Vulnerability Development mailing list archives

Re: Off by one on RedHat Linux


From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Fri, 29 Aug 2003 09:29:22 +0200 (CEST)

On 28 Aug 2003 lavmarco () freemail it wrote:


> hi all,
>
> i'm looking for frame pointer overwrite vulnerability on my linux boxes.
> I used sample code in "Frame Pointer Overwrite by klog" in phrack 55 and all
> worked in my linux slackware box (8.1).
>
> Now when i test this on my red hat linux boxes (i386 platform) (7.1, 7.2, 8.0 and 9.0)
> LSB of EBP is not overwritten? Why?

It's gcc-3.x.x's fault. Newer versions of gcc introduce an additional
padding between local vars and fp/ret.

$ gcc --version
2.95.4
$ gcc fp1.c -o fp1 -g
$ gdb fp1 -q
(gdb) set arg `perl -e 'print "ABCD"x64'`A
(gdb) r
[...]
Program received signal SIGSEGV, Segmentation fault.
0x41444342 in ?? ()
(gdb) disass func
[...]
0x8048433 <func+3>:     sub    $0x114,%esp
                               ^^^^^^
$ gcc --version
gcc (GCC) 3.2.2
Copyright (C) 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
$ gcc fp1.c -o fp1 -g
(gdb) r
[...]
Program exited with code 042.
(gdb) disass func
[...]
0x804835f <func+3>:     sub    $0x118,%esp
                               ^^^^^^
Cheers,

:raptor
-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
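The gdb sessions above infer the padding from the frame size in the prologue (`sub $0x114` vs `sub $0x118`). The small program below measures the same thing at runtime: the number of bytes between the end of a local buffer and the saved frame pointer slot, which is what decides whether a one-byte overflow of that buffer can reach the LSB of EBP at all. It is an added example, not code from the thread or from Phrack 55; `gap_to_saved_fp`, `touch` and `BUF_SIZE` are names chosen here, and it relies on the `__builtin_frame_address` builtin of GCC and Clang. The value it reports is toolchain-dependent: 0 on a gcc-2.95 style layout, a few bytes of alignment padding on gcc 3.x, and, on toolchains built with `-fstack-protector`, the padding plus a canary that a single-byte overflow cannot cross without being detected.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Buffer size is a constructed value; any size works for the measurement. */
#define BUF_SIZE 256

/* Writes through a volatile pointer in a separate, non-inlined function so
 * the compiler must keep the buffer in the caller's stack frame. */
__attribute__((noinline)) static void touch(volatile char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        p[i] = 'A';
}

/* Returns the distance in bytes from the end of a local buffer to the slot
 * holding the saved frame pointer (what gdb shows as the saved EBP/RBP).
 * 0 means the buffer sits flush against the saved fp, so an off-by-one
 * write lands on its least significant byte; a positive value is the
 * compiler-inserted padding (and, if enabled, the stack canary) that sits
 * between the two. */
__attribute__((noinline)) ptrdiff_t gap_to_saved_fp(void)
{
    char buf[BUF_SIZE];
    touch(buf, sizeof buf);

    /* __builtin_frame_address(0) yields this function's frame pointer,
     * i.e. the address of the slot where the caller's fp was saved.
     * Locals always live below that slot, so the difference is >= 0. */
    uintptr_t fp  = (uintptr_t)__builtin_frame_address(0);
    uintptr_t end = (uintptr_t)buf + sizeof buf;
    return (ptrdiff_t)(fp - end);
}

int main(void)
{
    ptrdiff_t gap = gap_to_saved_fp();
    printf("bytes between end of buf[%d] and saved fp: %td\n", BUF_SIZE, gap);
    if (gap == 0)
        puts("layout: buffer is flush against the saved frame pointer");
    else
        puts("layout: compiler inserted padding (and/or a canary) before the saved fp");
    return 0;
}
```

Compile it once with `-fno-stack-protector` and once without to see the canary's contribution separately from the alignment padding; on a 32-bit build of the gcc versions in the thread the reported gap is what the `sub` immediate above reveals indirectly.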