Full Disclosure mailing list archives

Executing Code on Linux/x86 with ASLR+GCC4 Protections


From: Lucus Rife <lucus.rife () googlemail com>
Date: Tue, 22 Sep 2009 20:28:16 -0400

Debian/Ubuntu latest with updates...

(gdb) shell cat bof.c
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{

if(argc < 2) return 0;

char buf[128];
strcpy(buf, argv[1]);

return 0;
}

(gdb) r `perl -e 'print "BABA" x 74'`
Starting program: /home/rife/bof `perl -e 'print "BABA" x 74'`

Program received signal SIGSEGV, Segmentation fault.
0xb7e355eb in strlen () from /lib/tls/i686/cmov/libc.so.6
(gdb) info r
eax            0x41424142    1094861122
ecx            0x2    2
edx            0xbfc557b8    -1077585992
ebx            0xb7f1cff4    -1208889356
esp            0xbfc5520c    0xbfc5520c
ebp            0xbfc557a4    0xbfc557a4
esi            0x41424142    1094861122
edi            0xb7f008b2    -1209005902
eip            0xb7e355eb    0xb7e355eb <strlen+11>
eflags         0x210202    [ IF RF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

This is as far as I've gone. Is there some way to point EAX or better than
that, ESI, to our payload and execute code?

Is there a way in any situation if we overwrite ESI to make it execute code?

Surely to God someone on this list knows something..
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
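
For reference, a bounded version of the posted bof.c, as an added example that is not part of the original post. The helper name copy_arg and the BUF_SIZE macro are hypothetical; the helper rejects any argument that does not fit in the 128-byte buffer instead of copying it.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* same size as buf in the posted bof.c */

/* Hypothetical helper: copy src into dst only if it fits, NUL included.
 * Returns 0 on success, -1 if src needs more than dstsize bytes. */
static int copy_arg(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;

    /* Look for the terminator within the first dstsize bytes only. */
    const char *end = memchr(src, '\0', dstsize);
    if (end == NULL) {
        dst[0] = '\0';          /* leave dst a valid empty string */
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

int main(int argc, char *argv[])
{
    char buf[BUF_SIZE];

    if (argc < 2)
        return 0;

    /* The 296-byte argument from the gdb run is refused here. */
    if (copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```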
