Vulnerability Development mailing list archives
Re: Suse Linux 10.0 and 10.1 (EIP Overflow Questions)
From: kladizkov001 <fabin.gnu () gmail com>
Date: Mon, 26 Jun 2006 00:34:32 +0530
[21:00:fabin@debian:buffer_overflow]$ gdb ./overflow
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) b main
Breakpoint 1 at 0x8048394: file overflow.c, line 3.
(gdb) r
Starting program: /home/fabin/documents/c/buffer_overflow/overflow

Breakpoint 1, main () at overflow.c:3
3         strcpy (str1,
(gdb) print str1
$1 = " 6\025@\020\204\004\bD\uffff"
(gdb) x /50 str1
0xbffff9d0:     0x40153620      0x08048410      0xbffffa44      0x40153620
0xbffff9e0:     0x400164a0      0xbffffa44      0xbffffa18      0x40039dc6
0xbffff9f0:     0x00000001      0xbffffa44      0xbffffa4c      0x080482c0
0xbffffa00:     0x00000000      0x4000bbe0      0x40154b10      0x40016c00
0xbffffa10:     0x00000001      0x080482c0      0x00000000      0x080482e1
0xbffffa20:     0x08048384      0x00000001      0xbffffa44      0x080483b0
0xbffffa30:     0x08048410      0x4000c290      0xbffffa3c      0x00000000
0xbffffa40:     0x00000001      0xbffffb36      0x00000000      0xbffffb67
0xbffffa50:     0xbffffb77      0xbffffb82      0xbffffbbc      0xbffffbce
0xbffffa60:     0xbffffbd9      0xbffffe0e      0xbffffe3e      0xbffffe4d
0xbffffa70:     0xbffffe7d      0xbffffe88      0xbffffeda      0xbffffef0
0xbffffa80:     0xbffffefc      0xbfffff28      0xbfffff31      0xbfffff42
0xbffffa90:     0xbfffff4a      0xbfffff5b
(gdb) n
6       }
(gdb) print str1
$2 = "AAAAAAAAAA"
(gdb) x /50 str1
0xbffff9d0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff9e0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff9f0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffa00:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffa10:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffa20:     0x00414141      0x00000001      0xbffffa44      0x080483b0
0xbffffa30:     0x08048410      0x4000c290      0xbffffa3c      0x00000000
0xbffffa40:     0x00000001      0xbffffb36      0x00000000      0xbffffb67
0xbffffa50:     0xbffffb77      0xbffffb82      0xbffffbbc      0xbffffbce
0xbffffa60:     0xbffffbd9      0xbffffe0e      0xbffffe3e      0xbffffe4d
0xbffffa70:     0xbffffe7d      0xbffffe88      0xbffffeda      0xbffffef0
0xbffffa80:     0xbffffefc      0xbfffff28      0xbfffff31      0xbfffff42
0xbffffa90:     0xbfffff4a      0xbfffff5b
(gdb)

This is the detailed output that can be obtained with your example code. Try to get one like this in SUSE.
Robert Hudock wrote:
Question: For some reason on SUSE 10.0 and 10.1 I cannot overflow the buffer so as to overwrite EIP no matter what. The attached code is a very simple example to illustrate my issue. Basically the following is what I get when the program segfaults on SuSE 10.1. However, the attached program produced the expected result, 0x41414141 in main (), on FreeBSD versions 5.3 and 6.1 and on Red Hat 7.2. Any ideas why this is happening?

-----------------------------------
plato@zion:~> gdb ./overflow
GNU gdb 6.4
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...Using host libthread_db library "/lib64/libthread_db.so.1".

(gdb) run
Starting program: /home/plato/overflow
warning: Lowest section in system-supplied DSO at 0xffffe000 is .hash at ffffe0b4

Program received signal SIGSEGV, Segmentation fault.
0x080483ec in main () at overflow.c:6
6       }
(gdb)
------------------------------------------

Regards,
Robert Hudock

------------------------------------------------------------------------
#include <string.h>

int main (void)
{
    char str1[10];
    /* 83 bytes plus the terminating NUL copied into a 10-byte buffer: the overflow is the point */
    strcpy (str1, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return 0;
}
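An added example, not code from either poster, that turns the question above into a measurement instead of a guess. It assumes the usual frame-pointer layout on x86 and x86_64: the frame pointer register points at the saved frame pointer, the return address sits one pointer-width above it, and locals such as str1 sit below it. The function overflow() measures its own frame with gcc's __builtin_frame_address(0) before doing the unchecked strcpy, so the printed offsets describe exactly the frame being smashed; slot_hit() predicts, for a payload of a given length, whether a slot at a given offset is left alone, partly overwritten (strcpy's NUL terminator or the tail of the payload lands in it, which is what the 0x00414141 word in the Debian dump shows), or fully replaced. The names overflow, slot_hit, min_payload_for and struct layout are this example's own. Build it the way the posted program would have been built, for instance gcc -O0 -fno-stack-protector -U_FORTIFY_SOURCE -m32 frame_probe.c -o frame_probe (drop -m32 if the toolchain has no 32-bit libc), and compare the printed offsets with "disassemble main" and "disassemble overflow" in gdb. One thing the SUSE transcript already says on its own: a ret that had popped 0x41414141 would fault with EIP = 0x41414141, not at an address inside main at line 6, so the instruction that faulted there is main's own epilogue using a corrupted value (a leave or ret reading through a bad pointer), not a successful jump to 0x41414141. A main() whose prologue realigns the stack and whose epilogue restores ESP from a saved register is one way to get exactly that symptom; the disassembly settles which slot the payload actually hit.

```c
/* frame_probe.c: added example for the thread above (not code from either
 * poster).  overflow() measures its own frame before the unchecked strcpy(),
 * so the offsets describe the exact frame being smashed, and slot_hit()
 * predicts what a payload of a given length does to a slot at a given offset.
 * Assumes the frame-pointer convention of x86/x86_64: the frame pointer
 * register points at the saved frame pointer, the return address is one
 * pointer above it, and locals such as str1 sit below it. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum hit { UNTOUCHED = 0, PARTIAL = 1, FULL = 2 };

/* strcpy() writes payload_len bytes followed by one NUL.  Classify a
 * width-byte slot that starts `offset` bytes past the buffer start. */
enum hit slot_hit(size_t payload_len, size_t offset, size_t width)
{
    if (payload_len + 1 <= offset)      /* not even the NUL reaches the slot */
        return UNTOUCHED;
    if (payload_len >= offset + width)  /* every byte of the slot is payload */
        return FULL;
    return PARTIAL;                     /* payload tail and/or the NUL land in it */
}

/* Shortest payload whose own bytes cover a width-byte slot at `offset`. */
size_t min_payload_for(size_t offset, size_t width)
{
    return offset + width;
}

struct layout {
    ptrdiff_t to_saved_fp;   /* str1 start -> saved frame pointer */
    ptrdiff_t to_ret;        /* str1 start -> saved return address */
    size_t    copied;        /* bytes strcpy() actually placed in str1 */
};

/* The posted vulnerable function with the measurement added.  Kept out of
 * main() so its epilogue is the plain leave/ret pair; compare it with
 * "disassemble main" in gdb, which a compiler may lay out differently
 * (stack realignment, canary).  Does not return if the payload reached
 * the return address. */
__attribute__((noinline)) struct layout overflow(const char *payload)
{
    char str1[10];
    struct layout l;
    uintptr_t fp = (uintptr_t)__builtin_frame_address(0);

    l.to_saved_fp = (ptrdiff_t)(fp - (uintptr_t)str1);
    l.to_ret      = l.to_saved_fp + (ptrdiff_t)sizeof(void *);

    strcpy(str1, payload);          /* deliberate: no bounds check, as posted */
    l.copied = strlen(str1);
    return l;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "untouched", "partially overwritten", "fully overwritten" };
    struct layout l = overflow("");              /* safe call, only to measure the frame */
    size_t w = sizeof(void *);

    printf("saved frame pointer is %td bytes past str1, return address %td bytes past it\n",
           l.to_saved_fp, l.to_ret);
    printf("a strcpy payload of %zu bytes fully replaces the return address\n",
           min_payload_for((size_t)l.to_ret, w));

    if (argc > 1) {                              /* pass the payload as argv[1] */
        size_t n = strlen(argv[1]);
        printf("payload of %zu bytes: saved fp %s, return address %s\n", n,
               names[slot_hit(n, (size_t)l.to_saved_fp, w)],
               names[slot_hit(n, (size_t)l.to_ret, w)]);
        overflow(argv[1]);                       /* run this under gdb to watch it */
        puts("returned normally");
    }
    return 0;
}
```

Run it once with no argument to see the offsets, then with a payload of the printed length, for example ./frame_probe "$(printf 'A%.0s' $(seq 84))", under gdb; if EIP ends up as 0x41414141 in overflow() but not when the same strcpy is placed directly in main(), the difference is in how the compiler lays out main's frame, which "disassemble main" will show.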
Current thread:
- Suse Linux 10.0 and 10.1 (EIP Overflow Questions) Robert Hudock (Jun 08)
- Re: Suse Linux 10.0 and 10.1 (EIP Overflow Questions) kladizkov001 (Jun 26)