
Re: exploiting a binary if %edi can be overwritten?


From: avel () gmx ch
Date: Tue, 24 Jun 2003 16:44:28 +0200 (MEST)

Possibly, but doubtful given what I have shown. Depending on what the assembly
gives us later on, it may allow it.
.
.
.

With that, do you want to try `gdb mybinary mybinary.core` and do something like
`x/10i`?


Ok, here's the gdb mybinary mybinary.core:

gdb mybinary mybinary.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
Core was generated by `mybinary'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/libvga.so.1...
(no debugging symbols found)...done.
Reading symbols from /usr/local/lib/libvgagl.so.1...
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols
found)...done.
Reading symbols from /usr/lib/libm.so.2...(no debugging symbols
found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols
found)...
done.
#0  0x2813ecfa in vfprintf () from /usr/lib/libc.so.4
(gdb) x/10i
0x0:    Cannot access memory at address 0x0.
(gdb) x/10i $pc
0x2813ecfa <vfprintf+3990>:     repnz scas %es:(%edi),%al
0x2813ecfc <vfprintf+3992>:     mov    %ecx,%eax
0x2813ecfe <vfprintf+3994>:     not    %eax
0x2813ed00 <vfprintf+3996>:     lea    0xffffffff(%eax),%edi
0x2813ed03 <vfprintf+3999>:     jmp    0x2813f0e6 <vfprintf+4994>
0x2813ed08 <vfprintf+4004>:     orb    $0x10,0xfffffe00(%ebp)
0x2813ed0f <vfprintf+4011>:     mov    0xfffffe00(%ebp),%edx
0x2813ed15 <vfprintf+4017>:     test   $0x20,%dl
0x2813ed18 <vfprintf+4020>:     je     0x2813ed74 <vfprintf+4112>
0x2813ed1a <vfprintf+4022>:     cmpl   $0x0,0xfffffe24(%ebp)
(gdb)

What happens if you overwrite 10000 bytes instead?

The same: no changes in the registers or in the disassembly output.

What does {k,s,l}trace show?

ktrace mybinary `perl -e 'print "A" x 10000'` (too much to post in full; please
specify what you need):
.
.
.
   167 mybinary RET   write 37/0x25
   167 mybinary CALL  getuid
   167 mybinary RET   getuid 0
   167 mybinary CALL  setuid(0)
   167 mybinary RET   setuid 0
   167 mybinary CALL  getgid
   167 mybinary RET   getgid 0
   167 mybinary CALL  setgid(0)
   167 mybinary RET   setgid 0
   167 mybinary CALL  getuid
   167 mybinary RET   getuid 0
   167 mybinary CALL  seteuid(0)
   167 mybinary RET   seteuid 0
   167 mybinary CALL  getgid
   167 mybinary RET   getgid 0
   167 mybinary CALL  setegid(0)
   167 mybinary RET   setegid 0
   167 mybinary PSIG  SIGSEGV SIG_DFL
   167 mybinary NAMI  "mybinary.core"

strace is also a lot to post, but this should be fine:
strace ./mybinary `perl -e 'print "A" x 10000'`

