Vulnerability Development mailing list archives

Re: Off by one on RedHat Linux


From: Jose Ronnick <matrix () phiral com>
Date: Thu, 28 Aug 2003 14:06:45 -0700

On 28 Aug 2003 13:34:38 -0000
lavmarco () freemail it wrote:

> hi all,
> 
> I'm looking for the frame pointer overwrite vulnerability on my Linux boxes.
> I used the sample code in "Frame Pointer Overwrite by klog" in Phrack 55 and all
> worked on my Linux Slackware box (8.1).
> 
> Now when I test this on my Red Hat Linux boxes (i386 platform) (7.1, 7.2, 8.0 and 9.0)
> the LSB of EBP is not overwritten? Why?

Check your version of gcc.  Frame pointer overwriting only works on gcc versions 2.96 and lower.. (I think).. I know it 
won't work on any version > 3.. I think 2.96 is the bottom end though.. (please correct me if I'm off)  Find a box that 
is using an older version of gcc and it should all work out for you..

> Please note 0xbffff9dc 0xbffff9db 0xbffff9da 0xbffff9d9 and 0xbffff9e4
> 0xbffff9e3 0xbffff9e2
> 0xbffff9e1 .... it seems as if ebp is not 4 bytes after buffer but many more
> bytes away.. However buffer[256] is the first variable declared in func.
> 
> Then... why is the LSB of EBP not overwritten in this scenario on Red Hat systems?

Again, that's all because of the compiler version.. Find an older version of gcc, and everything will work out as
expected.. versions > 2.96 put more space in there..

Hope this helps.
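
Added example (not from the thread or from klog's Phrack article): a constructed, self-contained model of the layout the poster expected, a 256-byte local buffer immediately followed by the saved frame pointer, so the effect of a one-byte off-by-one on the LSB of the saved EBP can be observed and compared against a correctly bounded copy. The struct, the copy routines and the filler value are hypothetical stand-ins; a real frame built by gcc 3.x has padding between the two, which is exactly why the overwrite in the original report never reached EBP.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stack frame as the Phrack 55 example assumes it:
 * the 256-byte buffer sits directly below the saved frame pointer, so the
 * byte at offset 256 is the LSB of saved_ebp (little-endian host assumed). */
struct fake_frame {
    char buffer[256];
    uint32_t saved_ebp;
};

/* The off-by-one: "<=" lets i reach 256, one byte past the end of buffer.
 * The frame is addressed as raw bytes so the stray write stays well-defined
 * inside the struct instead of relying on undefined array indexing. */
static void copy_off_by_one(struct fake_frame *f, const char *src, size_t len)
{
    char *dst = (char *)f;
    for (size_t i = 0; i <= sizeof f->buffer && i < len; i++)
        dst[i] = src[i];                 /* i == 256 clobbers saved_ebp's LSB */
}

/* Corrected copy: strict "<" keeps every write inside buffer. */
static void copy_bounded(struct fake_frame *f, const char *src, size_t len)
{
    for (size_t i = 0; i < sizeof f->buffer && i < len; i++)
        f->buffer[i] = src[i];
}

/* Fill the frame with `len` bytes of 'A' (0x41) using the buggy or the fixed
 * routine and report what the saved frame pointer looks like afterwards.
 * 0xbffff9dc is a constructed value echoing the addresses quoted above. */
uint32_t saved_ebp_after_copy(int buggy, size_t len)
{
    struct fake_frame f;
    char src[512];
    memset(src, 'A', sizeof src);
    if (len > sizeof src)
        len = sizeof src;
    f.saved_ebp = 0xbffff9dcu;
    if (buggy)
        copy_off_by_one(&f, src, len);
    else
        copy_bounded(&f, src, len);
    return f.saved_ebp;
}

int main(void)
{
    printf("fixed copy, 300 bytes: saved_ebp = 0x%08x\n", saved_ebp_after_copy(0, 300));
    printf("buggy copy, 300 bytes: saved_ebp = 0x%08x\n", saved_ebp_after_copy(1, 300));
    return 0;
}
```

With the modelled layout the buggy copy turns 0xbffff9dc into 0xbffff941 (only the low byte changes), while the bounded copy leaves it untouched; insert padding between the two members and the same bug lands in the padding, reproducing the Red Hat observation.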

