Full Disclosure mailing list archives
Re: Exploiting buffer overflows via protected GCC
From: Jubei Trippataka <vpn.1.fanatic () gmail com>
Date: Tue, 17 Feb 2009 12:19:07 +1100
memset(buf, 'A', 528);Don't do that. This sort of "whoops" is exactly what the gcc SSP canary is designed to stop.
I could comment on this, but... I'll leave it.
I have googled my brains out for a solution, but all I have gathered isthatmy Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the return address it also overwrites the canary's value, and triggers a stopinthe program. I've disassembled it and anybody who can help me probably doesn't need me to explain much more, but I would like to know a way togetthis. There seems to be some people on this list who may know somethingonhow to exploit on *nix systems with this protection enabled.What you want to do is be more precise in your splatting. Instead of one memset, see if you can come up with a way to do *two* memsets, which leave your stack looking like: 'AAAAAAAAA' (above the canary) <4 unmolested bytes of canary> 'AAAAAAAAA' (below the canary) Of course, if you're trying to exploit already-existing code, you probably only have one memset/strcpy you can abuse, and the starting address of the destination is already nailed down, which means you need to fill in the 4 bytes of canary correctly. This means you need to find a way to obtain the value so you can use it. One hint - sometimes you're better off targeting the stack frame 2 or 3 function calls back, rather than the *current* frame.
You commenting on exploitation is kind of like asking a deaf person what their favorite song is. You obviously have no clue what you are talking about due to the fact you offered absolutely no insight in to the protection mechanism he was asking about, nor potential means of exploitation. Given this the real question remains, do you actually believe you have any clue about this stuff, or are you like Wallace and just want to post useless shit? -- ciao JT
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Exploiting buffer overflows via protected GCC Jason Starks (Feb 13)
- Re: Exploiting buffer overflows via protected GCC Valdis . Kletnieks (Feb 13)
- Re: Exploiting buffer overflows via protected GCC ArcSighter Elite (Feb 13)
- Re: Exploiting buffer overflows via protected GCC Jubei Trippataka (Feb 16)
- Re: Exploiting buffer overflows via protected GCC Valdis . Kletnieks (Feb 17)
- Message not available
- Re: Exploiting buffer overflows via protected GCC James Matthews (Feb 14)
- Re: Exploiting buffer overflows via protected GCC ArcSighter Elite (Feb 16)
- Re: Exploiting buffer overflows via protected GCC Marcus Meissner (Feb 16)
- Re: Exploiting buffer overflows via protected GCC James Matthews (Feb 14)
- Re: Exploiting buffer overflows via protected GCC Valdis . Kletnieks (Feb 13)