Vulnerability Development mailing list archives
Re: is this a bug ?
From: BORBELY Zoltan <bozo () ANDREWS HU>
Date: Wed, 13 Dec 2000 17:06:50 +0100
Hello, On Sun, Dec 10, 2000 at 01:35:27PM +0100, Jonathan James wrote:
Guy, No this isn't a bug, you are forcing the CPU into an infinite loop.. First you jump to "start" where the "call doit" instruction is passed. When the CPU has executed the instructions at label "doit" it will continue to execute whatever follows, i.e label "start" again which just jumps back to label "doit".
No. If this program executes correctly, it isn't a cpu hog :-) It is a shellcode skeleton. But if you modify the string it'll be a cpu eating bastard. I'll comment this code a little: jmp start doit: popl %esi ... start: call doit __data_starts_here__ This is a common shellcode format. It's a variation of the following sequence: call next next: pop %esi The call instruction push the %eip to the stack. The pop %esi reads the address of the instruction following the call statement. This is the common method to indentify the starting address of the position independent code. The problem is the parameter following the jmp and call instructions is a _relative_ address, and the shellcodes mustn't contains NUL bytes. So you have to transform to the jmp start/pop %esi/call doit format. In this case the relative address of the call instruction will be negative, for example 0xffffffed. The jmp instruction has a special version where the relative address only one bytes, so it won't contains NUL byte too. :-)
first i mast explain i am no programmer, i just read a few documents on the web and try to play with stuff. If this is inappropriate here please tell me and except my apologize. anyhow, i have this asm code: .global id .global end .data id: jmp start doit: popl %esi
movl %esi,0x08(%esi) xorl %eax,%eax movb %eax,0x07(%esi) movl %eax,0xc(%esi) movb $0xb,%eax movl %esi,%ebx leal 0x8(%esi),%ecx xorl %edx,%edx
This code builds the parameter block of the execve syscall on the stack directly after the string. The character at _string_address_+7 position (the X character) will be changed to NUL ('\0').
int $0x80
And this is the system call entry point of the linux kernel. If it's execute properly, it will never returns. So if you modify the string and the new length isn't equal to 7 byte (without the termination character which will be overwritten) or there are any error (file missing, isn't executable, ...) the system call will fail and returns.
start: call doit .string "/bin/idX" end: and the c to run it: extern void id(); extern void end(); main() { id(); } both a ripof from Marc Blumenauer <marc () system-security net> but what strikes me odd is that if i cange any of the length of the string to a wrong lenght (0x09 for example) my cpu get to 98.8 usage % after 5 seconds. (this is run by regular user) Can any one explain/verify this on a computer with more the 133MHz and 48RAM ?
The system call returned, and the execution continued at the call instruction. _This_ is the infinite loop :-) Bye, Zoltan BORBELY
Current thread:
- is this a bug ? Guy Cohen (Dec 09)
- Re: is this a bug ? Jonathan James (Dec 11)
- Re: is this a bug ? BORBELY Zoltan (Dec 15)
- <Possible follow-ups>
- Re: is this a bug ? Robert G. Ferrell (Dec 12)
- Re: is this a bug ? Jonathan James (Dec 11)