Vulnerability Development mailing list archives
Re: No-Exec Stack Smashing 101
From: woloszyn () IPARTNERS PL (M.C.Mar)
Date: Thu, 20 Apr 2000 13:00:22 +0200
Thought I'd try to liven the discussion up here a bit... Okay, so I'm setting off to exploit the /usr/bin/man MANPATH exploit on RH6.1 (actually my system is RH6.2 i686 with man-1.5g-6 installed on it). And I'm looking for a little help here. What I've been playing with so far is things like the following, trying to sort out the parameters of the buffer overflow:

    setenv MANPAGER `perl -e 'print "A" x 4057; print "\xe0\xca\x05\x40";'`
    /usr/bin/man man
    gdb /usr/bin/man core

Now the goal is to make man do a system("/bin/echo i 0wn y3w") call via returning into system(), with the string being a parameter to the call and no code being executed on the stack.
I'm afraid you made the wrong approach... If you have the non-exec stack patch installed you cannot jump into libc, cos libc is mmaped under a 0x00XXXXXX address! The best idea is to jump into the PLT. To find the system() PLT entry do the following:

    (gdb) p system
    $2 = {<text variable, no debug info>} 0x8048d38 <system>

0x8048d38 is the PLT addr of the system() call. As the system() call takes only one argument, try to find the correct offset in the buffer where the value that overwrites the RET is. Put 0x8048d38 there, after that any value (for the saved %ebp, which should be there :) and then the addr where your string to execute via system() is. If anyone needs it I can write a full working exploit that uses the system() or strcpy() functions to execute anything you want! :)

--
Mariusz Wołoszyn
Internet Security Specialist, IT -- Internet Partners
E-mail: Mariusz.Woloszyn () it pl, woloszyn () it pl
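Added example, not from this thread and not man's own code: the defect the whole exchange depends on is an unchecked copy of an environment value into a fixed-size stack buffer, and a non-executable stack does not remove it, as the return-into-PLT approach above shows. The function below is the bounded form such a copy should take. PAGER_BUF_SIZE, the "less" default and the control-character rule are assumptions of this example; the 4057-byte value is the one from the quoted message, constructed here in make_run().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed pager buffer. Constructed value for this example; the real
 * buffer size in man-1.5g is not stated anywhere in the thread. */
#define PAGER_BUF_SIZE 256

/* Result codes for copy_pager_value(). */
enum { PAGER_OK = 0, PAGER_UNSET = -1, PAGER_TOO_LONG = -2, PAGER_BAD_CHAR = -3 };

/* Copy an untrusted environment value into a fixed-size buffer.
 *
 * The unchecked form is strcpy(dst, value): once strlen(value) >= dstsz it
 * writes past dst, over the saved %ebp and the return address that sit above
 * the buffer on the stack. That is exactly what the 4057-byte MANPAGER value
 * in the quoted message probes for, and it works whether or not the stack is
 * executable, because the overwritten return address can point at code that
 * is already there (the system() PLT entry in this thread).
 *
 * This version checks the length before copying and refuses an over-long
 * value rather than truncating it: the pager string is later handed to a
 * shell, and a silently truncated command is still a command. */
int copy_pager_value(const char *value, char *dst, size_t dstsz)
{
    if (dstsz == 0) return PAGER_TOO_LONG;
    dst[0] = '\0';
    if (value == NULL) return PAGER_UNSET;

    /* Scan at most dstsz bytes, so an attacker-controlled value cannot make
     * us read arbitrarily far before we decide to reject it. Control
     * characters are refused as well (assumed policy for this example), so a
     * newline cannot smuggle a second shell command into the pager string. */
    size_t n = 0;
    while (n < dstsz && value[n] != '\0') {
        unsigned char c = (unsigned char)value[n];
        if (c < 0x20 || c == 0x7f) return PAGER_BAD_CHAR;
        n++;
    }
    if (n == dstsz) return PAGER_TOO_LONG;   /* no room for the terminator */

    memcpy(dst, value, n + 1);               /* n + 1 <= dstsz, incl. '\0' */
    return PAGER_OK;
}

/* Read MANPAGER from the environment, falling back to a hypothetical default
 * when the variable is unset or rejected. */
const char *pager_from_env(char *dst, size_t dstsz)
{
    if (copy_pager_value(getenv("MANPAGER"), dst, dstsz) != PAGER_OK) {
        strncpy(dst, "less", dstsz);
        if (dstsz) dst[dstsz - 1] = '\0';
    }
    return dst;
}

/* Builds a run of `len` copies of `ch` (e.g. the 4057 "A"s from the thread).
 * Constructed test input; heap-allocated, caller frees. */
char *make_run(char ch, size_t len)
{
    char *s = malloc(len + 1);
    if (!s) return NULL;
    memset(s, ch, len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char buf[PAGER_BUF_SIZE];
    char *big = make_run('A', 4057);
    printf("short value : %d\n", copy_pager_value("less", buf, sizeof buf));
    printf("4057 x 'A'  : %d\n", copy_pager_value(big, buf, sizeof buf));
    printf("with newline: %d\n", copy_pager_value("less\nid", buf, sizeof buf));
    printf("from env    : %s\n", pager_from_env(buf, sizeof buf));
    free(big);
    return 0;
}
```

The point of returning distinct codes rather than a bare boolean is that the caller can log which rule fired; a run of PAGER_TOO_LONG rejections from a setuid program is precisely the probing traffic the quoted message describes, and worth alerting on.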
Current thread:
- No-Exec Stack Smashing 101 Granquist, Lamont (Apr 19)
- Re: No-Exec Stack Smashing 101 Crispin Cowan (Apr 19)
- Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 20)
- Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 20)
- Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 20)
- Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 20)
- Re: No-Exec Stack Smashing 101 Granquist, Lamont (Apr 20)
- Re: No-Exec Stack Smashing 101 Mariusz Woloszyn (Apr 21)
- Re: No-Exec Stack Smashing 101 M.C.Mar (Apr 20)
- Re: No-Exec Stack Smashing 101 Crispin Cowan (Apr 19)