Vulnerability Development mailing list archives
Re: No-Exec Stack Smashing 101
From: mhw () WITTSEND COM (Michael H. Warfield)
Date: Thu, 20 Apr 2000 21:07:04 -0400
On Thu, Apr 20, 2000 at 10:36:13AM -0700, Granquist, Lamont wrote:
Well, its not an inherant feature of non-executable stacks that libc is mapped to an address with a zero in it. That's just a feature of Solar Designer's patch for Linux. My next question would have been, of course, how to get around that.
Find a spot in the code which calls the library function and return to that instead. Can't all of it have zeros in it. That may be what they are referring to as a PLT.
And it is still useful to discuss the return-into-libc approach just for educational benefit. And also because in addition to getting around no-exec stacks it also lets you bypass writing shellcode and means that your exploits will not have NOPs in them that IDSes could trigger off of (for remote exploits). And then there's exploits which don't just copy a null-terminated string and for those it doesn't matter if libc has a zero in it.
Of course it sounds like what you're talking about below works as well and more generally.
What is a PLT, if i might ask?
Also, I'm still trying to figure out what you need to make the stack look like in order to do a return-into-libc exploit. I've got Solar Designer's lpr -C exploit, but I don't quite understand his comments (I mean I understand what he's making the stack look like, but I don't understand why).
On Thu, 20 Apr 2000, M.C.Mar wrote:Thought I'd try to liven the discussion up here a bit... Okay, so I'm setting off to exploit the /usr/bin/man MANPATH exploit on RH6.1 (actually my system is RH6.2 i686 with man-1.5g-6 installed on it). And I'm looking for a little help here. What I've been playing with so far is things like the following trying to sort out the parameters of the buffer overflow: setenv MANPAGER `perl -e 'print "A" x 4057; print "\xe0\xca\x05\x40"; /usr/bin/man man gdb /usr/bin/man core Now the goal is to make man do a system("/bin/echo i 0wn y3w") call via returning into system() with the string being a parameter to the call with no code being excuted on the stack.I'm affraid you made wrong aproach... If you have nonexeck stack patch installed you cannot jump into libc, cos libc is mmaped undex 0x00XXXXXX address! The best idea is to jump into PLT. To find system() PLT entry do the following: (gdb) p system $2 = {<text variable, no debug info>} 0x8048d38 <system> 0x8048d38 is a PLT addr of system() call. As the system() call takes only one argument try to fing correct offset in the bufer where is the value that overwrites the RET. Put there 0x8048d38 and after that any value (fo saved %ebp, which should be there :) and then addr where is your string to execute via system(); If anyone need I can write full working explot that uses system() or strcpy() functions to execute anything you want! :) -- Mariusz Wo³oszyn Internet Security Specialist, IT -- Internet Partners E-mail: Mariusz.Woloszyn () it pl, woloszyn () it pl
-- Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Current thread:
- Re: Blind Remote Buffer Overflow, (continued)
- Re: Blind Remote Buffer Overflow Mark L. Jackson (Apr 29)
- Re: Blind Remote Buffer Overflow Arturo Busleiman (Apr 30)
- Re: Blind Remote Buffer Overflow Arturo Busleiman (Apr 30)
- Replacing Kernel Functions via a LKM Granquist, Lamont (Apr 27)
- Re: Replacing Kernel Functions via a LKM Dragos Ruiu (Apr 27)
- Re: Replacing Kernel Functions via a LKM Dragos Ruiu (Apr 28)
- Re: Replacing Kernel Functions via a LKM Prateek Jetly (Apr 27)
- Re: No-Exec Stack Smashing 101 Michael H. Warfield (Apr 26)
- Re: No-Exec Stack Smashing 101 Crispin Cowan (Apr 26)
- Re: No-Exec Stack Smashing 101 Taneli Huuskonen (Apr 26)
- Re: No-Exec Stack Smashing 101 Michael H. Warfield (Apr 20)