Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Exploiting buffer overflows via protected GCC
From: Jubei Trippataka <vpn.1.fanatic () gmail com>
Date: Tue, 17 Feb 2009 12:19:07 +1100

memset(buf, 'A', 528);

Don't do that.  This sort of "whoops" is exactly what the gcc SSP canary is
designed to stop.

I could comment on this, but... I'll leave it.

I have googled my brains out for a solution, but all I have gathered is
my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
return address it also overwrites the canary's value, and triggers a stop
the program. I've disassembled it and anybody who can help me probably
doesn't need me to explain much more, but I would like to know a way to
this. There seems to be some people on this list who may know something
how to exploit on *nix systems with this protection enabled.

What you want to do is be more precise in your splatting.  Instead of
one memset, see if you can come up with a way to do *two* memsets, which
leave your stack looking like:

     'AAAAAAAAA' (above the canary)
     <4 unmolested bytes of canary>
     'AAAAAAAAA' (below the canary)

Of course, if you're trying to exploit already-existing code, you probably
only have one memset/strcpy you can abuse, and the starting address of the
destination is already nailed down, which means you need to fill in the
4 bytes of canary correctly.  This means you need to find a way to obtain
the value so you can use it.  One hint - sometimes you're better off
the stack frame 2 or 3 function calls back, rather than the *current*

You commenting on exploitation is kind of like asking a deaf person what
their favorite song is. You obviously have no clue what you are talking
about due to the fact you offered absolutely no insight in to the protection
mechanism he was asking about, nor potential means of exploitation. Given
this the real question remains, do you actually believe you have any clue
about this stuff, or are you like Wallace and just want to post useless


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]