Is this exploitable?

From: Ingram (Vailat_private)
Date: Thu May 22 2003 - 07:55:18 PDT


    hi folks,
    
    I recently found a possibly vulnerable binary, which crashes with SIGSEGV (signal 11).
    I think this binary (a tool written by a friend of mine) is exploitable, but
    the overflow is not happening in the register I expect (or rather, the one I
    know how to exploit ;)
    
    See the gdb dump:
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++
    develop# gdb -core delimma.core
    GNU gdb 4.18 (FreeBSD)
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain
    conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-unknown-freebsd".
    Core was generated by `delimma'.
    Program terminated with signal 11, Segmentation fault.
    #0  0x280f166b in ?? ()
    (gdb) i r
    eax            0xbfbf33cc       -1077988404
    ecx            0x41414141       1094795585
    edx            0xbfbf21dc       -1077992996
    ebx            0x280fc00c       672120844
    esp            0xbfbf2158       0xbfbf2158
    ebp            0xbfbf2180       0xbfbf2180
    esi            0x280f7233       672100915
    edi            0x2      2
    eip            0x280f166b       0x280f166b
    eflags         0x202    514
    cs             0x1f     31
    ss             0x2f     47
    ds             0x2f     47
    es             0x2f     47
    fs             0x2f     47
    gs             0x2f     47
    (gdb) bt
    #0  0x280f166b in ?? ()
    #1  0x280d6664 in ?? ()
    #2  0x280d6858 in ?? ()
    #3  0x280d6d8c in ?? ()
    #4  0x280d12d9 in ?? ()
    #5  0x280d11d9 in ?? ()
    #6  0x804a8c2 in ?? ()
    #7  0x41414141 in ?? ()
    Cannot access memory at address 0x41414141.
    (gdb)
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++
    
    As you can see, the 0x41 bytes have overwritten 'ecx'.
    
    My questions:
    
    1) Is this exploitable?
    2) What is ecx?
    3) What's the difference between having 0x41 in eax, ebp, eip or ecx? Are they
    all exploitable?
    4) What kind of exploit (if possible) do I have to craft to exploit this
    binary?
    
    Many thanks in advance!
    
    
    -- 
    +++ GMX - Mail, Messaging & more  http://www.gmx.net +++
    Please smile! Photo gallery online with GMX, no homepage of your own needed!
    
    This archive was generated by hypermail 2b30 : Fri May 23 2003 - 08:46:49 PDT