mailing list archives
Re: Exploiting buffer overflows via protected GCC
From: Valdis.Kletnieks () vt edu
Date: Fri, 13 Feb 2009 12:28:05 -0500
On Fri, 13 Feb 2009 11:50:11 EST, Jason Starks said:
memset(buf, 'A', 528);
Don't do that. This sort of "whoops" is exactly what the gcc SSP canary is
designed to stop.
I have googled my brains out for a solution, but all I have gathered is that
my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
return address it also overwrites the canary's value, and triggers a stop in
the program. I've disassembled it and anybody who can help me probably
doesn't need me to explain much more, but I would like to know a way to get
this. There seems to be some people on this list who may know something on
how to exploit on *nix systems with this protection enabled.
What you want to do is be more precise in your splatting. Instead of
one memset, see if you can come up with a way to do *two* memsets, which
leave your stack looking like:
'AAAAAAAAA' (above the canary)
<4 unmolested bytes of canary>
'AAAAAAAAA' (below the canary)
Of course, if you're trying to exploit already-existing code, you probably
only have one memset/strcpy you can abuse, and the starting address of the
destination is already nailed down, which means you need to fill in the
4 bytes of canary correctly. This means you need to find a way to obtain
the value so you can use it. One hint - sometimes you're better off targeting
the stack frame 2 or 3 function calls back, rather than the *current* frame.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/