Re: exploiting a binary if %edi can be overwritten?

From: avelat_private
Date: Tue Jun 24 2003 - 07:44:28 PDT


    > Possibly, but doubtful given what is shown so far. Depending on the assembly
    > of what comes later, it may allow it.
    .
    .
    .
    > 
    > With that, do you want to try `gdb mybinary mybinary.core` and then
    > something like `x/10i`?
    
    
    Ok, here's the gdb mybinary mybinary.core:
    
    >gdb mybinary mybinary.core
    GNU gdb 4.18 (FreeBSD)
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain
    conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-unknown-freebsd"...
    (no debugging symbols found)...
    Core was generated by `mybinary'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /usr/local/lib/libvga.so.1...
    (no debugging symbols found)...done.
    Reading symbols from /usr/local/lib/libvgagl.so.1...
    (no debugging symbols found)...done.
    Reading symbols from /usr/lib/libc.so.4...(no debugging symbols
    found)...done.
    Reading symbols from /usr/lib/libm.so.2...(no debugging symbols
    found)...done.
    Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols
    found)...
    done.
    #0  0x2813ecfa in vfprintf () from /usr/lib/libc.so.4
    (gdb) x/10i
    0x0:    Cannot access memory at address 0x0.
    (gdb) x/10i $pc
    0x2813ecfa <vfprintf+3990>:     repnz scas %es:(%edi),%al
    0x2813ecfc <vfprintf+3992>:     mov    %ecx,%eax
    0x2813ecfe <vfprintf+3994>:     not    %eax
    0x2813ed00 <vfprintf+3996>:     lea    0xffffffff(%eax),%edi
    0x2813ed03 <vfprintf+3999>:     jmp    0x2813f0e6 <vfprintf+4994>
    0x2813ed08 <vfprintf+4004>:     orb    $0x10,0xfffffe00(%ebp)
    0x2813ed0f <vfprintf+4011>:     mov    0xfffffe00(%ebp),%edx
    0x2813ed15 <vfprintf+4017>:     test   $0x20,%dl
    0x2813ed18 <vfprintf+4020>:     je     0x2813ed74 <vfprintf+4112>
    0x2813ed1a <vfprintf+4022>:     cmpl   $0x0,0xfffffe24(%ebp)
    (gdb)
    
    >What happens if you overwrite 10000 bytes instead?
    
    The same result: neither the registers nor the disassembly at the fault
    change. It still dies on the `repnz scas %es:(%edi),%al` inside vfprintf,
    i.e. while scanning for the terminator of a string argument whose pointer
    (in %edi) is not a valid address.
    
    > What does {k,s,l}trace show?
    
    >ktrace mybinary `perl -e 'print "A" x 10000'` (the full kdump output is
    too much to post; please tell me which part you need):
    .
    .
    .
       167 mybinary RET   write 37/0x25
       167 mybinary CALL  getuid
       167 mybinary RET   getuid 0
       167 mybinary CALL  setuid(0)
       167 mybinary RET   setuid 0
       167 mybinary CALL  getgid
       167 mybinary RET   getgid 0
       167 mybinary CALL  setgid(0)
       167 mybinary RET   setgid 0
       167 mybinary CALL  getuid
       167 mybinary RET   getuid 0
       167 mybinary CALL  seteuid(0)
       167 mybinary RET   seteuid 0
       167 mybinary CALL  getgid
       167 mybinary RET   getgid 0
       167 mybinary CALL  setegid(0)
       167 mybinary RET   setegid 0
       167 mybinary PSIG  SIGSEGV SIG_DFL
       167 mybinary NAMI  "mybinary.core"
    
    The strace output is also long, but should be fine to post in full:
    >strace ./mybinary `perl -e 'print "A" x 10000'`
    
