Re: Simple Buffer Overflow

From: Siim Põder (siim@p6drad-teel.net)
Date: Mon Jan 14 2008 - 19:04:35 EST


Yo!

On Mon, 14 January, 16:11, Ronald van der Westen wrote:
> Debian 2.6.18 is using Address Space Randomization, this means that
> your stack will be at another address every run. It is not possible to
> exploit this with a hardcoded return address.

linux-gate.so may contain a jmp esp, in which case it could be possible to
exploit this with a hardcoded return address. See
http://www.milw0rm.com/papers/55 .

> On 10 Jan 2008 02:09:46 -0000, <loki6@orange.nl> wrote:
>> The first time I tried today it overflowed the EIP correctly and I
>> didn't change anything.
>>
>>
>> ECX is 0x41414141 and
>>
>> ESP is 0x4141413d

You have changed esp, and the ret will read the wrong return address. To
make it easier, in the beginning try to:

1) turn off stack randomization (sysctl kernel.randomize_va_space=0)
2) move the overflow to a separate function (call dostuff(argv) and put
the buffer and the strcat into that function) - that way it's easier to
debug it. See where the call writes the eip and nexti through your
function to see how the buffer is overwritten and ret changed etc.

>>
>> EBP is 0xbf004141
>>
>>
>> Since stack and frame pointer both have 41 in them I figure part of them
>> is overflowed. Why not the Extended Instruction Pointer?
>>
>>
>> I was wondering if someone was able to help me with this, because I
>> really want to get the hang of this.
>>
>>
>> I don't know if I got the NOP sled and return address right either,
>> because when using GDB:
>>
>>
>>
>> x/s $esp
>>
>>
>> I get:
>>
>>
>> 0x4141413d: <Address 0x4141413d out of bounds
>>
>>
>> I'm kinda stuck from there.
>>
>>
>> My problem in short:
>>
>>
>> - How do I get a reliable return address with GDB

Without stack randomization, just step through the code once and note where
your shellcode gets written. With stack randomization you have to use
tricks (look for it on Google).

>> - How do I determine the length of the NOP sled

A nop sled is only useful for brute forcing, afaik.

>> - How do I test shellcode

jmp shellcode

-- 
siim
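As an added illustration (not code from this thread or from any of its posters), here is the layout Siim recommends for debugging: the strcat into a fixed buffer isolated in its own dostuff()-style function, placed beside a hardened version that rejects any argument that would not fit. The names dostuff_unsafe, dostuff_safe and BUF_SIZE are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed buffer size; the thread does not state one */

/* Hypothetical stand-in for the program in the thread, with the overflow
 * isolated in its own function as Siim suggests, so the frame that strcat
 * overwrites (saved EBP, return address) belongs to this function alone.
 * Deliberately unsafe: strcat() checks nothing, so an argument longer than
 * BUF_SIZE writes past buf into the saved frame pointer and return address.
 * Kept for contrast with the hardened form below. */
void dostuff_unsafe(const char *arg)
{
    char buf[BUF_SIZE];
    buf[0] = '\0';
    strcat(buf, arg);   /* no bound: corrupts the stack frame on long input */
    printf("%s\n", buf);
}

/* Hardened form: measure first, refuse input that does not fit, then copy
 * with an explicit bound. Returns 0 on success and -1 if the argument is too
 * long. The result is written to `out` so a caller (or test) can inspect it. */
int dostuff_safe(const char *arg, char *out, size_t out_size)
{
    char buf[BUF_SIZE];
    size_t need = strlen(arg) + 1;   /* bytes needed, including terminator */
    if (need > sizeof buf)
        return -1;                   /* would overflow: reject, never truncate silently */
    memcpy(buf, arg, need);
    if (out != NULL && out_size > 0) {
        strncpy(out, buf, out_size - 1);
        out[out_size - 1] = '\0';
    }
    return 0;
}

int main(int argc, char **argv)
{
    char out[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 1;
    }
    if (dostuff_safe(argv[1], out, sizeof out) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 2;
    }
    printf("%s\n", out);
    return 0;
}
```

Stepping through dostuff_unsafe under gdb with randomize_va_space=0, as Siim describes, shows the saved frame being overwritten; dostuff_safe simply returns -1 for the same input.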


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT