Vulnerability Development mailing list archives

Re: Off by one on RedHat Linux


From: Steven Hill <steve () covertsystems org>
Date: Sat, 30 Aug 2003 14:44:41 +1000 (EST)


On 28 Aug 2003 lavmarco () freemail it wrote:
> Hi all,
>
> I'm looking for frame pointer overwrite vulnerability on my linux boxes.
> I used sample code in "Frame Pointer Overwrite by klog" in phrack 55 and all
> worked in my linux slackware box (8.1).
>
> Now when I test this on my red hat linux boxes (i386 platform) (7.1, 7.2, 8.0 and 9.0)
> LSB of EBP is not overwritten? Why?
>
> Then... why is LSB in EBP not overwritten in this scenario on redhat systems?
>
> Lavmark

There is an option for gcc that can solve your problem:

        -mpreferred-stack-boundary=2

However, it is only an option..

Thus,...

[steve@covertsystems code]$ gcc --version
gcc (GCC) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
[steve@covertsystems code]$ cat > fp1.c <<EOF
#include <string.h>

#define LEN 256

int main(void)  {

        char buffer[LEN];
        char *ptr;

        ptr = buffer;
        memset(ptr, 'A', LEN+4); // $ebp
        ptr += (LEN+4);
        memset(ptr, 'B', 4);     // $eip
}
EOF

[steve@covertsystems code]$ gcc fp1.c -o fp1 -mpreferred-stack-boundary=2
[steve@covertsystems code]$ ./fp1
Segmentation fault (core dumped)
[steve@covertsystems code]$ gdb -q -c core.1345 ./fp1
Core was generated by `./fp1'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x42424242 in ?? ()
(gdb) i r $ebp $eip
ebp            0x41414141       0x41414141
eip            0x42424242       0x42424242
(gdb)


Steven Hill


- -- 

 ---=[ Covert Systems Research ]=-----------------------------//
 = Exploit Research & Development                             -
 = Specializing in Linux & UNIX Systems                       -
 = URL: www.covertsystems.org                                 -    
 --------------------------------------------=[ SolarIce ]=---//

 --The more one reads & learns, the less the other person knows.
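Added diagnostic, not part of Steve's post or the Phrack sample: this C program measures the padding that the compiler leaves between the end of a 256-byte local buffer and the saved frame pointer, which is the gap that decides whether a short overrun reaches EBP at all. Build it once with the compiler defaults and once with -mpreferred-stack-boundary=2 to see the alignment padding the post's flag removes; __builtin_frame_address is a GCC/Clang builtin, the function name and the constructed buffer are mine, and the exact gap depends on your compiler, target and flags.

```c
#include <stdio.h>

#define LEN 256

/* Returns the number of bytes between one-past-the-end of a LEN-byte
 * local buffer and this function's frame pointer, i.e. the slot that
 * holds the caller's saved EBP/RBP. A gap of 0 means the buffer abuts
 * the saved frame pointer, so writing LEN+1 bytes clobbers its LSB;
 * a positive gap is alignment padding that a short overrun lands in.
 * noinline keeps the buffer in this function's own frame. */
__attribute__((noinline)) long frame_gap(void)
{
    volatile char buffer[LEN];                       /* constructed local */
    char *frame = (char *)__builtin_frame_address(0);

    buffer[0] = 'A';                                 /* keep the object live */
    return (long)(frame - ((char *)buffer + LEN));
}

int main(void)
{
    long gap = frame_gap();

    printf("bytes between buffer end and saved frame pointer: %ld\n", gap);
    if (gap == 0)
        printf("no padding: a one-byte overrun hits the saved frame pointer\n");
    else
        printf("%ld byte(s) of padding: a one-byte overrun never reaches it\n", gap);
    return 0;
}
```

The padding is a layout artifact of the stack boundary, not a protection; it only moves where an out-of-bounds write lands.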


