Message-ID: <4a5ccb770909221728j36657267l572558ecfa428594@mail.gmail.com>
Date: Tue, 22 Sep 2009 20:28:16 -0400
From: Lucus Rife <lucus.rife@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Executing Code on Linux/x86 with ASLR+GCC4 Protections
Debian/Ubuntu latest with updates...
(gdb) shell cat bof.c
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
if(argc < 2) return 0;
char buf[128];
strcpy(buf, argv[1]); /* unbounded copy: argv[1] longer than 127 bytes overruns buf */
return 0;
}
(gdb) r `perl -e 'print "BABA" x 74'`
Starting program: /home/rife/bof `perl -e 'print "BABA" x 74'`
Program received signal SIGSEGV, Segmentation fault.
0xb7e355eb in strlen () from /lib/tls/i686/cmov/libc.so.6
(gdb) info r
eax 0x41424142 1094861122
ecx 0x2 2
edx 0xbfc557b8 -1077585992
ebx 0xb7f1cff4 -1208889356
esp 0xbfc5520c 0xbfc5520c
ebp 0xbfc557a4 0xbfc557a4
esi 0x41424142 1094861122
edi 0xb7f008b2 -1209005902
eip 0xb7e355eb 0xb7e355eb <strlen+11>
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
This is as far as I've gone. Is there some way to point EAX, or better than
that, ESI, to our payload and execute code?
Is there a way in any situation if we overwrite ESI to make it execute code?
Surely to God someone on this list knows something..
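The bounded-copy counterpart of the posted bof.c, as an added example that is not part of the original message or the list thread: the unchecked strcpy is replaced by a length check that rejects over-long input instead of writing past buf. The names copy_bounded, handle_arg and handle_repeated are chosen here; the 128-byte buffer and the 296-byte "BABA" x 74 input mirror the post.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define BUF_SIZE 128   /* same buffer size as the posted bof.c */

/* Hardened replacement for strcpy(buf, argv[1]).
 * Returns 0 on success, -1 if src (including its NUL) does not fit in dstsz bytes.
 * Rejecting over-long input is preferable to strncpy-style silent truncation,
 * which can also leave dst unterminated. memchr never scans past dstsz bytes. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL) {             /* no terminator within dstsz: too long */
        if (dstsz > 0)
            dst[0] = '\0';         /* leave dst in a defined state */
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* fits, NUL included */
    return 0;
}

/* Mirrors main() of bof.c with the check added.
 * Returns 0 if the argument was accepted, 1 if it was rejected
 * (in the original this is the case that overwrote the stack). */
int handle_arg(const char *arg)
{
    char buf[BUF_SIZE];
    if (copy_bounded(buf, sizeof buf, arg) != 0)
        return 1;
    return 0;
}

/* Test helper: builds a constructed argument of 'len' copies of c
 * (like the post's perl -e 'print "BABA" x 74') and feeds it to handle_arg.
 * Returns -1 if the buffer could not be allocated. */
int handle_repeated(char c, size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, c, len);
    s[len] = '\0';
    int rc = handle_arg(s);
    free(s);
    return rc;
}

int main(int argc, char *argv[])
{
    if (argc < 2)
        return 0;
    int rc = handle_arg(argv[1]);
    if (rc != 0)
        fprintf(stderr, "argument too long (limit %d bytes)\n", BUF_SIZE - 1);
    else
        fprintf(stderr, "ok\n");
    return rc;
}
```

The 296-byte input from the post is rejected by copy_bounded before anything is written past buf, so no saved register or return address on the stack is touched. Compiler hardening such as GCC's -fstack-protector only turns such an overflow into an abort after the write has happened; the length check removes the write itself.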
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/