    execve("./mybinary", ["./mybinary", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...],
    [/* 23 vars */]) = 0
    mmap(0, 1976, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x28066000
    munmap(0x28066000, 1976)                = 0
    __sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) = 0
    mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) =
    0x28066000
    geteuid(0xbfbfd4b4)                     = 0
    getuid()                                = 0 (euid 0)
    getegid(0xbfbfd4b4)                     = 0
    getgid()                                = 0 (egid 0)
    open("/var/run/ld-elf.so.hints", O_RDONLY) = 3
    read(3, "Ehnt\1\0\0\0\200\0\0\0007\0\0\0\0\0\0\0006\0\0\0\0\0\0"..., 128) =
    128
    lseek(3, 128, SEEK_SET)                 = 128
    read(3, "/usr/lib:/usr/lib/compat:/usr/X1"..., 55) = 55
    close(3)                                = 0
    access("/usr/lib/libvga.so.1", F_OK)    = -1 ENOENT (No such file or
    directory)
    access("/usr/lib/compat/libvga.so.1", F_OK) = -1 ENOENT (No such file or
    directory)
    access("/usr/X11R6/lib/libvga.so.1", F_OK) = -1 ENOENT (No such file or
    directory)
    access("/usr/local/lib/libvga.so.1", F_OK) = 0
    open("/usr/local/lib/libvga.so.1", O_RDONLY) = 3
    fstat(3, {st_mode=S_IFREG|0755, st_size=315348, ...}) = 0
    read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\324|\0"..., 4096) =
    4096
    mmap(0, 331776, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) =
    0x2806e000
    mprotect(0x280b4000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
    mprotect(0x280b4000, 4096, PROT_READ|PROT_EXEC) = 0
    mmap(0x280b5000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
    0x46000) = 0x280b5000
    mmap(0x280bb000, 16384, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x280bb000
    close(3)                                = 0
    access("/usr/lib/libvgagl.so.1", F_OK)  = -1 ENOENT (No such file or
    directory)
    access("/usr/lib/compat/libvgagl.so.1", F_OK) = -1 ENOENT (No such file or
    directory)
    access("/usr/X11R6/lib/libvgagl.so.1", F_OK) = -1 ENOENT (No such file or
    directory)
    access("/usr/local/lib/libvgagl.so.1", F_OK) = 0
    open("/usr/local/lib/libvgagl.so.1", O_RDONLY) = 3
    fstat(3, {st_mode=S_IFREG|0755, st_size=52620, ...}) = 0
    read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0H+\0\000"..., 4096)
    = 4096
    mmap(0, 57344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) =
    0x280bf000
    mprotect(0x280ca000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
    mprotect(0x280ca000, 4096, PROT_READ|PROT_EXEC) = 0
    mmap(0x280cb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
    0xb000) = 0x280cb000
    close(3)                                = 0
    access("/usr/lib/libc.so.4", F_OK)      = 0
    open("/usr/lib/libc.so.4", O_RDONLY)    = 3
    fstat(3, {st_mode=S_IFREG|0444, st_size=567860, ...}) = 0
    read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\224\'\1"..., 4096)
    = 4096
    mmap(0, 618496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) =
    0x280cd000
    mprotect(0x2814c000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
    mprotect(0x2814c000, 4096, PROT_READ|PROT_EXEC) = 0
    mmap(0x2814d000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
    0x7f000) = 0x2814d000
    mmap(0x28151000, 77824, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x28151000
    close(3)                                = 0
    access("/usr/lib/libm.so.2", F_OK)      = 0
    open("/usr/lib/libm.so.2", O_RDONLY)    = 3
    fstat(3, {st_mode=S_IFREG|0444, st_size=102192, ...}) = 0
    read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0L0\0\000"..., 4096)
    = 4096
    mmap(0, 98304, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) =
    0x28164000
    mprotect(0x28179000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
    mprotect(0x28179000, 4096, PROT_READ|PROT_EXEC) = 0
    mmap(0x2817a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
    0x15000) = 0x2817a000
    close(3)                                = 0
    mmap(0, 560, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
    munmap(0x2817c000, 560)                 = 0
    mmap(0, 3848, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
    munmap(0x2817c000, 3848)                = 0
    mmap(0, 1648, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
    munmap(0x2817c000, 1648)                = 0
    mmap(0, 13312, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
    munmap(0x2817c000, 13312)               = 0
    mmap(0, 2208, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
    munmap(0x2817c000, 2208)                = 0
    sigaction(SIGILL, {0x280566d0, [], 0}, {SIG_DFL}) = 0
    sigprocmask(SIG_BLOCK, NULL, [])        = 0
    sigaction(SIGILL, {SIG_DFL}, NULL)      = 0
    sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
    sigprocmask(SIG_SETMASK, [], NULL)      = 0
    stat("/proc/bus/pci", 0xbfbfd320)       = -1 ENOENT (No such file or
    directory)
