Vulnerability Development mailing list archives
Re: Problem exploiting a CGI overflow
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Fri, 26 Nov 2004 11:34:16 +0100 (CET)
Just a quick summary of the solution for those interested.

sin <sin () innocence-lost net> wrote:

> It seems like if bash is the one converting the characters, that you should be able to bypass the problems by changing the exploit to call execve() with argv/envp setup. Am I incorrect here?

It's not bash that is responsible for the character conversion, but the scanf() function itself.

sin <sin () innocence-lost net> wrote:

> As for not being able to return into envp like that, seeing as it's a CGI, it seems like that would depend on the method used by the webserver. IIRC GET variables end up in the environment, and POST variables come from stdin, so if it used GET, it seems like you would be able to.

Ret-into-envp may be feasible locally, but I don't believe it would be possible to remotely control the envp in this case, though I've not tested it -- so I may be wrong.

"Victor Henriquez" <vhenriquez () grancanaria com> wrote:

> You are right. I use your shellcode (http://www.0xdeadbeef.info/code/gets-linux.c) --removing 0x0b-- and now it works. But why do I need to close stdin?

Because functions like scanf() and gets() use fd 0 (stdin), and for some reason (I've not investigated this problem further after I found the special shellcode work-around) if you use them to trigger the buffer overflow you don't have control over stdin. This means that you can't properly execute an interactive shell without re-opening the tty, to gain access to all needed descriptors (0, 1, and 2) -- although other programs work just fine without stdin, e.g. try with /bin/ls instead of /bin/sh.

Cheers,

--
Marco Ivaldi
Antifork Research, Inc.
http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
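The root cause under discussion is a CGI reading a token into a fixed buffer with an unbounded `%s` conversion, and the thread's side observation is that `scanf()` itself handles the input bytes (skipping leading whitespace and stopping at the first whitespace byte), which is why the input had to avoid such characters. The following C program is an added example, not code from the thread or from any of its participants: it shows the vulnerable pattern next to a bounded reader that uses a field width plus `%n` to detect, rather than silently truncate, input that does not fit. The buffer size `NAME_LEN`, the function names and the sample inputs are all constructed for this example; `sscanf` on an in-memory string is used in place of `scanf` on stdin so the program runs without a terminal.

```c
/* Added example (not from the mailing-list thread): bounded vs. unbounded
 * "%s" conversions. NAME_LEN and the function names are invented here. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* buffer size; the field width below must stay NAME_LEN - 1 */

/* The vulnerable pattern the thread is about: "%s" has no bound, so any
 * token longer than NAME_LEN - 1 bytes writes past 'out'. Kept only as the
 * "before" picture; it is never called with oversized input here. */
int read_name_unbounded(const char *input, char out[NAME_LEN]) {
    out[0] = '\0';
    return sscanf(input, "%s", out) == 1 ? (int)strlen(out) : -1;
}

/* Hardened reader. The field width limits the write to 15 bytes plus the
 * terminating NUL, and "%n" records how many input bytes were consumed so a
 * caller can tell whether the token was cut short.
 * Returns 1 if the token fit completely, 0 if it was truncated (another
 * non-space byte followed the 15 we stored), -1 if no token was found. */
int read_name_checked(const char *input, char out[NAME_LEN]) {
    int consumed = 0;
    out[0] = '\0';
    if (sscanf(input, "%15s%n", out, &consumed) != 1)
        return -1;                       /* empty or all-whitespace input */
    /* "%s" stops at the first whitespace byte. If the byte right after the
     * stored token is not whitespace and not end-of-string, the caller sent
     * more than fits: reject instead of silently truncating. */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed]))
        return 0;
    return 1;
}

int main(void) {
    /* Constructed sample inputs: leading whitespace, an embedded space, and
     * a token longer than the buffer. */
    const char *samples[] = {
        "   hello world",
        "aaaaaaaaaaaaaaaaaaaa",
        "  \t\n",
    };
    char name[NAME_LEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = read_name_checked(samples[i], name);
        printf("input %zu -> rc=%d stored=\"%s\"\n", i, rc, name);
    }
    return 0;
}
```

Note that `isspace` is what `%s` uses to find token boundaries, so bytes such as space, tab, newline and vertical tab can never reach the buffer through this conversion; the bounded reader makes that explicit while also closing the overflow.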