Metasploit mailing list archives

Help to get started!


From: dprotti at flowgate.net (Duilio Protti)
Date: Sun, 31 Jul 2005 20:05:10 +0000

In fact, I have tried vuln1_2 on Gentoo Linux, and it fails to exploit
vuln1.c from the tutorial. The problem arises because of the Smash Stack
Protector with which libc is compiled in Gentoo. Changing the code of
vuln1.c:

char buf[64];                       /* 64-byte stack buffer */
....
/* asks for up to 4096 bytes into the 64-byte buffer: the overflow
   happens inside libc's read() */
if(read(peersock, buf, 4096) == -1) {
    perror("read");
    return(1);
}

to another one which does not overflow inside of the libc's read()
function:

char buf[64];
char largebuf[4096];                /* large enough for the whole read() */
....
if(read(peersock, largebuf, 4096) == -1) {   /* no overflow in read() now */
    perror("read");
    return(1);
}
mystrcpy(buf, largebuf);            /* unbounded copy: the overflow now happens here */

where mystrcpy() is defined by us in the same file (say vuln2.c). Then,
when running vuln2 (compiled, of course, without ssp) the overflow occurs
in mystrcpy(), which doesn't check the stack on return. This way, I have
successfully exploited vuln2 using vuln1_2 from the tutorial, defining a
'Gentoo Linux' target with ESP adjusted to 0xbffff220.

It would probably be good to change vuln1.c in the tutorial this way, to
evade the compiled-in protections found on many systems.


Bye,
Duilio Protti.
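Added example, not code from the tutorial or from either post: the hardened counterparts of the two copies discussed above, a read() capped at the buffer size and a bounded replacement for mystrcpy() that reports when the input would have overflowed. The names read_bounded, copy_bounded and demo_read are chosen here, and a pipe stands in for peersock.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSZ 64

/* Hardened form of the tutorial's read(): never asks the kernel for more
 * bytes than buf can hold, and keeps one byte for a terminating NUL.
 * Returns the byte count read, or -1 on error. */
ssize_t read_bounded(int fd, char *buf, size_t bufsz) {
    if (bufsz == 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0) { perror("read"); return -1; }
    buf[n] = '\0';
    return n;
}

/* Hardened form of the post's mystrcpy(): copies at most dstsz-1 bytes,
 * always NUL-terminates dst, and returns -1 when src was truncated, which is
 * exactly the case where an unbounded copy would have smashed the stack. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src);
    if (dstsz == 0) return -1;
    size_t n = len < dstsz ? len : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len < dstsz ? 0 : -1;
}

/* Constructed stand-in for peersock: a pipe carrying payload_len bytes of
 * 'A', i.e. an oversized client message. Returns how many bytes landed in
 * the 64-byte buf (at most 63), or -1 on error. */
ssize_t demo_read(size_t payload_len) {
    int fds[2];
    char largebuf[4096];
    char buf[BUFSZ];
    if (payload_len > sizeof largebuf || pipe(fds) == -1) return -1;
    memset(largebuf, 'A', payload_len);
    if (write(fds[1], largebuf, payload_len) != (ssize_t)payload_len) return -1;
    close(fds[1]);
    ssize_t n = read_bounded(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;
}

int main(void) {
    printf("%zd of 4096 bytes accepted into a %d-byte buffer\n", demo_read(4096), BUFSZ);
    return 0;
}
```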

The tutorial is really geared for showing exploit developers how to
port code to the Framework, not so much how to write an exploit from
scratch. Depending on your operating system and version, there could be
all sorts of things preventing that simple stack overflow from working
(compiled protection, hardened kernel, etc). If you like, email me
off-list with the compiled binary, along with the name, version, and
architecture of your system.

-HD
