Vulnerability Development mailing list archives
Re: Off by one on RedHat Linux
From: Jose Ronnick <matrix () phiral com>
Date: Thu, 28 Aug 2003 14:06:45 -0700
On 28 Aug 2003 13:34:38 -0000 lavmarco () freemail it wrote:
> Hi all, I'm looking for a frame pointer overwrite vulnerability on my Linux boxes. I used the sample code in "Frame Pointer Overwrite" by klog in Phrack 55 and it all worked on my Linux Slackware box (8.1). Now when I test this on my Red Hat Linux boxes (i386 platform) (7.1, 7.2, 8.0 and 9.0) the LSB of EBP is not overwritten? Why?
Check your version of gcc. Frame pointer overwriting only works on gcc versions 2.96 and lower.. (I think).. I know it won't work on any version > 3.. I think 2.96 is the bottom end though.. (please correct me if I'm off) Find a box that is using an older version of gcc and it should all work out for you..
> Please note 0xbffff9dc 0xbffff9db 0xbffff9da 0xbffff9d9 and 0xbffff9e4 0xbffff9e3 0xbffff9e2 0xbffff9e1 .... It seems as if EBP is not 4 bytes after the buffer but many more bytes away.. However, buffer[256] is the first variable declared in func. Then... why is the LSB of EBP not overwritten in this scenario on Red Hat systems?
Again, that's all because of the compiler version.. Find an older version of gcc, and everything will work out as expected.. versions > 2.96 put more space in there.. Hope this helps.
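As an added check (not code from the thread), this C program measures the gap between the end of a 256-byte local and the function's frame address, which is exactly what decides whether the Phrack 55 layout applies to a given build: a gap of 0 means buffer[256] overlaps the saved frame pointer's LSB, while a larger gap (alignment padding, reordered locals, or a stack-protector canary on modern gcc) is the "more space in there" the reply refers to. It assumes gcc or clang on x86/x86-64; compiling it with the different gcc versions named in the thread shows the difference directly.

```c
#include <stdio.h>
#include <stdint.h>

/* Returns the gap, in bytes, between the end of a 256-byte local buffer
 * and the function's frame address (where the saved frame pointer sits).
 * Locals live below the frame address, so the result is never negative.
 * Assumption: gcc/clang on x86 or x86-64. */
__attribute__((noinline)) long frame_gap(void)
{
    volatile char buffer[256];      /* volatile: keep it on the stack */
    for (size_t i = 0; i < sizeof buffer; i++)
        buffer[i] = 0;

    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    uintptr_t end_of_buffer = (uintptr_t)buffer + sizeof buffer;
    return (long)(frame - end_of_buffer);
}

/* Given the measured gap, report whether a single out-of-bounds byte at
 * buffer[256] would land on the saved frame pointer (gap == 0, the layout
 * klog's article assumes) or only on padding / a canary (gap > 0). */
int off_by_one_reaches_saved_fp(long gap)
{
    return gap == 0;
}

int main(void)
{
    long gap = frame_gap();
    printf("gap between end of buffer and frame address: %ld byte(s)\n", gap);
    if (off_by_one_reaches_saved_fp(gap))
        printf("off-by-one would touch the saved frame pointer's LSB\n");
    else
        printf("off-by-one lands in padding/canary, not the saved frame pointer\n");
    return 0;
}
```

A stack-protector build (the default on current distributions) reports a nonzero gap because the canary sits between the buffer and the saved frame pointer, so the same measurement also confirms that hardening is in effect.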