Try typing "frame 7" and then do "i r" and see if you get the desired
overwritten registers. Note that frame 7 has the eip overwritten with
0x41414141.

#7 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.

-KF

Ingram wrote:

>hi folks,
>
>I recently found a possible vuln binary, which crashes with SIGSEGV 11.
>I think this binary (tool written by a friend of mine) is exploitable, but
>the overflow is not happening in the register I expect (or better, the one I
>know how to exploit ;)
>
>See the gdb dump:
>++++++++++++++++++++++++++++++++++++++++++++++++++++++
>develop# gdb -core delimma.core
>GNU gdb 4.18 (FreeBSD)
>Copyright 1998 Free Software Foundation, Inc.
>GDB is free software, covered by the GNU General Public License, and you are
>welcome to change it and/or distribute copies of it under certain
>conditions.
>Type "show copying" to see the conditions.
>There is absolutely no warranty for GDB. Type "show warranty" for details.
>This GDB was configured as "i386-unknown-freebsd".
>Core was generated by `delimma'.
>Program terminated with signal 11, Segmentation fault.
>#0 0x280f166b in ?? ()
>(gdb) i r
>eax            0xbfbf33cc       -1077988404
>ecx            0x41414141       1094795585
>edx            0xbfbf21dc       -1077992996
>ebx            0x280fc00c       672120844
>esp            0xbfbf2158       0xbfbf2158
>ebp            0xbfbf2180       0xbfbf2180
>esi            0x280f7233       672100915
>edi            0x2              2
>eip            0x280f166b       0x280f166b
>eflags         0x202            514
>cs             0x1f             31
>ss             0x2f             47
>ds             0x2f             47
>es             0x2f             47
>fs             0x2f             47
>gs             0x2f             47
>(gdb) bt
>#0 0x280f166b in ?? ()
>#1 0x280d6664 in ?? ()
>#2 0x280d6858 in ?? ()
>#3 0x280d6d8c in ?? ()
>#4 0x280d12d9 in ?? ()
>#5 0x280d11d9 in ?? ()
>#6 0x804a8c2 in ?? ()
>#7 0x41414141 in ?? ()
>Cannot access memory at address 0x41414141.
>(gdb)
>++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>As you can see, the 0x41 has overwritten 'ecx'.
>
>My questions:
>
>1) Is this exploitable?
>2) What is ecx?
>3) What's the diff between having 0x41 in eax, ebp, eip or ecx? Are they
>all exploitable?
>4) What kind of exploit (if possible) do I have to craft to exploit this
>binary?
>
>many thanks in advance!
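A small crash-triage helper, added here as an example and not part of the original thread: it parses gdb's "i r" and "bt" output (the dump above, embedded as constructed sample input) and reports which registers and backtrace frames hold the input fill byte 0x41, which is the check KF is asking Ingram to do by hand. The regexes, the `is_fill`/`triage` functions and the verdict wording are my own, not a gdb feature.

```python
import re

# Constructed sample input, taken from the register dump and backtrace in the thread.
GDB_DUMP = """\
(gdb) i r
eax            0xbfbf33cc       -1077988404
ecx            0x41414141       1094795585
edx            0xbfbf21dc       -1077992996
ebx            0x280fc00c       672120844
esp            0xbfbf2158       0xbfbf2158
ebp            0xbfbf2180       0xbfbf2180
esi            0x280f7233       672100915
edi            0x2              2
eip            0x280f166b       0x280f166b
(gdb) bt
#0  0x280f166b in ?? ()
#1  0x280d6664 in ?? ()
#6  0x804a8c2 in ?? ()
#7  0x41414141 in ?? ()
"""

# General-purpose i386 registers as printed by "info registers", and backtrace frames.
REG_RE = re.compile(r"^(e[abcd]x|e[sd]i|e[sb]p|eip)\s+0x([0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-f]+)", re.M)


def is_fill(value: int, fill: int, width: int = 4) -> bool:
    """True when every byte of a width-byte word equals the fill byte."""
    return all(((value >> (8 * i)) & 0xFF) == fill for i in range(width))


def triage(dump: str, fill: int = 0x41) -> dict:
    """Report which registers and backtrace frames carry the input fill byte."""
    regs = {name: int(hexval, 16) for name, hexval in REG_RE.findall(dump)}
    frames = {int(n): int(hexval, 16) for n, hexval in FRAME_RE.findall(dump)}
    tainted_regs = sorted(r for r, v in regs.items() if is_fill(v, fill))
    tainted_frames = sorted(n for n, pc in frames.items() if is_fill(pc, fill))
    if "eip" in tainted_regs:
        verdict = "eip holds the fill byte: the program counter itself was overwritten"
    elif tainted_frames:
        # The frame's pc is the return address saved on the stack below it; the fault
        # hit a deeper callee (frames 0..N-1) before that overwritten frame returned.
        verdict = ("frame %d pc holds the fill byte: a saved return address was "
                   "overwritten; the fault hit a deeper callee first" % tainted_frames[0])
    elif tainted_regs:
        verdict = "fill byte only in general registers: corrupted data, not a control-flow hijack yet"
    else:
        verdict = "no register or backtrace frame carries the fill byte"
    return {"registers": tainted_regs, "frames": tainted_frames, "verdict": verdict}


if __name__ == "__main__":
    for key, val in triage(GDB_DUMP).items():
        print(key, val)
```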
This archive was generated by hypermail 2b30 : Fri May 23 2003 - 09:16:08 PDT