Re: solaris gdb screen mayhem

From: corecode (corecodeat_private)
Date: Thu Aug 30 2001 - 07:21:26 PDT


    At 09:51 PM 8/29/2001, Antonomasia wrote:
    
    >I've been attempting a white-hat "exploit" to run some demo code
    >on the stack on Solaris.  The aim is to show whether the non-executable
    >stack is in force (and the /etc/system file may not be a reliable guide
    >to this if modified since last boot or something).
    >
    >So ideally I'd take a Solaris/sparc shellcode and modify "sh" to "id"
    >and plant this in a program that deliberately overflows itself.  And this
    >will be run on various machines periodically.
    
    Nice idea... so you want to check whether your boxes are still in the 
    non-executable-stack state?
    But you should write the "shellcode" on your own to fit your purposes; you 
    don't need a shellcode.
    
    
    >My problems arise when:
    >
    >    Having got "execution" of the illegal string "AAAAAAAA" I replace
    >    it with downloaded shellcode and this disturbs the exploit so it
    >    needs some adjustment.  I get a core dump from either SEGV or BUS
    >    and in trying to find the program state with gdb it throws garbage
    >    over the screen and is not recovered by "stty sane" or "reset".
    >    I suppose I could wrap gdb in perl and allow only filtered chars to
    >    my terminal.  What do other people do about this?
    >
    >    Execution on a non-executable stack gets a SEGV.  Is there a way
    >    the program can distinguish this from any other SEGV ?
    
    Why don't you try this one: it would be enough to call exit(1) in the 
    "shellcode". So if the code on the stack gets executed, the program will 
    return 1 (== shell false). Install a signal(SIGSEGV) and signal(SIGBUS) 
    handler that will exit(0).
    
    Good idea?
    
    cheerz
       corecode
    
    --
    http://www.eikon.tum.de/~simons/security/
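
[Editor's note: the following is an added example, not code from corecode or Antonomasia. It implements the probe corecode describes, with two changes worth having: the "shellcode" planted on the stack is a single `ret` instruction rather than a downloaded payload, and the SIGSEGV/SIGBUS handler records si_addr so that a fault at the probe address (non-executable memory) can be told apart from an unrelated SEGV, which is the question Antonomasia raised. The thread concerns Solaris/SPARC; this example assumes Linux on x86_64 or aarch64 with gcc or clang, and the function names (stack_is_executable, mapping_is_executable, try_execute) are the example's own. It also goes slightly beyond the stack case: the same probe is run against a fresh rw and a fresh rwx mapping as controls, so a run shows the check really distinguishes the two.]

```c
/* nxprobe.c: can code placed in a stack buffer (or any given memory) execute?
 * Added example for the thread above; not the original poster's code.
 * Assumes Linux on x86_64 or aarch64, gcc or clang.  Build: cc -o nxprobe nxprobe.c */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The only "shellcode" needed: a lone 'ret'.  If it executes, control simply
 * comes back to the caller.  If the page is non-executable, the CPU faults on
 * the very first fetch and the kernel delivers SIGSEGV (or SIGBUS). */
static const unsigned char ret_insn[] =
#if defined(__x86_64__) || defined(__i386__)
    { 0xc3 };
#elif defined(__aarch64__)
    { 0xc0, 0x03, 0x5f, 0xd6 };            /* 0xd65f03c0, little-endian */
#else
#error "add the encoding of 'ret' for this architecture"
#endif

static sigjmp_buf probe_env;
static void *volatile probe_target;        /* address we are about to jump to */
static void *volatile fault_addr;          /* where the fault actually hit */

static void on_fault(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    fault_addr = si->si_addr;              /* faulting address, from the kernel */
    siglongjmp(probe_env, 1);              /* unwind out of the handler */
}

/* Copy 'ret' to p and try to execute it.  Returns 1 if it ran, 0 if the fault
 * landed exactly on p (memory is not executable), -1 for any other fault. */
static int try_execute(void *p)
{
    struct sigaction sa, old_segv, old_bus;
    int result;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    memcpy(p, ret_insn, sizeof ret_insn);
    __builtin___clear_cache((char *)p, (char *)p + sizeof ret_insn); /* aarch64 I-cache */
    probe_target = p;
    fault_addr = NULL;

    if (sigsetjmp(probe_env, 1) == 0) {    /* 1: save the signal mask too */
        void (*fn)(void);
        memcpy(&fn, &p, sizeof fn);        /* data pointer -> function pointer */
        fn();
        result = 1;                        /* 'ret' came back: memory is executable */
    } else {
        result = (fault_addr == probe_target) ? 0 : -1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* The check the thread is after: run code placed in a stack buffer. */
int stack_is_executable(void)
{
    unsigned char buf[64] __attribute__((aligned(16)));  /* aarch64 needs 4-byte alignment */
    return try_execute(buf);
}

/* Control probes on a fresh anonymous mapping, with and without PROT_EXEC. */
int mapping_is_executable(int want_exec)
{
    int prot = PROT_READ | PROT_WRITE | (want_exec ? PROT_EXEC : 0);
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;                         /* e.g. execmem denied by policy */
    int r = try_execute(m);
    munmap(m, len);
    return r;
}

/* Exit status follows corecode's convention: 0 = stack is non-executable (the
 * fault handler "won"), 1 = code on the stack ran; 2 = inconclusive. */
int main(void)
{
    int r = stack_is_executable();
    printf("stack: %s\n", r == 1 ? "EXECUTABLE" : r == 0 ? "non-executable" : "inconclusive");
    printf("rw mapping: %d  rwx mapping: %d\n", mapping_is_executable(0), mapping_is_executable(1));
    return r == 0 ? 0 : r == 1 ? 1 : 2;
}
```

Run it from cron and alert on a non-zero exit; a 1 means code on the stack executed. Two caveats: the handler uses siglongjmp, which is fine for a one-shot probe but not strictly async-signal-safe, and on a system that enforces control-flow integrity for indirect calls an unrelated SEGV could appear at the probe address, so treat a 0 as "fetch from the stack faulted" and check the system's own setting (on the thread's Solaris target, the noexec_user_stack tunable) if the result surprises you.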
    



    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 08:21:40 PDT