Full Disclosure mailing list archives
Re: Exploiting buffer overflows via protected GCC
From: ArcSighter Elite <arcsighter () gmail com>
Date: Fri, 13 Feb 2009 13:13:25 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Valdis.Kletnieks () vt edu wrote:
On Fri, 13 Feb 2009 11:50:11 EST, Jason Starks said:memset(buf, 'A', 528);Don't do that. This sort of "whoops" is exactly what the gcc SSP canary is designed to stop.I have googled my brains out for a solution, but all I have gathered is that my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the return address it also overwrites the canary's value, and triggers a stop in the program. I've disassembled it and anybody who can help me probably doesn't need me to explain much more, but I would like to know a way to get this. There seems to be some people on this list who may know something on how to exploit on *nix systems with this protection enabled.What you want to do is be more precise in your splatting. Instead of one memset, see if you can come up with a way to do *two* memsets, which leave your stack looking like: 'AAAAAAAAA' (above the canary) <4 unmolested bytes of canary> 'AAAAAAAAA' (below the canary) Of course, if you're trying to exploit already-existing code, you probably only have one memset/strcpy you can abuse, and the starting address of the destination is already nailed down, which means you need to fill in the 4 bytes of canary correctly. This means you need to find a way to obtain the value so you can use it. One hint - sometimes you're better off targeting the stack frame 2 or 3 function calls back, rather than the *current* frame. ------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
He was actually seeking for ways to bypass stack protection in gcc environments. There may be references at the web, reducing the entropy for prediction, brute-forcing or abusing signal handlers, could be a good starting point. I have little experience with gcc, ask Matt Miller. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFJlbfFH+KgkfcIQ8cRAtR8AKCFeamGDKgIzqjZJZLRc+WaNMdhlQCg1fc3 z3u4YNF0Hkkv+4EydOkX1oo= =Gz91 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Exploiting buffer overflows via protected GCC Jason Starks (Feb 13)
- Re: Exploiting buffer overflows via protected GCC Valdis . Kletnieks (Feb 13)
- Re: Exploiting buffer overflows via protected GCC ArcSighter Elite (Feb 13)
- Re: Exploiting buffer overflows via protected GCC Jubei Trippataka (Feb 16)
- Re: Exploiting buffer overflows via protected GCC Valdis . Kletnieks (Feb 17)
- Message not available
- Re: Exploiting buffer overflows via protected GCC James Matthews (Feb 14)
- Re: Exploiting buffer overflows via protected GCC ArcSighter Elite (Feb 16)
- Re: Exploiting buffer overflows via protected GCC Marcus Meissner (Feb 16)
- Re: Exploiting buffer overflows via protected GCC James Matthews (Feb 14)
- Re: Exploiting buffer overflows via protected GCC Valdis . Kletnieks (Feb 13)