    open("/usr/local/etc/vga/libvga.config", O_RDONLY) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
    fstat(3, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
    readlink("/etc/malloc.conf", 0xbfbf92b0, 63) = -1 ENOENT (No such file or
    directory)
    mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) =
    0x2817c000
    break(0x809f000)                        = 0
    break(0x80a3000)                        = 0
    read(3, "# Configuration file for svgalib"..., 16384) = 15925
    close(3)                                = 0
    open("/root/.svgalibrc", O_RDONLY)      = -1 ENOENT (No such file or
    directory)
    open("/dev/io", O_RDONLY)               = 3
    fcntl(0, F_GETFD)                       = 0
    fcntl(1, F_GETFD)                       = 0
    fcntl(2, F_GETFD)                       = 0
    open("/dev/mem", O_RDWR)                = 4
    fcntl(0, F_GETFD)                       = 0
    fcntl(1, F_GETFD)                       = 0
    fcntl(2, F_GETFD)                       = 0
    fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(5, 0), ...}) = 0
    ioctl(0, VT_GETMODE, 0xbfbfd288)        = -1 ENOTTY (Inappropriate ioctl for
    device)
    fstat(1, {st_mode=S_IFREG|0644, st_size=5769, ...}) = 0
    ioctl(1, VT_GETMODE, 0xbfbfd288)        = -1 ENOTTY (Inappropriate ioctl for
    device)
    fstat(2, {st_mode=S_IFREG|0644, st_size=5910, ...}) = 0
    ioctl(2, VT_GETMODE, 0xbfbfd288)        = -1 ENOTTY (Inappropriate ioctl for
    device)
    open("/dev/console", O_RDWR)            = 5
    ioctl(5, VT_OPENQRY, 0x280b6a08)        = 0
    close(5)                                = 0
    getppid(0x8)                            = 4846
    setpgid(0, 4846)                        = 0
    setsid()                                = 4848
    open("/dev/ttyv8", O_RDWR)              = 5
    ioctl(5, VT_GETACTIVE, 0xbfbfd284)      = 0
    getuid()                                = 0 (euid 0)
    fstat(1, {st_mode=S_IFREG|0644, st_size=6462, ...}) = 0
    write(1, "[svgalib: allocated virtual cons"..., 40[svgalib: allocated
    virtual console #9]
    ) = 40
    close(0)                                = 0
    close(1)                                = 0
    close(2)                                = 0
    dup(5)                                  = 0
    dup(5)                                  = 1
    dup(5)                                  = 2
    write(2, "\33[H\33[J", 6)               = 6
    open("/dev/mem", O_RDONLY)              = 6
    __sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) = 0
    break(0x80a5000)                        = 0
    mmap(0x80a3000, 4096, PROT_READ, MAP_SHARED|MAP_FIXED, 6, 0xc0000) =
    0x80a3000
    close(6)                                = 0
    break(0x80a7000)                        = 0
    mmap(0x80a5000, 4096, PROT_READ, MAP_SHARED|MAP_FIXED, 4, 0xc0000) =
    0x80a5000
    munmap(0x80a5000, 4096)                 = 0
    mmap(0, 65536, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0xa0000) = 0x2817d000
    mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0xb8000) = 0x2818d000
    close(4)                                = 0
    open("/usr/local/etc/vga/libvga.config", O_RDONLY) = 4
    fstat(4, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
    fstat(4, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
    break(0x80ab000)                        = 0
    read(4, "# Configuration file for svgalib"..., 16384) = 15925
    close(4)                                = 0
    open("/root/.svgalibrc", O_RDONLY)      = -1 ENOENT (No such file or
    directory)
    fcntl(0, F_GETFD)                       = 0
    fcntl(1, F_GETFD)                       = 0
    fcntl(2, F_GETFD)                       = 0
    open("/dev/mouse", O_RDWR|O_NONBLOCK)   = -1 ENOENT (No such file or
    directory)
    setuid(0)                               = 0
    getgid()                                = 0 (egid 0)
    setgid(0)                               = 0
    getuid()                                = 0 (euid 0)
    seteuid(0)                              = 0
    getgid()                                = 0 (egid 0)
    setegid(0)                              = 0
    --- SIGSEGV (Segmentation fault) ---
    --- SIGSEGV (Segmentation fault) ---
    
    
    And finally ltrace (note the `%s` argument of the usage fprintf no longer
    points at argv[0]; it is being read as "EOFEOF..." at the time of the crash):
    >ltrace ./mybinary `perl -e 'print "A" x 10000'`
    
    atexit(0x28054e2c)                                = 0
    atexit(0x0804f694)                                = 0
    vga_init(2, 0xbfbfd4c0, 0xbfbfd4cc, 0x28068300, 0xbfbfd36c[svgalib:
    allocated virtual console #9]
    ) = 0
    sscanf(0xbfbfd5af, 0x0804f928, 0x0809d540, 0x0809d644, 0) = 1
    fprintf(0x2814fe90, "\nusage: %s [<options>] <host>:<"...,
    "EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF".
    .. <unfinished ...>
    --- SIGSEGV (Segmentation fault) ---
    +++ killed by SIGSEGV +++
    
    
    Still, thanks a lot to anyone helping me with this topic!
    
    regards
    avel
    
    


