lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 17 Feb 2009 12:19:07 +1100
From: Jubei Trippataka <vpn.1.fanatic@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploiting buffer overflows via protected GCC

>
>
> > memset(buf, 'A', 528);
>
> Don't do that.  This sort of "whoops" is exactly what the gcc SSP canary is
> designed to stop.
>

I could comment on this, but... I'll leave it.


>
> > I have googled my brains out for a solution, but all I have gathered is
> that
> > my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
> > return address it also overwrites the canary's value, and triggers a stop
> in
> > the program. I've disassembled it and anybody who can help me probably
> > doesn't need me to explain much more, but I would like to know a way to
> get
> > this. There seems to be some people on this list who may know something
> on
> > how to exploit on *nix systems with this protection enabled.
>
> What you want to do is be more precise in your splatting.  Instead of
> one memset, see if you can come up with a way to do *two* memsets, which
> leave your stack looking like:
>
>      'AAAAAAAAA' (above the canary)
>      <4 unmolested bytes of canary>
>      'AAAAAAAAA' (below the canary)
>
> Of course, if you're trying to exploit already-existing code, you probably
> only have one memset/strcpy you can abuse, and the starting address of the
> destination is already nailed down, which means you need to fill in the
> 4 bytes of canary correctly.  This means you need to find a way to obtain
> the value so you can use it.  One hint - sometimes you're better off
> targeting
> the stack frame 2 or 3 function calls back, rather than the *current*
> frame.
>
>
You commenting on exploitation is kind of like asking a deaf person what
their favorite song is. You obviously have no clue what you are talking
about due to the fact you offered absolutely no insight in to the protection
mechanism he was asking about, nor potential means of exploitation. Given
this the real question remains, do you actually believe you have any clue
about this stuff, or are you like Wallace and just want to post useless
shit?

-- 
ciao

JT

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