Metasploit mailing list archives
Help to get started!
From: dprotti at flowgate.net (Duilio Protti)
Date: Sun, 31 Jul 2005 20:05:10 +0000
In fact, I have tried vuln1_2 on Gentoo Linux, and it fails to exploit vuln1.c from the tutorial. The problem arises because of the Smash Stack Protector with which libc is compiled in Gentoo. Changing the code of vuln1.c:

    char buf[64];
    ....
    if(read(peersock, buf, 4096) == -1) {
        perror("read");
        return(1);
    }

to another one which does not overflow inside of the libc's read() function:

    char buf[64];
    char largebuf[4096];
    ....
    if(read(peersock, largebuf, 4096) == -1) {
        perror("read");
        return(1);
    }
    mystrcpy(buf, largebuf);

where mystrcpy() is defined by us in the same file (say vuln2.c). Then, when running vuln2 (compiled of course without ssp), the overflow occurs in mystrcpy(), which doesn't check the stack on return. This way, I have successfully exploited vuln2 using vuln1_2 from the tutorial, defining a 'Gentoo Linux' target with ESP adjusted to 0xbffff220. It would probably be good to change vuln1.c in the tutorial this way, to evade compiled protections found on many systems.

Bye,
Duilio Protti.
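The message above turns on where the unchecked copy happens: inside SSP-compiled libc, where a canary catches it, or inside a caller-supplied copy routine compiled without SSP, where nothing does. The fix a maintainer would want is to make the copy itself bounded so the question never arises. The following is an added example, not code from the thread or from the Metasploit tutorial; mystrcpy_unchecked() is a hypothetical reconstruction of the shape described in the message (its definition is not given there), and copy_bounded() and handle_request() are names chosen here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: the unchecked copy shape from the message (hypothetical
 * reconstruction) beside a bounded replacement, plus a request handler that
 * mirrors the vuln2.c flow but rejects oversize input instead of overflowing. */

#define BUF_SIZE 64      /* the 64-byte working buffer from vuln1.c */
#define LARGE_SIZE 4096  /* the staging buffer read() fills in vuln2.c */

/* The shape of an unchecked copy: no destination size, so any source longer
 * than the destination overruns it. Kept only for comparison; nothing below
 * calls it. */
char *mystrcpy_unchecked(char *dst, const char *src)
{
    char *d = dst;
    while ((*d++ = *src++) != '\0')
        ;
    return dst;
}

/* Bounded copy: writes at most dstsz-1 bytes, always NUL-terminates, and
 * returns 0 on a complete copy or -1 when the source did not fit. */
int copy_bounded(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (dstsz == 0)
        return -1;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;  /* bytes we can keep */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen <= dstsz - 1 ? 0 : -1;
}

/* Mirrors vuln2.c: peer bytes land in largebuf, then move into the 64-byte
 * buf. The unchecked version overflowed on that second step; this one
 * returns -1 for anything longer than buf can hold. peer_data stands in for
 * what read(peersock, largebuf, 4096) would have delivered. */
int handle_request(const char *peer_data, size_t peer_len)
{
    char largebuf[LARGE_SIZE];
    char buf[BUF_SIZE];

    if (peer_len > sizeof largebuf)
        return -1;
    memcpy(largebuf, peer_data, peer_len);

    if (copy_bounded(buf, sizeof buf, largebuf, peer_len) != 0) {
        fprintf(stderr, "request of %zu bytes rejected (limit %zu)\n",
                peer_len, sizeof buf - 1);
        return -1;
    }
    return 0;
}

/* Constructed inputs for the demonstration: a short request and one that
 * fills the whole 4096-byte staging buffer, as read() in vuln1.c allows. */
int demo_small_request(void)
{
    const char req[] = "hello from peer";
    return handle_request(req, sizeof req - 1);   /* expect 0 */
}

int demo_oversize_request(void)
{
    static char big[LARGE_SIZE];
    memset(big, 'A', sizeof big);
    return handle_request(big, sizeof big);       /* expect -1, no overflow */
}

int main(void)
{
    printf("small request: %d\n", demo_small_request());
    printf("oversize request: %d\n", demo_oversize_request());
    return 0;
}
```

Compiled with or without -fstack-protector, the oversize request is refused before any byte passes the end of buf, so the outcome no longer depends on which object file carries the copy loop.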
The tutorial is really geared for showing exploit developers how to port code to the Framework, not so much how to write an exploit from scratch. Depending on your operating system and version, there could be all sorts of things preventing that simple stack overflow from working (compiled protection, hardened kernel, etc). If you like, email me off-list with the compiled binary, along with the name, version, and architecture of your system. -HD
Current thread:
- Help to get started! Duilio Protti (Jul 31)
- Help to get started! Duilio Protti (Aug 04)