Vulnerability Development mailing list archives
Off by one on RedHat Linux
From: lavmarco () freemail it
Date: 28 Aug 2003 13:34:38 -0000
Hi all, I'm looking for a frame pointer overwrite vulnerability on my Linux boxes. I used the sample code from "Frame Pointer Overwrite" by klog in Phrack 55, and it all worked on my Slackware 8.1 box. Now, when I test this on my Red Hat Linux boxes (i386 platform; 7.1, 7.2, 8.0 and 9.0), the LSB of EBP is not overwritten. Why?

(gdb) disassemble func
Dump of assembler code for function func:
0x804835c <func>:       push   %ebp
0x804835d <func+1>:     mov    %esp,%ebp
0x804835f <func+3>:     sub    $0x118,%esp
0x8048365 <func+9>:     movl   $0x0,0xfffffef4(%ebp)
0x804836f <func+19>:    cmpl   $0x100,0xfffffef4(%ebp)
0x8048379 <func+29>:    jle    0x804837d <func+33>
0x804837b <func+31>:    jmp    0x80483a2 <func+70>
0x804837d <func+33>:    lea    0xfffffef8(%ebp),%eax
0x8048383 <func+39>:    mov    %eax,%edx
0x8048385 <func+41>:    add    0xfffffef4(%ebp),%edx
0x804838b <func+47>:    mov    0xfffffef4(%ebp),%eax
0x8048391 <func+53>:    add    0x8(%ebp),%eax
0x8048394 <func+56>:    mov    (%eax),%al
0x8048396 <func+58>:    mov    %al,(%edx)
0x8048398 <func+60>:    lea    0xfffffef4(%ebp),%eax
0x804839e <func+66>:    incl   (%eax)
0x80483a0 <func+68>:    jmp    0x804836f <func+19>
0x80483a2 <func+70>:    leave
0x80483a3 <func+71>:    ret
End of assembler dump.
(gdb) break *0x80483a2
Breakpoint 1 at 0x80483a2: file suid.c, line 9.
(gdb) break *0x80483a3
Breakpoint 2 at 0x80483a3: file suid.c, line 9.
(gdb) disassemble main
Dump of assembler code for function main:
0x80483a4 <main>:       push   %ebp
0x80483a5 <main+1>:     mov    %esp,%ebp
0x80483a7 <main+3>:     sub    $0x8,%esp
0x80483aa <main+6>:     and    $0xfffffff0,%esp
0x80483ad <main+9>:     mov    $0x0,%eax
0x80483b2 <main+14>:    sub    %eax,%esp
0x80483b4 <main+16>:    cmpl   $0x1,0x8(%ebp)
0x80483b8 <main+20>:    jg     0x80483d4 <main+48>
0x80483ba <main+22>:    sub    $0xc,%esp
0x80483bd <main+25>:    push   $0x8048434
0x80483c2 <main+30>:    call   0x804828c <printf>
0x80483c7 <main+35>:    add    $0x10,%esp
0x80483ca <main+38>:    sub    $0xc,%esp
0x80483cd <main+41>:    push   $0xffffffff
0x80483cf <main+43>:    call   0x804829c <exit>
0x80483d4 <main+48>:    sub    $0xc,%esp
0x80483d7 <main+51>:    mov    0xc(%ebp),%eax
0x80483da <main+54>:    add    $0x4,%eax
0x80483dd <main+57>:    pushl  (%eax)
0x80483df <main+59>:    call   0x804835c <func>
0x80483e4 <main+64>:    add    $0x10,%esp
0x80483e7 <main+67>:    leave
0x80483e8 <main+68>:    ret
End of assembler dump.
(gdb) break *0x80483e7
Breakpoint 3 at 0x80483e7: file suid.c, line 18.
(gdb) break *0x80483e8
Breakpoint 4 at 0x80483e8: file suid.c, line 18.
(gdb) run blahblahblah [...]
Starting program: /tmp/suid blahblahblah [...]

Breakpoint 1, func (sm=0xbffffb5f 'A' <repeats 200 times>...) at suid.c:9
9       }
(gdb) info reg esp ebp
esp            0xbffff8d0       0xbffff8d0
ebp            0xbffff9e8       0xbffff9e8
(gdb) c
Continuing.

Breakpoint 2, 0x080483a3 in func (sm=0x2 <Address 0x2 out of bounds>) at suid.c:9
9       }
(gdb) info reg esp ebp
esp            0xbffff9ec       0xbffff9ec
ebp            0xbffffa08       0xbffffa08
(gdb) c
Continuing.

Breakpoint 3, main (argc=2, argv=0xbffffa74) at suid.c:18
18      }
(gdb) info reg esp ebp
esp            0xbffffa00       0xbffffa00
ebp            0xbffffa08       0xbffffa08
(gdb) c
Continuing.

Breakpoint 4, 0x080483e8 in main (argc=134513572, argv=0x2) at suid.c:18
18      }
(gdb) info reg esp ebp
esp            0xbffffa0c       0xbffffa0c
ebp            0xbffffa48       0xbffffa48

Then...
(gdb) x/5000bx 0xbffff8d0
0xbffff8d0:     0x20    0x00    0x00    0x00    0xb8    0xd2    0x01    0x40
0xbffff8d8:     0x02    0x00    0x53    0x65    0x01    0x01    0x00    0x00
0xbffff8e0:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff8e8:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff8f0:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff8f8:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff900:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff908:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff910:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff918:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff920:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff928:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff930:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff938:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff940:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff948:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff950:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff958:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff960:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff968:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff970:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff978:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff980:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff988:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff990:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff998:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff9a0:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff9a8:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff9b0:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff9b8:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff9c0:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff9c8:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff9d0:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff9d8:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff9e0:     0x41    0xfa    0xff    0xbf    0xcd    0x8d    0x00    0x40
0xbffff9e8:     0x08    0xfa    0xff    0xbf    0xe4    0x83    0x04    0x08
0xbffff9f0:     0x5f    0xfb    0xff    0xbf    0x00    0x00    0x00    0x00
[...]

Please note 0xbffff9dc 0xbffff9db 0xbffff9da 0xbffff9d9 and 0xbffff9e4 0xbffff9e3 0xbffff9e2 0xbffff9e1. It seems as if EBP is not 4 bytes after the buffer but many more bytes away. However, buffer[256] is the first variable declared in func. Then why is the LSB of EBP not overwritten in this scenario on Red Hat systems?

Excuse my poor English.

Lavmark
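The gdb session above already contains the answer, and the following added example (not code from the poster, from klog's Phrack article, or from any Red Hat component) makes it concrete. In func, buf is addressed as 0xfffffef8(%ebp), i.e. ebp-0x108, and holds 256 bytes, so its last byte sits at ebp-9 and the one-past-the-end write of the loop (i runs 0..0x100 inclusive) lands at ebp-8. The saved EBP at 0xbffff9e8 is therefore 8 bytes out of reach, which is consistent with the 16-byte stack alignment visible in main's `and $0xfffffff0,%esp`. The program below models func's 32-bit frame as a little-endian byte image (buffer, a configurable number of padding bytes, saved EBP, return address), runs the same off-by-one copy against it with 257 'A' bytes (constructed input), and reports what the saved EBP looks like afterwards. The constants 0x108, 0xbffffa08 and 0x080483e4 are taken from the gdb output; the padded frame is a simulation in a heap-free byte array, not the real stack.

```c
/* Added example: simulate klog's one-byte frame-pointer overwrite against
 * func()'s frame with and without compiler padding between the buffer and
 * the saved EBP. Not from the original post. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN 256      /* char buffer[256] in func() */
#define MAX_PAD 16       /* largest padding this model supports */

/* Distance from the end of buf to the saved EBP, derived from the
 * displacement gcc chose for buf. In the post buf is at ebp-0x108 and is
 * 256 bytes long, so the gap is 0x108 - 256 = 8 bytes. A buffer placed at
 * ebp-0x100 (what klog's paper assumes) would give a gap of 0.
 * Returns 0 if the displacement is too small to hold the buffer at all. */
size_t gap_below_saved_ebp(uint32_t buf_displacement, size_t buf_len)
{
    if (buf_displacement < buf_len)
        return 0;
    return (size_t)buf_displacement - buf_len;
}

/* The copy loop gcc compiled in func(): cmpl $0x100 / jle means i runs
 * from 0 to 256 inclusive, one byte past a 256-byte buffer.
 * Deliberately vulnerable; this is the bug under discussion. */
static void off_by_one_copy(char *buf, const char *src)
{
    int i;
    for (i = 0; i <= BUF_LEN; i++)
        buf[i] = src[i];
}

/* Build a little-endian image of func()'s frame: buf, `pad` bytes of
 * compiler padding, the saved EBP, then the return address. Overflow it
 * with 257 'A's (constructed input) and return the saved EBP that a
 * subsequent `leave` would load. Returns 0 for an unsupported pad. */
uint32_t saved_ebp_after_overflow(size_t pad, uint32_t saved_ebp,
                                  uint32_t ret_addr)
{
    unsigned char frame[BUF_LEN + MAX_PAD + 8];
    char src[BUF_LEN + 1];
    size_t ebp_off = BUF_LEN + pad;
    size_t ret_off = ebp_off + 4;
    unsigned i;

    if (pad > MAX_PAD)
        return 0;

    memset(src, 'A', sizeof src);
    memset(frame, 0, sizeof frame);
    for (i = 0; i < 4; i++) {           /* x86 stores both little-endian */
        frame[ebp_off + i] = (unsigned char)(saved_ebp >> (8 * i));
        frame[ret_off + i] = (unsigned char)(ret_addr >> (8 * i));
    }

    off_by_one_copy((char *)frame, src);

    /* Decode the saved EBP explicitly so the result does not depend on the
     * host's byte order. */
    return (uint32_t)frame[ebp_off]
         | (uint32_t)frame[ebp_off + 1] << 8
         | (uint32_t)frame[ebp_off + 2] << 16
         | (uint32_t)frame[ebp_off + 3] << 24;
}

int main(void)
{
    /* Values taken from the poster's gdb session. */
    const uint32_t ebp = 0xbffffa08u;
    const uint32_t ret = 0x080483e4u;
    size_t gap = gap_below_saved_ebp(0x108, BUF_LEN);

    printf("gap between buf and saved EBP : %zu bytes\n", gap);
    printf("saved EBP, buffer adjacent    : 0x%08x\n",
           saved_ebp_after_overflow(0, ebp, ret));
    printf("saved EBP, %zu bytes of padding : 0x%08x\n", gap,
           saved_ebp_after_overflow(gap, ebp, ret));
    return 0;
}
```

With no padding the 257th byte clobbers the LSB of the saved EBP (0xbffffa08 becomes 0xbffffa41), which is the behaviour klog's technique relies on and what the poster saw on Slackware. With the 8-byte gap the overflow stops at ebp-8 and the saved EBP survives intact, exactly as the dump at 0xbffff9e0 shows. The practical check before trying this technique on any binary is therefore the buffer's displacement from %ebp in the prologue, not the declaration order in the C source.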
Current thread:
- Off by one on RedHat Linux lavmarco (Aug 28)
- Re: Off by one on RedHat Linux Jose Ronnick (Aug 28)
- Re: Off by one on RedHat Linux Marco Ivaldi (Aug 29)
- Re: Off by one on RedHat Linux Steven Hill (Aug 30)