Vulnerability Development mailing list archives
Re: Buffer Overflow Help
From: runixd <runixd () nullcode net>
Date: Wed, 10 Nov 2004 16:08:43 +0000
On Wed, 2004-11-10 at 12:01 +0200, Harry de Grote wrote:
> On Tuesday 09 November 2004 04:09, eip () tampabay rr com wrote:
> <snip>
> > I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Redhat 9 box kernel 2.4.20-31.9. Am I doing something wrong?
>
> no, you don't but... RH does randomize the stack a little iirc
> so, my way of doing stuff then, is just brute force it! :) (you could also return to libc or whatever)
How would returning to libc help with a randomized stack? Brute forcing should help, but while learning it's probably better to run a vanilla kernel or disable Exec Shield. Depending on your version, options may vary, but you should be able to disable stack randomization by setting /proc/sys/kernel/exec-shield-randomize to 0 ("echo 0 > /proc/sys/kernel/exec-shield-randomize"), and you can disable Exec Shield in /proc/sys/kernel/exec-shield; setting it to 0 should cause it to be disabled. Otherwise this is where you have to work with a non-executable stack and return to libc. You can start reading about Exec Shield at http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield
> best way to do it (i think) is: put your shellcode in the env...
>
> export SHELLCODE=`perl -e '{print "\x90"x65000 . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`
>
> that should give you some breathing space for where to jump to... shellcode starts (on my box) at 0xbfff0027, so everything from there to 0xbffffe00 should do fine...
regards
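The two /proc knobs runixd names are the same ones an administrator should check from the other direction: before a Red Hat 9 / Fedora box running the Exec Shield kernel is put anywhere near real traffic, confirm that nobody left them at 0 after a lab session. The script below is an added example written for this archive page, not code from the thread or from the Exec Shield project. It reads /proc/sys/kernel/exec-shield and /proc/sys/kernel/exec-shield-randomize and classifies the result; the directory is a parameter (an assumption made so the function can be exercised against a constructed directory, as the test does) and defaults to the real /proc/sys/kernel.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the Exec Shield
# state of a Red Hat 9 / Fedora kernel by reading the two /proc files named
# in runixd's reply. The SYSCTL directory is parameterised purely so the
# function can be run against a constructed directory for testing.

# read_flag DIR NAME -> prints the file's value with whitespace stripped,
# or the word "missing" if the file does not exist or is unreadable.
read_flag() {
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'missing'
    fi
}

# exec_shield_status [DIR] -> prints exactly one of:
#   protected   : exec-shield non-zero and exec-shield-randomize non-zero
#   no-random   : exec-shield on, but stack randomization switched off
#   disabled    : exec-shield itself set to 0 (executable stack, no randomization)
#   unsupported : neither file present, i.e. a kernel without the Exec Shield patch
# DIR defaults to /proc/sys/kernel, the location the thread refers to.
exec_shield_status() {
    dir=${1:-/proc/sys/kernel}
    es=$(read_flag "$dir" exec-shield)
    rnd=$(read_flag "$dir" exec-shield-randomize)
    if [ "$es" = missing ] && [ "$rnd" = missing ]; then
        echo unsupported
    elif [ "$es" = 0 ]; then
        echo disabled
    elif [ "$rnd" = 0 ]; then
        echo no-random
    else
        echo protected
    fi
}

# Stand-alone use: report on the running kernel (or on the directory given
# as the first argument).
printf 'Exec Shield status: %s\n' "$(exec_shield_status "$@")"
```

Anything other than "protected" on a production box is a finding. "unsupported" only tells you the Exec Shield patch is absent; on later mainline kernels the equivalent switch is /proc/sys/kernel/randomize_va_space, which this script deliberately does not read because the thread is about the Red Hat patch.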
Current thread:
- Buffer Overflow Help eip (Nov 09)
- Re: Buffer Overflow Help Harry de Grote (Nov 10)
- Re: Buffer Overflow Help runixd (Nov 10)
- <Possible follow-ups>
- RE: Buffer Overflow Help Carlos Carvalho (Nov 10)
- Re: Buffer Overflow Help Steve Bonds (Nov 12)
- Re: Buffer Overflow Help Marco Ivaldi (Nov 12)
- Re: Buffer Overflow Help sin (Nov 12)
- Re: Buffer Overflow Help Steve Bonds (Nov 14)
- RE: Buffer Overflow Help Chris Eagle (Nov 15)
- Re: Buffer Overflow Help Steve Bonds (Nov 15)
- Re: Buffer Overflow Help sin (Nov 12)
- Re: Buffer Overflow Help Harry de Grote (Nov 10)