lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <49997181.8040407@gmail.com>
Date: Mon, 16 Feb 2009 09:00:33 -0500
From: ArcSighter Elite <arcsighter@...il.com>
To: James Matthews <nytrokiss@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploiting buffer overflows via protected GCC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James Matthews wrote:
> I would recommend doing the following things.
> 
> 1. Ask on the Ubuntu GCC list what protection is implemented. (Or just look
> at the source)
> 2. Use GCC to see where the execution is being redirected and so you can
> have a better visual of whats going on.
> 3. Are you sure the stack is executable?
> 
> 
> 
> On Sat, Feb 14, 2009 at 12:30 AM, Marcus Meissner <meissner@...e.de> wrote:
> 
>> On Fri, Feb 13, 2009 at 11:50:11AM -0500, Jason Starks wrote:
>>> I came across a problem that I am sure many security researchers have
>> seen
>>> before:
>>>
>>> jason@...o:~$ cat bof.c
>>> #include <stdio.h>
>>> #include <string.h>
>>>
>>> int main()
>>> {
>>>
>>> char buf[512];
>>>
>>> memset(buf, 'A', 528);
>>>
>>> return 0;
>>>
>>> }
>>> jason@...o:~$
>>>
>>> jason@...o:~$ ./bof
>>> *** stack smashing detected ***: ./bof terminated
>>> ======= Backtrace: =========
>>> /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f08548]
>>> jason@...o:~$
>>>
>>> I have googled my brains out for a solution, but all I have gathered is
>> that
>>> my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
>>> return address it also overwrites the canary's value, and triggers a stop
>> in
>>> the program. I've disassembled it and anybody who can help me probably
>>> doesn't need me to explain much more, but I would like to know a way to
>> get
>>> this. There seems to be some people on this list who may know something
>> on
>>> how to exploit on *nix systems with this protection enabled.
>>>
>>> I do not want to just disable the protection and exploit it normally, I
>> want
>>
>> Perhaps you should learn first exactly _what_ caught your buffer overflow.
>>
>> Hint: It was not SSP aka -fstack-protector.
>>
>> Ciao, Marcus
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Ubuntu and recent kernels also implement ASLR. So, that may be the
issue, besides StackGuard.

Sincerely.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD4DBQFJmXGAH+KgkfcIQ8cRAmG0AJ0c9rFv2hd43oP2iR8EYCRC0gwKgwCYpXqo
1kRbO2tqcJ31JrUw3uNiRA==
=FGDQ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