hi community, I have a buffer overflow question. If I have a binary (no src available) that I can crash with a too long string, so that %edi is set to 0x41414141 (means I could control it)... can I craft the buffer so that the address in %edi is actually jumped to? If I put in a malformed addr (like above) the proc segfaults, if I put in a valid one (like the addr of my shellcode) it gets executed normally (that's why I think I have to restore/push/pop %edi to another register somehow... but how?) In theory I'd like to do something like restoring the addr I have written to the place where %edi is to some other register, which would jmp to the addr given by me. I just dunno _where_ to write _what_ to accomplish that. Maybe push %edi and ret in opcodes (but where? in front of my shellcode won't make much sense, since the prog won't jmp there...)? ...is this exploitable at all?

    # ./mybinary `perl -e 'print "A" x 5000'`
    Segmentation fault (core dumped)
    # gdb -core mybinary.core
    GNU gdb 4.18 (FreeBSD)
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-unknown-freebsd".
    Core was generated by `mybinary'.
    Program terminated with signal 11, Segmentation fault.
    #0  0x2813ecfa in ?? ()
    (gdb) bt
    #0  0x2813ecfa in ?? ()
    #1  0x2813dae9 in ?? ()
    #2  0x2813de32 in ?? ()
    #3  0x2813da25 in ?? ()
    #4  0x8049123 in ?? ()
    #5  0x8049831 in ?? ()
    #6  0x804cd19 in ?? ()
    #7  0x804906a in ?? ()
    (gdb) i reg
    eax            0x0         0
    ecx            0xffffffff  -1
    edx            0x2813ec4c  672394316
    ebx            0x2815000c  672464908
    esp            0xbfbfdd48  0xbfbfdd48
    ebp            0xbfbfdfa0  0xbfbfdfa0
    esi            0x8         8
    edi            0x41414141  1094795585
    eip            0x2813ecfa  0x2813ecfa
    eflags         0x3286      12934
    cs             0x1f        31
    ss             0x2f        47
    ds             0x2f        47
    es             0x2f        47
    fs             0x2f        47
    gs             0x2f        47
    (gdb) x/10i $pc
    0x2813ecfa:     Cannot access memory at address 0x2813ecfa.
    (gdb) x/10i $eax
    0x0:    Cannot access memory at address 0x0.
    (gdb) x/10i $ecx
    0xffffffff:     Cannot access memory at address 0xffffffff.
    (gdb) x/10i $ebx
    0x2815000c:     push   %esp
    0x2815000d:     das
    0x2815000e:     or     %al,(%eax)
    0x28150010:     add    %al,0x34502806(%ebx)
    0x28150016:     add    $0xdcfba28,%eax
    0x2815001b:     sub    %cl,%dl
    0x2815001d:     iret
    0x2815001e:     or     $0xdcfda28,%eax
    0x28150023:     sub    %ch,%dl
    0x28150025:     iret
    (gdb) x/10i $esp
    0xbfbfdd48:     or     $0x0,%al
    0xbfbfdd4a:     adc    $0x14fe9028,%eax
    0xbfbfdd4f:     sub    %bl,%al
    0xbfbfdd51:     jecxz  0xbfbfdd12
    0xbfbfdd53:     mov    $0x20202020,%edi
    0xbfbfdd58:     and    %ah,(%eax)
    0xbfbfdd5a:     and    %ah,(%eax)
    0xbfbfdd5c:     mov    %ds,%edi
    0xbfbfdd5e:     mov    $0xbfe6e0bf,%edi
    0xbfbfdd63:     mov    $0x2,%edi
    (gdb) x/10i $ebp
    0xbfbfdfa0:     xor    %ah,%ah
    0xbfbfdfa2:     mov    $0x13dae9bf,%edi
    0xbfbfdfa7:     sub    %bl,%al
    0xbfbfdfa9:     jecxz  0xbfbfdf6a
    0xbfbfdfab:     mov    $0x804f6c0,%edi
    0xbfbfdfb0:     in     $0xe6,%al
    0xbfbfdfb2:     mov    $0x13da89bf,%edi
    0xbfbfdfb7:     sub    %cl,(%eax,%eax,1)
    0xbfbfdfba:     adc    $0xbfe84028,%eax
    0xbfbfdfbf:     mov    $0xbfbfe84c,%edi
    (gdb) x/10i $esi
    0x8:    Cannot access memory at address 0x8.
    (gdb) x/10i $edi
    0x41414141:     Cannot access memory at address 0x41414141.
    (gdb) x/10i $eip
    0x2813ecfa:     Cannot access memory at address 0x2813ecfa.
    (gdb)

Thanks for any help with that topic!

avel

--
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Please smile! Photo gallery online with GMX, no homepage of your own needed!
This archive was generated by hypermail 2b30 : Mon Jun 23 2003 - 10:50:59 PDT