- still points to NOP
(gdb) x/10i $eip
0xbfbff448:     nop
0xbfbff449:     nop
0xbfbff44a:     nop
0xbfbff44b:     nop
0xbfbff44c:     nop
0xbfbff44d:     nop
0xbfbff44e:     nop
0xbfbff44f:     nop
0xbfbff450:     nop
0xbfbff451:     nop
(gdb) x/10i $ebp
0xbfbff448:     nop
0xbfbff449:     nop
0xbfbff44a:     nop
0xbfbff44b:     nop
0xbfbff44c:     nop
0xbfbff44d:     nop
0xbfbff44e:     nop
0xbfbff44f:     nop
0xbfbff450:     nop
0xbfbff451:     nop

Hmmm, here i am lost. I thought, if i can control the flow, and replace
eip/ebp with valid addresses, that point to my nop space, my shellcode
should get executed... what is happening here!?

Here some additional info:

(gdb) bt
#0  0x280e8cfa in vfprintf () from /usr/lib/libc.so.4
#1  0x280da116 in sprintf () from /usr/lib/libc.so.4
#2  0x8048eda in main ()
#3  0xbfbff448 in ?? ()
#4  0x90909090 in ?? ()
Cannot access memory at address 0x90909090.
(gdb) f 4
#4  0x90909090 in ?? ()
(gdb) i reg
eax            0x90909090       -1869574000
ecx            0x90909090       -1869574000
edx            0x90909090       -1869574000
ebx            0x90909090       -1869574000
esp            0xbfbff434       0xbfbff434
ebp            0x90909090       0x90909090
esi            0x90909090       -1869574000
edi            0x90909090       -1869574000
eip            0x90909090       0x90909090
eflags         0x90909090       -1869574000
cs             0x90909090       -1869574000
ss             0x90909090       -1869574000
ds             0x90909090       -1869574000
es             0x90909090       -1869574000
fs             0x90909090       -1869574000
gs             0x90909090       -1869574000
(gdb) x/10i $esp
0xbfbff434:     nop
0xbfbff435:     nop
0xbfbff436:     nop
0xbfbff437:     nop
0xbfbff438:     nop
0xbfbff439:     nop
0xbfbff43a:     nop
0xbfbff43b:     nop
0xbfbff43c:     nop
0xbfbff43d:     nop
(gdb) x 0xbfbff434
0xbfbff434:     nop

i also tried to replace the suddenly existing eip/ebp of frame 4,
but after doing that i just "open" another frame like this...

kind regards & thanks in advantage
Ingram













--
+++ GMX - die erste Adresse für Mail, Message, More! +++

Getestet von Stiftung Warentest: GMX FreeMail (GUT), GMX ProMail (GUT)
(Heft 9/03 - 23 e-mail-Tarife: 6 gut, 12 befriedigend, 5 ausreichend)

Jetzt selbst kostenlos testen: http://www.gmx.net



_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
Previous By Date Next
Previous By Thread Next

Current thread: