| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Sep 2009 01:18:19 -0700
From: "Jeremi Gosney" <Jeremi.Gosney@...ricity.com>
To: "Lucus Rife" <lucus.rife@...glemail.com>,
<full-disclosure@...ts.grok.org.uk>
Subject: Re: Executing Code on Linux/x86 with
ASLR+GCC4Protections
are you positive you have a kernel patched for aslr on this host? debian and ubuntu do not ship with aslr. you will have to manually patch your kernel with something like PaX to gain that functionality.
it doesn't really matter. from your question I can tell you do not yet fully understand the mechanics of a buffer overflow. the goal is to gain control a function's return address by overwriting eip. you've already overwritten the registers you are asking if you can overwrite; if you bother to look at your gdb output, you'll see that you've of course already written 'BABA' to esi and eax. so I guess to directly answer your question... no.
what you're seeing below is the effect of compile-time stack protection, not aslr. how do I know? because eip never changed. with aslr, you will likely be able to overwrite eip, but you will not know the address to return to in order to execute the stack since the stack is randomized at runtime. the compile-time stack protection method used (StackGuard, ProPolice, StackShield, etc) will determine which method you will use to defeat it, as each take separate approaches to protecting eip. there are ways to defeat each of the various stack protection methods, but the below program is likely too simple to exploit since we don't have a pointer we can manipulate. they are more useful against real-world examples.
you should probably read this first:
http://www.phrack.org/issues.html?issue=49&id=14#article
further reading:
http://www.phrack.org/issues.html?issue=56&id=5#article
http://www.phrack.org/issues.html?issue=59&id=9#article
- epixoip
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Lucus Rife
Sent: Tuesday, September 22, 2009 5:28 PM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Executing Code on Linux/x86 with ASLR+GCC4Protections
Debian/Ubuntu latest with updates...
(gdb) shell cat bof.c
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
if(argc < 2) return 0;
char buf[128];
strcpy(buf, argv[1]);
return 0;
}
(gdb) r `perl -e 'print "BABA" x 74'`
Starting program: /home/rife/bof `perl -e 'print "BABA" x 74'`
Program received signal SIGSEGV, Segmentation fault.
0xb7e355eb in strlen () from /lib/tls/i686/cmov/libc.so.6
(gdb) info r
eax 0x41424142 1094861122
ecx 0x2 2
edx 0xbfc557b8 -1077585992
ebx 0xb7f1cff4 -1208889356
esp 0xbfc5520c 0xbfc5520c
ebp 0xbfc557a4 0xbfc557a4
esi 0x41424142 1094861122
edi 0xb7f008b2 -1209005902
eip 0xb7e355eb 0xb7e355eb <strlen+11>
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
This is as far as I've gone. Is there some way to point EAX or better than that, ESI, to our payload and execute code?
Is there a way in any situation if we overwrite ESI to make it execute code?
Surely to God someone on this list knows something..
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists