Re: Is this exploitable?

From: KF (dotslashat_private)
Date: Fri May 23 2003 - 09:44:25 PDT


    Try typing "frame 7" and then do "i r" and see if you get the desired
    overwritten registers. Note that frame 7 has the eip overwritten with
    0x41414141.
    
    #7  0x41414141 in ?? ()
    Cannot access memory at address 0x41414141.
    
    
    -KF
    
    
    Ingram wrote:
    
    >Hi folks,
    >
    >I recently found a possibly vulnerable binary, which crashes with SIGSEGV (signal 11).
    >I think this binary (a tool written by a friend of mine) is exploitable, but
    >the overflow is not happening in the register I expect it in (or rather, the
    >one I know how to exploit ;)
    >
    >See the gdb dump:
    >++++++++++++++++++++++++++++++++++++++++++++++++++++++
    >develop# gdb -core delimma.core
    >GNU gdb 4.18 (FreeBSD)
    >Copyright 1998 Free Software Foundation, Inc.
    >GDB is free software, covered by the GNU General Public License, and you are
    >welcome to change it and/or distribute copies of it under certain
    >conditions.
    >Type "show copying" to see the conditions.
    >There is absolutely no warranty for GDB.  Type "show warranty" for details.
    >This GDB was configured as "i386-unknown-freebsd".
    >Core was generated by `delimma'.
    >Program terminated with signal 11, Segmentation fault.
    >#0  0x280f166b in ?? ()
    >(gdb) i r
    >eax            0xbfbf33cc       -1077988404
    >ecx            0x41414141       1094795585
    >edx            0xbfbf21dc       -1077992996
    >ebx            0x280fc00c       672120844
    >esp            0xbfbf2158       0xbfbf2158
    >ebp            0xbfbf2180       0xbfbf2180
    >esi            0x280f7233       672100915
    >edi            0x2      2
    >eip            0x280f166b       0x280f166b
    >eflags         0x202    514
    >cs             0x1f     31
    >ss             0x2f     47
    >ds             0x2f     47
    >es             0x2f     47
    >fs             0x2f     47
    >gs             0x2f     47
    >(gdb) bt
    >#0  0x280f166b in ?? ()
    >#1  0x280d6664 in ?? ()
    >#2  0x280d6858 in ?? ()
    >#3  0x280d6d8c in ?? ()
    >#4  0x280d12d9 in ?? ()
    >#5  0x280d11d9 in ?? ()
    >#6  0x804a8c2 in ?? ()
    >#7  0x41414141 in ?? ()
    >Cannot access memory at address 0x41414141.
    >(gdb)
    >++++++++++++++++++++++++++++++++++++++++++++++++++++++
    >
    >As you can see, the 0x41 bytes have overwritten 'ecx'.
    >
    >My questions:
    >
    >1) Is this exploitable?
    >2) What is ecx?
    >3) What's the difference between having 0x41 in eax, ebp, eip or ecx? Are they
    >all exploitable?
    >4) What kind of exploit (if possible) do I have to craft to exploit this
    >binary?
    >
    >Many thanks in advance!
    >
    
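KF's point is that the crash address in eip (inside a library) is not where the evidence is; the evidence is frame #7, whose saved return address reads 0x41414141, i.e. the overflow reached a return address on the stack. The following is an added example, not code from this thread or from either poster: a small Python crash-triage script in the style of fuzzing post-processors that parses pasted `i r` and `bt` output, flags every register and frame address that consists entirely of the marker byte (0x41, the 'A' fill used here), and classifies the crash accordingly. The sample dump embedded in it is the one Ingram quoted (trimmed), with the mail quoting kept so the parser copes with pasted text; the function names and verdict labels are my own.

```python
"""Crash-dump triage: which registers / return addresses were overwritten?

Added example for the thread above, not the posters' code. It parses gdb
'info registers' and 'bt' output and reports values made entirely of a
marker byte, which is the usual sign that attacker-controlled input reached
a register or a saved return address.
"""
import re

# Constructed sample input: the gdb session quoted in the thread (trimmed),
# mail-quoted with '>' exactly as it appeared in the posted message.
GDB_DUMP = """\
>Program terminated with signal 11, Segmentation fault.
>#0  0x280f166b in ?? ()
>(gdb) i r
>eax            0xbfbf33cc       -1077988404
>ecx            0x41414141       1094795585
>edx            0xbfbf21dc       -1077992996
>ebx            0x280fc00c       672120844
>esp            0xbfbf2158       0xbfbf2158
>ebp            0xbfbf2180       0xbfbf2180
>esi            0x280f7233       672100915
>edi            0x2      2
>eip            0x280f166b       0x280f166b
>eflags         0x202    514
>cs             0x1f     31
>ss             0x2f     47
>(gdb) bt
>#0  0x280f166b in ?? ()
>#1  0x280d6664 in ?? ()
>#6  0x804a8c2 in ?? ()
>#7  0x41414141 in ?? ()
>Cannot access memory at address 0x41414141.
"""

# 'i r' lines: name, hex value, decimal/hex value. Leading '>' and blanks
# are tolerated so a dump pasted from a mail still parses.
REG_RE = re.compile(r'^[>\s]*([a-z]+)\s+0x([0-9a-fA-F]+)\s', re.M)
# 'bt' lines: "#N  0xADDR in ..."
FRAME_RE = re.compile(r'^[>\s]*#(\d+)\s+0x([0-9a-fA-F]+)\b', re.M)


def is_marker_filled(value, marker=0x41, width=4):
    """True when every one of the `width` low bytes of `value` equals `marker`."""
    return all(((value >> (8 * i)) & 0xFF) == marker for i in range(width))


def parse_registers(dump):
    """Map register name -> integer value from the 'info registers' block."""
    return {name: int(hexval, 16) for name, hexval in REG_RE.findall(dump)}


def parse_frames(dump):
    """Map frame number -> address from the backtrace (later lines win, so the
    '#0' printed at load time is superseded by the one from 'bt')."""
    return {int(num): int(hexval, 16) for num, hexval in FRAME_RE.findall(dump)}


def triage(dump, marker=0x41):
    """Classify a crash by where the marker bytes ended up."""
    regs = parse_registers(dump)
    frames = parse_frames(dump)
    tainted_regs = [n for n, v in regs.items() if is_marker_filled(v, marker)]
    tainted_frames = sorted(n for n, a in frames.items() if is_marker_filled(a, marker))
    if 'eip' in tainted_regs:
        verdict = 'eip-controlled'             # the faulting fetch itself came from input
    elif tainted_frames:
        verdict = 'return-address-overwritten' # a saved return address on the stack is input
    elif tainted_regs:
        verdict = 'data-register-only'         # input reached a register, not control flow (yet)
    else:
        verdict = 'no-marker-found'
    return {'registers': tainted_regs, 'frames': tainted_frames, 'verdict': verdict}


def explain(result):
    """One-line human reading of a triage() result."""
    v = result['verdict']
    if v == 'return-address-overwritten':
        return ('frame %s returns into marker bytes: the stack frame was overflowed; '
                'the fault in eip happened earlier, in code consuming the corrupted data'
                % result['frames'][0])
    if v == 'eip-controlled':
        return 'eip itself holds marker bytes: the crash is at an input-derived address'
    if v == 'data-register-only':
        return 'only %s hold marker bytes: corruption confirmed, control flow not shown' % result['registers']
    return 'no register or frame is filled with the marker byte'


if __name__ == '__main__':
    r = triage(GDB_DUMP)
    print(r)
    print(explain(r))
```

On Ingram's dump this reports `registers=['ecx']`, `frames=[7]` and the verdict `return-address-overwritten`, which is exactly KF's reading: ecx being 0x41414141 only says library code crashed dereferencing corrupted data, while frame #7 shows that the caller of the function at 0x804a8c2 (frame #6, in the binary itself) had its saved return address replaced. The script only flags values made entirely of the marker byte; a partially overwritten address would need the manual `frame 7` / `i r` inspection KF suggests.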



    This archive was generated by hypermail 2b30 : Fri May 23 2003 - 09:16:08 PDT