Message-ID: <13850.1234546085@turing-police.cc.vt.edu>
Date: Fri, 13 Feb 2009 12:28:05 -0500
From: Valdis.Kletnieks@...edu
To: Jason Starks <jstarks440@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploiting buffer overflows via protected GCC

On Fri, 13 Feb 2009 11:50:11 EST, Jason Starks said:

> memset(buf, 'A', 528);

Don't do that. This sort of "whoops" is exactly what the gcc SSP canary is
designed to stop.

> I have googled my brains out for a solution, but all I have gathered is that
> my Ubuntu's gcc is compiled with SSP and every time I try to overwrite the
> return address it also overwrites the canary's value, and triggers a stop in
> the program. I've disassembled it and anybody who can help me probably
> doesn't need me to explain much more, but I would like to know a way to get
> this. There seem to be some people on this list who may know something on
> how to exploit on *nix systems with this protection enabled.

What you want to do is be more precise in your splatting. Instead of
one memset, see if you can come up with a way to do *two* memsets, which
leave your stack looking like:

'AAAAAAAAA' (above the canary)
<4 unmolested bytes of canary>
'AAAAAAAAA' (below the canary)

Of course, if you're trying to exploit already-existing code, you probably
only have one memset/strcpy you can abuse, and the starting address of the
destination is already nailed down, which means you need to fill in the
4 bytes of canary correctly. This means you need to find a way to obtain
the value so you can use it. One hint - sometimes you're better off targeting
the stack frame 2 or 3 function calls back, rather than the *current* frame.
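
Added example, not part of the original message: a simulation in an ordinary byte array of what the SSP epilogue check covers, showing that a contiguous fill like the quoted memset always trips the canary while the epilogue compares nothing else in the frame. The frame layout, sizes, canary bytes and function names are constructed for illustration and are not a real gcc frame.

```c
#include <stdio.h>
#include <string.h>

/* Simulated frame (constructed layout and values, not a real gcc frame):
 * [ buf 16 bytes ][ canary 4 bytes ][ saved return 8 bytes ] */
enum { BUF_LEN = 16, CANARY_LEN = 4, RET_LEN = 8,
       CANARY_OFF = BUF_LEN, RET_OFF = BUF_LEN + CANARY_LEN,
       FRAME_LEN = RET_OFF + RET_LEN };
enum { CLEAN = 0, DETECTED = 1, MISSED = 2 };

static const unsigned char CANARY[CANARY_LEN] = { 0x00, 0x5a, 0xc3, 0x7e };
static const unsigned char SAVED_RET[RET_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8 };

/* Prologue: the canary sits between the buffer and the saved return. */
static void frame_init(unsigned char *f) {
    memset(f, 0, BUF_LEN);
    memcpy(f + CANARY_OFF, CANARY, CANARY_LEN);
    memcpy(f + RET_OFF, SAVED_RET, RET_LEN);
}

/* Epilogue: only the canary is compared. Real SSP calls __stack_chk_fail()
 * on a mismatch; here we just report what the check would conclude. */
static int frame_check(const unsigned char *f) {
    if (memcmp(f + CANARY_OFF, CANARY, CANARY_LEN) != 0) return DETECTED;
    return memcmp(f + RET_OFF, SAVED_RET, RET_LEN) == 0 ? CLEAN : MISSED;
}

/* One contiguous fill of n bytes from the start of buf (the quoted memset). */
static int linear_write(size_t n) {
    unsigned char f[FRAME_LEN];
    frame_init(f);
    memset(f, 'A', n > FRAME_LEN ? FRAME_LEN : n); /* stay inside the array */
    return frame_check(f);
}

/* The layout from the reply's diagram: bytes on both sides, canary untouched. */
static int split_write(void) {
    unsigned char f[FRAME_LEN];
    frame_init(f);
    memset(f, 'A', BUF_LEN);
    memset(f + RET_OFF, 'A', RET_LEN);
    return frame_check(f);
}

int main(void) {
    printf("fill 16: %d  fill 17: %d  fill 528: %d  split: %d\n",
           linear_write(16), linear_write(17), linear_write(528), split_write());
    return 0;
}
```

A result of 1 means the epilogue check would abort the program, 2 means the saved return changed without the check noticing, and 0 means neither the canary nor the saved return was modified.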