Vulnerability Development mailing list archives
Re: Off by one on RedHat Linux
From: Steven Hill <steve () covertsystems org>
Date: Sat, 30 Aug 2003 14:44:41 +1000 (EST)
On 28 Aug 2003 lavmarco () freemail it wrote:

> Hi all, I'm looking for the frame pointer overwrite vulnerability on my
> Linux boxes. I used the sample code from "Frame Pointer Overwrite" by klog
> in Phrack 55 and it all worked on my Slackware Linux box (8.1). Now when I
> test this on my Red Hat Linux boxes (i386 platform) (7.1, 7.2, 8.0 and 9.0)
> the LSB of EBP is not overwritten. Why? Then... why is the LSB of EBP not
> overwritten in this scenario on Red Hat systems?
>
> Lavmark

There is an option for gcc that can solve your problem:

    -mpreferred-stack-boundary=2

However, it is only an option.. Thus,...

[steve@covertsystems code]$ gcc --version
gcc (GCC) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
[steve@covertsystems code]$ cat > fp1.c <<'EOF'
#include <string.h>

#define LEN 256

int main(void)
{
    char buffer[LEN];
    char *ptr;

    ptr = buffer;
    memset(ptr, 'A', LEN+4);    // fill the buffer and the saved $ebp
    ptr += (LEN+4);
    memset(ptr, 'B', 4);        // fill the saved $eip
    return 0;
}
EOF
[steve@covertsystems code]$ gcc fp1.c -o fp1 -mpreferred-stack-boundary=2
[steve@covertsystems code]$ ./fp1
Segmentation fault (core dumped)
[steve@covertsystems code]$ gdb -q -c core.1345 ./fp1
Core was generated by `./fp1'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x42424242 in ?? ()
(gdb) i r $ebp $eip
ebp            0x41414141       0x41414141
eip            0x42424242       0x42424242
(gdb)

Steven Hill

-- 
---=[ Covert Systems Research ]=-----------------------------//
= Exploit Research & Development
= Specializing in Linux & UNIX Systems
= URL: www.covertsystems.org
--------------------------------------------=[ SolarIce ]=---//
--The more one reads & learns, the less the other person knows.
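The reply above comes down to stack alignment: whether a one-byte overrun of a local buffer reaches the saved frame pointer depends on how much alignment padding (or, on newer toolchains, a stack-protector canary) the compiler places between the end of the buffer and that slot. The following diagnostic is added here and is not part of the thread; it measures that gap at run time for the same 256-byte buffer. It assumes gcc or clang (for `__builtin_frame_address`) and a frame-pointer-based prologue, so the value it reports is specific to the compiler and flags you build it with.

```c
#include <stdio.h>
#include <stddef.h>

#define LEN 256

/* Distance, in bytes, from the first byte past a LEN-byte local buffer to
 * the slot holding the saved frame pointer of this function. A gap of 0
 * means a one-byte overrun lands directly in the saved EBP/RBP (the klog
 * scenario); a positive gap means it lands in alignment padding or a canary
 * and the saved frame pointer is left untouched. */
ptrdiff_t frame_gap(void)
{
    volatile char buffer[LEN];              /* volatile: keep the buffer in the frame */
    char *end = (char *)buffer + LEN;       /* first byte past the buffer */
    /* With a standard prologue (push ebp; mov ebp, esp) the frame address is
     * the address of the saved caller frame pointer. */
    char *saved_fp = (char *)__builtin_frame_address(0);

    buffer[0] = 0;                          /* touch the buffer so it is really allocated */
    return saved_fp - end;
}

/* Is a one-byte overrun of the buffer adjacent to the saved frame pointer? */
int fp_adjacent(void)
{
    return frame_gap() == 0;
}

int main(void)
{
    ptrdiff_t gap = frame_gap();

    printf("bytes between end of buffer[%d] and saved frame pointer: %td\n", LEN, gap);
    printf("a one-byte overrun would %s the saved frame pointer\n",
           fp_adjacent() ? "hit" : "miss");
    return 0;
}
```

Build it twice, once with the default alignment and once with -mpreferred-stack-boundary=2 (on a 32-bit toolchain that accepts the flag), to see the gap change rather than reasoning about it from the prologue alone.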
Current thread:
- Off by one on RedHat Linux lavmarco (Aug 28)
- Re: Off by one on RedHat Linux Jose Ronnick (Aug 28)
- Re: Off by one on RedHat Linux Marco Ivaldi (Aug 29)
- Re: Off by one on RedHat Linux Steven Hill (Aug 30)