Re: Buffer Overflow Experiment

From: Rick Zhong (sagiko@gmail.com)
Date: Fri Sep 14 2007 - 05:34:26 EDT

• Next message: Justin Ferguson: "Re: Buffer Overflow Experiment"
• Previous message: Jamie Riden: "Re: anonymous socks proxies ??"
• In reply to: Alcides: "Buffer Overflow Experiment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,
Since you are using Fedora, have you disabled kernel.exec-shield ?
the va randomize i.e. kernel.exec-shield-randomize is only one of the
exec-shield features... So you may want to disable the whole
exec-shiedl to test your code.

regards,
Rick

On 9/13/07, Alcides <alcides.hercules@gmail.com> wrote:
> Hi List,
> I was wondering if someone has already done this.
> I'm testing a small program written in C, especially coded for testing
> buffer overflow.
> In source code, I have assigned char buffer[512]; I compile with gcc and
> run on bash.
>
> As soon as I pass "512" characters as argument("A"x512--being precise),
> the program gives " Segmentation fault (core dumped )" -->as desired.
>
> 1] Using GDB debugger, it has been verified that the extended
> instruction pointer EIP has been overwritten, as expected.
> (EIP-->0x41414141)
> 2] But, on passing "513" chars. argument, the EIP becomes 0x0 -->WHY
> 3]On passing 520 chars. argument, EIP takes 'some' value and EBP
> becomes 0x41414141
> 4]Thereafter, every increment by 1 --> in input characters causes EIP to
> remain the same as that 'some' value and EBP to take various incremental
> values.
> every time, for several unit increments
>
> [I am using: 2.6.21-1.3194.fc7 kernel, i686, Disabled VA randomization]
>
> Any views that help me understand why EIP becomes 0, are welcome.
>
>
> Thanks.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Justin Ferguson: "Re: Buffer Overflow Experiment"
• Previous message: Jamie Riden: "Re: anonymous socks proxies ??"
• In reply to: Alcides: "Buffer Overflow Experiment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:07 EDT