Vulnerability Development mailing list archives

exploiting a binary if %edi can be overwritten?


From: avel () gmx ch
Date: Mon, 23 Jun 2003 10:06:05 +0200 (MEST)

Hi community,

I have a buffer overflow question. If I have a binary (no src available)
that I can crash with a too long string, so that %edi is set to 0x41414141
(meaning I could control it)... can I craft the buffer so that the address in
%edi is actually jumped to?

If I put in a malformed addr (like above) the proc segfaults; if I put in a
valid one (like the addr of my shellcode) it gets executed normally (that's why I
think I have to restore/push/pop %edi to another register somehow... but
how?)

In theory I'd like to do something like restoring the addr I have written to
the place where %edi is to some other register, which would jmp to the
addr given by me. I just dunno _where_ to write _what_ to accomplish that.
Maybe push %edi and ret in opcodes (but where? In front of my shellcode
won't make much sense, since the prog won't jmp there...)?
...is this exploitable at all?

# ./mybinary `perl -e 'print "A" x 5000'`
Segmentation fault (core dumped)

# gdb -core mybinary.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `mybinary'.
Program terminated with signal 11, Segmentation fault.
#0  0x2813ecfa in ?? ()
(gdb) bt
#0  0x2813ecfa in ?? ()
#1  0x2813dae9 in ?? ()
#2  0x2813de32 in ?? ()
#3  0x2813da25 in ?? ()
#4  0x8049123 in ?? ()
#5  0x8049831 in ?? ()
#6  0x804cd19 in ?? ()
#7  0x804906a in ?? ()
(gdb) i reg
eax            0x0      0
ecx            0xffffffff       -1
edx            0x2813ec4c       672394316
ebx            0x2815000c       672464908
esp            0xbfbfdd48       0xbfbfdd48
ebp            0xbfbfdfa0       0xbfbfdfa0
esi            0x8      8
edi            0x41414141       1094795585
eip            0x2813ecfa       0x2813ecfa
eflags         0x3286   12934
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
(gdb) x/10i $pc
0x2813ecfa:     Cannot access memory at address 0x2813ecfa.
(gdb) x/10i $eax
0x0:    Cannot access memory at address 0x0.
(gdb) x/10i $ecx
0xffffffff:     Cannot access memory at address 0xffffffff.
(gdb) x/10i $ebx
0x2815000c:     push   %esp
0x2815000d:     das
0x2815000e:     or     %al,(%eax)
0x28150010:     add    %al,0x34502806(%ebx)
0x28150016:     add    $0xdcfba28,%eax
0x2815001b:     sub    %cl,%dl
0x2815001d:     iret
0x2815001e:     or     $0xdcfda28,%eax
0x28150023:     sub    %ch,%dl
0x28150025:     iret
(gdb) x/10i $esp
0xbfbfdd48:     or     $0x0,%al
0xbfbfdd4a:     adc    $0x14fe9028,%eax
0xbfbfdd4f:     sub    %bl,%al
0xbfbfdd51:     jecxz  0xbfbfdd12
0xbfbfdd53:     mov    $0x20202020,%edi
0xbfbfdd58:     and    %ah,(%eax)
0xbfbfdd5a:     and    %ah,(%eax)
0xbfbfdd5c:     mov    %ds,%edi
0xbfbfdd5e:     mov    $0xbfe6e0bf,%edi
0xbfbfdd63:     mov    $0x2,%edi
(gdb) x/10i $ebp
0xbfbfdfa0:     xor    %ah,%ah
0xbfbfdfa2:     mov    $0x13dae9bf,%edi
0xbfbfdfa7:     sub    %bl,%al
0xbfbfdfa9:     jecxz  0xbfbfdf6a
0xbfbfdfab:     mov    $0x804f6c0,%edi
0xbfbfdfb0:     in     $0xe6,%al
0xbfbfdfb2:     mov    $0x13da89bf,%edi
0xbfbfdfb7:     sub    %cl,(%eax,%eax,1)
0xbfbfdfba:     adc    $0xbfe84028,%eax
0xbfbfdfbf:     mov    $0xbfbfe84c,%edi
(gdb) x/10i $esi
0x8:    Cannot access memory at address 0x8.
(gdb) x/10i $edi
0x41414141:     Cannot access memory at address 0x41414141.
(gdb) x/10i $eip
0x2813ecfa:     Cannot access memory at address 0x2813ecfa.
(gdb)

Thanks for any help with that topic!

avel

