solaris gdb screen mayhem

From: Antonomasia (antat_private)
Date: Wed Aug 29 2001 - 14:51:52 PDT


    I've been attempting a white-hat "exploit" to run some demo code
    on the stack on Solaris.  The aim is to show whether the non-executable
    stack is in force (and the /etc/system file may not be a reliable guide
    to this if modified since last boot or something).
    
    So ideally I'd take a Solaris/sparc shellcode and modify "sh" to "id"
    and plant this in a program that deliberately overflows itself.  And this
    will be run on various machines periodically.
    
    My problems arise when:
    
       Having got "execution" of the illegal string "AAAAAAAA" I replace
       it with downloaded shellcode and this disturbs the exploit so it
       needs some adjustment.  I get a core dump from either SEGV or BUS
       and in trying to find the program state with gdb it throws garbage
       over the screen and is not recovered by "stty sane" or "reset".
       I suppose I could wrap gdb in perl and allow only filtered chars to
       my terminal.  What do other people do about this?
    
       Execution on a non-executable stack gets a SEGV.  Is there a way
       the program can distinguish this from any other SEGV?
    
       Self-choosing values for portability is likely to be a future
       puzzle if this is overcome.
    
    --
    ##############################################################
    # Antonomasia   ant notatla.demon.co.uk                      #
    # See http://www.notatla.demon.co.uk/                        #
    ##############################################################
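An added example for the second question (my code, not the poster's): with a SIGSEGV handler installed through sigaction() and SA_SIGINFO, the self-test can compare si_code and si_addr against the address it jumped to, and so tell "fetch from the non-executable stack was refused" from any other segmentation fault. It assumes a POSIX system whose stack is non-executable and Linux-style mmap flags; the probe buffer and page are constructed at run time, and the enum and function names are my own.

```c
#define _GNU_SOURCE               /* feature macros for sigaction, siginfo_t, MAP_ANONYMOUS */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
/* Added example, not code from the post. Assumes POSIX sigaction/siginfo, an
 * NX stack and Linux-style mmap flags; every address is constructed at run time. */
enum fault { FAULT_NONE, FAULT_NX_FETCH, FAULT_ACCESS, FAULT_UNMAPPED };
static sigjmp_buf g_env;
static volatile int g_code;       /* si_code recorded by the handler */
static void *volatile g_addr;     /* si_addr: a data address, or the PC on a fetch fault */
static void *volatile g_target;   /* address the current probe jumped to, if any */
static volatile char g_sink;      /* forces the data read in read_noaccess() */

static void on_segv(int sig, siginfo_t *si, void *uc) {
    g_code = si->si_code; g_addr = si->si_addr;
    siglongjmp(g_env, 1);         /* unwind back into run_probe() */
}

/* Run probe() under a temporary SIGSEGV handler and classify the fault. SEGV_ACCERR
 * exactly at the address we jumped to means the fetch itself was refused (NX stack). */
static enum fault run_probe(void (*probe)(void)) {
    struct sigaction sa = { .sa_sigaction = on_segv, .sa_flags = SA_SIGINFO }, old;
    enum fault f = FAULT_NONE;
    sigemptyset(&sa.sa_mask);
    g_target = NULL;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(g_env, 1) == 0) probe();                  /* no fault: stack is executable */
    else if (g_code == SEGV_MAPERR) f = FAULT_UNMAPPED;      /* address not mapped at all */
    else if (g_code == SEGV_ACCERR && g_addr == g_target) f = FAULT_NX_FETCH;
    else f = FAULT_ACCESS;                                   /* some other permission fault */
    sigaction(SIGSEGV, &old, NULL);
    return f;
}

/* Probe 1: jump into a zero-filled buffer on this function's own stack. With an NX
 * stack the first instruction fetch faults before any byte is decoded. */
static void exec_stack(void) {
    char buf[64];
    memset(buf, 0, sizeof buf);
    g_target = buf;
    ((void (*)(void))(uintptr_t)buf)();
}

/* Probe 2: data read from a mapped page with no permissions. Also SEGV_ACCERR, but
 * si_addr is the data address rather than a jump target, so it is not mistaken for NX. */
static void read_noaccess(void) {
    volatile char *p = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    g_sink = *p;
}
```

A periodic check would run run_probe(exec_stack) and alarm on anything other than FAULT_NX_FETCH, since FAULT_NONE means the stack was executable and the other values mean the probe itself broke.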
    



    This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 22:08:03 PDT