execve("./mybinary", ["./mybinary", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...],
[/* 23 vars */]) = 0
mmap(0, 1976, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x28066000
munmap(0x28066000, 1976)                = 0
__sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) = 0
mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) =
0x28066000
geteuid(0xbfbfd4b4)                     = 0
getuid()                                = 0 (euid 0)
getegid(0xbfbfd4b4)                     = 0
getgid()                                = 0 (egid 0)
open("/var/run/ld-elf.so.hints", O_RDONLY) = 3
read(3, "Ehnt\1\0\0\0\200\0\0\0007\0\0\0\0\0\0\0006\0\0\0\0\0\0"..., 128) =
128
lseek(3, 128, SEEK_SET)                 = 128
read(3, "/usr/lib:/usr/lib/compat:/usr/X1"..., 55) = 55
close(3)                                = 0
access("/usr/lib/libvga.so.1", F_OK)    = -1 ENOENT (No such file or
directory)
access("/usr/lib/compat/libvga.so.1", F_OK) = -1 ENOENT (No such file or
directory)
access("/usr/X11R6/lib/libvga.so.1", F_OK) = -1 ENOENT (No such file or
directory)
access("/usr/local/lib/libvga.so.1", F_OK) = 0
open("/usr/local/lib/libvga.so.1", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=315348, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\324|\0"..., 4096) =
4096
mmap(0, 331776, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) =
0x2806e000
mprotect(0x280b4000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x280b4000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x280b5000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x46000) = 0x280b5000
mmap(0x280bb000, 16384, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x280bb000
close(3)                                = 0
access("/usr/lib/libvgagl.so.1", F_OK)  = -1 ENOENT (No such file or
directory)
access("/usr/lib/compat/libvgagl.so.1", F_OK) = -1 ENOENT (No such file or
directory)
access("/usr/X11R6/lib/libvgagl.so.1", F_OK) = -1 ENOENT (No such file or
directory)
access("/usr/local/lib/libvgagl.so.1", F_OK) = 0
open("/usr/local/lib/libvgagl.so.1", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=52620, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0H+\0\000"..., 4096)
= 4096
mmap(0, 57344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) =
0x280bf000
mprotect(0x280ca000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x280ca000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x280cb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0xb000) = 0x280cb000
close(3)                                = 0
access("/usr/lib/libc.so.4", F_OK)      = 0
open("/usr/lib/libc.so.4", O_RDONLY)    = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=567860, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\224\'\1"..., 4096)
= 4096
mmap(0, 618496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) =
0x280cd000
mprotect(0x2814c000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x2814c000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x2814d000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x7f000) = 0x2814d000
mmap(0x28151000, 77824, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x28151000
close(3)                                = 0
access("/usr/lib/libm.so.2", F_OK)      = 0
open("/usr/lib/libm.so.2", O_RDONLY)    = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=102192, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0L0\0\000"..., 4096)
= 4096
mmap(0, 98304, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) =
0x28164000
mprotect(0x28179000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x28179000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x2817a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x15000) = 0x2817a000
close(3)                                = 0
mmap(0, 560, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 560)                 = 0
mmap(0, 3848, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 3848)                = 0
mmap(0, 1648, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 1648)                = 0
mmap(0, 13312, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 13312)               = 0
mmap(0, 2208, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 2208)                = 0
sigaction(SIGILL, {0x280566d0, [], 0}, {SIG_DFL}) = 0
sigprocmask(SIG_BLOCK, NULL, [])        = 0
sigaction(SIGILL, {SIG_DFL}, NULL)      = 0
sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
sigprocmask(SIG_SETMASK, [], NULL)      = 0
stat("/proc/bus/pci", 0xbfbfd320)       = -1 ENOENT (No such file or
directory)
open("/usr/local/etc/vga/libvga.config", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
readlink("/etc/malloc.conf", 0xbfbf92b0, 63) = -1 ENOENT (No such file or
directory)
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) =
0x2817c000
break(0x809f000)                        = 0
break(0x80a3000)                        = 0
read(3, "# Configuration file for svgalib"..., 16384) = 15925
close(3)                                = 0
open("/root/.svgalibrc", O_RDONLY)      = -1 ENOENT (No such file or
directory)
open("/dev/io", O_RDONLY)               = 3
fcntl(0, F_GETFD)                       = 0
fcntl(1, F_GETFD)                       = 0
fcntl(2, F_GETFD)                       = 0
open("/dev/mem", O_RDWR)                = 4
fcntl(0, F_GETFD)                       = 0
fcntl(1, F_GETFD)                       = 0
fcntl(2, F_GETFD)                       = 0
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(5, 0), ...}) = 0
ioctl(0, VT_GETMODE, 0xbfbfd288)        = -1 ENOTTY (Inappropriate ioctl for
device)
fstat(1, {st_mode=S_IFREG|0644, st_size=5769, ...}) = 0
ioctl(1, VT_GETMODE, 0xbfbfd288)        = -1 ENOTTY (Inappropriate ioctl for
device)
fstat(2, {st_mode=S_IFREG|0644, st_size=5910, ...}) = 0
ioctl(2, VT_GETMODE, 0xbfbfd288)        = -1 ENOTTY (Inappropriate ioctl for
device)
open("/dev/console", O_RDWR)            = 5
ioctl(5, VT_OPENQRY, 0x280b6a08)        = 0
close(5)                                = 0
getppid(0x8)                            = 4846
setpgid(0, 4846)                        = 0
setsid()                                = 4848
open("/dev/ttyv8", O_RDWR)              = 5
ioctl(5, VT_GETACTIVE, 0xbfbfd284)      = 0
getuid()                                = 0 (euid 0)
fstat(1, {st_mode=S_IFREG|0644, st_size=6462, ...}) = 0
write(1, "[svgalib: allocated virtual cons"..., 40[svgalib: allocated
virtual console #9]
) = 40
close(0)                                = 0
close(1)                                = 0
close(2)                                = 0
dup(5)                                  = 0
dup(5)                                  = 1
dup(5)                                  = 2
write(2, "\33[H\33[J", 6)               = 6
open("/dev/mem", O_RDONLY)              = 6
__sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) = 0
break(0x80a5000)                        = 0
mmap(0x80a3000, 4096, PROT_READ, MAP_SHARED|MAP_FIXED, 6, 0xc0000) =
0x80a3000
close(6)                                = 0
break(0x80a7000)                        = 0
mmap(0x80a5000, 4096, PROT_READ, MAP_SHARED|MAP_FIXED, 4, 0xc0000) =
0x80a5000
munmap(0x80a5000, 4096)                 = 0
mmap(0, 65536, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0xa0000) = 0x2817d000
mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0xb8000) = 0x2818d000
close(4)                                = 0
open("/usr/local/etc/vga/libvga.config", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
break(0x80ab000)                        = 0
read(4, "# Configuration file for svgalib"..., 16384) = 15925
close(4)                                = 0
open("/root/.svgalibrc", O_RDONLY)      = -1 ENOENT (No such file or
directory)
fcntl(0, F_GETFD)                       = 0
fcntl(1, F_GETFD)                       = 0
fcntl(2, F_GETFD)                       = 0
open("/dev/mouse", O_RDWR|O_NONBLOCK)   = -1 ENOENT (No such file or
directory)
setuid(0)                               = 0
getgid()                                = 0 (egid 0)
setgid(0)                               = 0
getuid()                                = 0 (euid 0)
seteuid(0)                              = 0
getgid()                                = 0 (egid 0)
setegid(0)                              = 0
--- SIGSEGV (Segmentation fault) ---
--- SIGSEGV (Segmentation fault) ---


and finally ltrace:
ltrace ./mybinary `perl -e 'print "A" x 10000'`

atexit(0x28054e2c)                                = 0
atexit(0x0804f694)                                = 0
vga_init(2, 0xbfbfd4c0, 0xbfbfd4cc, 0x28068300, 0xbfbfd36c[svgalib:
allocated virtual console #9]
) = 0
sscanf(0xbfbfd5af, 0x0804f928, 0x0809d540, 0x0809d644, 0) = 1
fprintf(0x2814fe90, "\nusage: %s [<options>] <host>:<"...,
"EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF".
.. <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++


Still, thanks a lot to anyone helping me with this topic!

regards
avel


