| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 Feb 2009 09:00:33 -0500
From: ArcSighter Elite <arcsighter@...il.com>
To: James Matthews <nytrokiss@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploiting buffer overflows via protected GCC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
James Matthews wrote:
> I would recommend doing the following things.
>
> 1. Ask on the Ubuntu GCC list what protection is implemented. (Or just look
> at the source)
> 2. Use GCC to see where the execution is being redirected and so you can
> have a better visual of whats going on.
> 3. Are you sure the stack is executable?
>
>
>
> On Sat, Feb 14, 2009 at 12:30 AM, Marcus Meissner <meissner@...e.de> wrote:
>
>> On Fri, Feb 13, 2009 at 11:50:11AM -0500, Jason Starks wrote:
>>> I came across a problem that I am sure many security researchers have
>> seen
>>> before:
>>>
>>> jason@...o:~$ cat bof.c
>>> #include <stdio.h>
>>> #include <string.h>
>>>
>>> int main()
>>> {
>>>
>>> char buf[512];
>>>
>>> memset(buf, 'A', 528);
>>>
>>> return 0;
>>>
>>> }
>>> jason@...o:~$
>>>
>>> jason@...o:~$ ./bof
>>> *** stack smashing detected ***: ./bof terminated
>>> ======= Backtrace: =========
>>> /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f08548]
>>> jason@...o:~$
>>>
>>> I have googled my brains out for a solution, but all I have gathered is
>> that
>>> my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
>>> return address it also overwrites the canary's value, and triggers a stop
>> in
>>> the program. I've disassembled it and anybody who can help me probably
>>> doesn't need me to explain much more, but I would like to know a way to
>> get
>>> this. There seems to be some people on this list who may know something
>> on
>>> how to exploit on *nix systems with this protection enabled.
>>>
>>> I do not want to just disable the protection and exploit it normally, I
>> want
>>
>> Perhaps you should learn first exactly _what_ caught your buffer overflow.
>>
>> Hint: It was not SSP aka -fstack-protector.
>>
>> Ciao, Marcus
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Ubuntu and recent kernels also implement ASLR. So, that may be the
issue, besides StackGuard.
Sincerely.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD4DBQFJmXGAH+KgkfcIQ8cRAmG0AJ0c9rFv2hd43oP2iR8EYCRC0gwKgwCYpXqo
1kRbO2tqcJ31JrUw3uNiRA==
=FGDQ
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists