Home page logo
/

metasploit logo Metasploit mailing list archives

Help to get started!
From: dprotti at flowgate.net (Duilio Protti)
Date: Sun, 31 Jul 2005 20:05:10 +0000

In fact, I have tried vuln1_2 on Gentoo Linux, and it fails to exploit
vuln1.c from tutorial. The problem arises because of the Smash Stack
Protector with which libc is compiled in Gentoo. Changing the code of
vuln1.c:

char buf[64];
....
if(read(peersock, buf, 4096) == -1) {
    perror("read");
    return(1);
}

to another one which does not overflow inside of the libc's read()
function:

char buf[64];
char largebuf[4096];
....
if(read(peersock, largebuf, 4096) == -1) {
    perror("read");
    return(1);
}
mystrcpy(buf, largebuf);

where mystrcpy() is defined by us on the same file (say vuln2.c). Then,
when running vuln2 (compiled of course without ssp) the overflow occurs
on mystrcpy(), which doesn't check the stack on return. This way, I have
successfully exploited vuln2 using vuln1_2 from the tutorial, defining a
'Gentoo Linux' target with ESP adjusted to 0xbffff220.

Probably would be good to change vuln1.c on tutorial this way, to evade
compiled protections found on many systems.


Bye,
Duilio Protti.

The tutorial is really geared for showing exploit developers how to
port code to the Framework, not so much how to write an exploit from
scratch. Depending on your operating system and version, there could
all sorts of things preventing that simple stack oveflow from working
(compiled protection, hardened kernel, etc). If you like, email me
off-list with the compiled binary, along with the name, version, and
architecture of your system.

-HD





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault