Re: solaris gdb screen mayhem

From: Dave Aitel (daitelat_private)
Date: Thu Aug 30 2001 - 09:01:36 PDT


    Throw some easy shellcode into the following little program (just write your
    assembly in sub1() and you should have no problems with it getting all
    messed up when you're doing your demos.) Fun as an overflow is to write,
    you're probably better off just using a function pointer call (see main())
    to demonstrate executability or non executability.
    
    OR you could just load up any program in gdb and set $pc=$sp where $sp is
    pointing to a nop of some sort, and do a si.
    
    OR you could use adb and actually peek at the variable in kernel memory (if
    you're root.)
    
    ALSO don't forget "(gdb) maintenance info sections."
    
    -dave
    
    #include <string.h>
    
    /* sub1() is the code that gets copied onto the stack: put your
       assembly inside the asm() body. It is a real function so that
       main() can copy its machine code by address. */
    void
    sub1(void)
    {
        /* insert your shellcode asm here */
        asm("");
    }
    
    int
    main(void)
    {
        unsigned char buffer[4000];
        void (*p)(void);
    
        /* copy sub1's code onto the stack and call it through a function
           pointer; the call only succeeds if the stack is executable */
        memcpy(buffer, (const void *)sub1, 400);
        p = (void (*)(void))buffer;
        p();
    
        return 0;
    }
    
    
    Antonomasia wrote:
    
    > I've been attempting a white-hat "exploit" to run some demo code
    > on the stack on Solaris.  The aim is to show whether the non-executable
    > stack is in force (and the /etc/system file may not be a reliable guide
    > to this if modified since last boot or something).
    >
    > So ideally I'd take a Solaris/sparc shellcode and modify "sh" to "id"
    > and plant this in a program that deliberately overflows itself.  And this
    > will be run on various machines periodically.
    >
    > My problems arise when:
    >
    >    Having got "execution" of the illegal string "AAAAAAAA" I replace
    >    it with downloaded shellcode and this disturbs the exploit so it
    >    needs some adjustment.  I get a core dump from either SEGV or BUS
    >    and in trying to find the program state with gdb it throws garbage
    >    over the screen and is not recovered by "stty sane" or "reset".
    >    I suppose I could wrap gdb in perl and allow only filtered chars to
    >    my terminal.  What do other people do about this ?
    >
    >    Execution on a non-executable stack gets a SEGV.   Is there a way
    >    the program can distinguish this from any other SEGV ?
    >
    >    Self-choosing values for portability is likely to be a future
    >    puzzle if this is overcome.
    >
    > --
    > ##############################################################
    > # Antonomasia   ant notatla.demon.co.uk                      #
    > # See http://www.notatla.demon.co.uk/                        #
    > ##############################################################
    
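    The following is an added example, written for this archive page and not
    code from either message above. It combines Dave's function-pointer
    approach with an answer to Antonomasia's second question: a SIGSEGV/SIGBUS
    handler installed with sigaction(SA_SIGINFO) reads si_addr, and if the
    faulting address lies inside the stack buffer that was just called, the
    fault is attributed to a non-executable stack rather than to some other
    crash. Instead of hand-written asm it copies a small compiled C function
    (probe_fn) that returns a constant, so there is nothing architecture
    specific to adjust. The names probe_fn, probe_stack_exec, fault_in_range
    and the result codes are assumptions of this example;
    __builtin___clear_cache is a GCC/Clang builtin (a no-op on x86, needed on
    architectures with split instruction caches).

```c
/* Added example: probe whether this process's stack is executable and
 * classify the resulting signal. Assumed names: probe_fn, probe_stack_exec,
 * fault_in_range, STACK_*. Build: cc -O2 -o stackprobe stackprobe.c */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    STACK_EXEC      =  1,   /* copied code ran and returned the expected value */
    STACK_NOEXEC    =  0,   /* fault address was inside the stack buffer */
    UNRELATED_FAULT = -1,   /* fault address was somewhere else entirely */
    PROBE_MISMATCH  = -2    /* code ran but returned garbage (bad copy) */
};

#define PROBE_LEN 64   /* bytes of probe_fn copied; must cover its ret */

/* The code that gets copied to the stack: tiny and position independent. */
static int probe_fn(void) { return 42; }

static sigjmp_buf recover;
static volatile sig_atomic_t fault_sig;   /* which signal fired */
static void *volatile fault_addr;         /* si_addr of that fault */

static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)ctx;
    fault_sig = sig;
    fault_addr = si->si_addr;   /* for a fetch fault: the address we jumped to */
    siglongjmp(recover, 1);     /* unwind to probe_stack_exec(), mask restored */
}

/* Pure classifier: is addr inside [base, base+len)? Separated so the
 * attribution logic can be tested without triggering a fault. */
int fault_in_range(const void *addr, const void *base, size_t len)
{
    uintptr_t a = (uintptr_t)addr, b = (uintptr_t)base;
    return a >= b && a - b < len;
}

int probe_stack_exec(void)
{
    unsigned char buf[PROBE_LEN];
    union { int (*f)(void); const void *p; } fn;   /* code <-> data view */
    struct sigaction sa, old_segv, old_bus;
    int result;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);    /* Solaris may report BUS instead */

    fn.f = probe_fn;
    memcpy(buf, fn.p, sizeof buf);       /* machine code now lives on the stack */
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof buf);
    fn.p = buf;

    if (sigsetjmp(recover, 1) == 0) {
        /* Returns normally only if the stack page is executable. */
        result = (fn.f() == 42) ? STACK_EXEC : PROBE_MISMATCH;
    } else {
        /* We got here via siglongjmp: attribute the fault by address. */
        result = fault_in_range(fault_addr, buf, sizeof buf)
                     ? STACK_NOEXEC : UNRELATED_FAULT;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

int main(void)
{
    switch (probe_stack_exec()) {
    case STACK_EXEC:
        puts("stack is EXECUTABLE: code copied onto the stack ran");
        return 1;
    case STACK_NOEXEC:
        printf("stack is non-executable: signal %d at %p, inside the buffer\n",
               (int)fault_sig, fault_addr);
        return 0;
    case UNRELATED_FAULT:
        printf("unrelated fault: signal %d at %p, outside the buffer\n",
               (int)fault_sig, fault_addr);
        return 2;
    default:
        puts("probe code ran but returned an unexpected value");
        return 3;
    }
}
```

    The exit status lets a cron job or monitoring script flag hosts whose
    stack has become executable, which is the periodic check the original
    question describes. Note that si_addr is the address the CPU was trying to
    fetch from, so an NX fault reports the buffer address itself, while a
    fault from a bad copy or corrupted return address lands elsewhere and is
    reported as unrelated.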



    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 09:16:28 PDT