Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Simple Buffer Overflow
From: Siim Põder <siim () p6drad-teel net>
Date: Tue, 15 Jan 2008 02:04:35 +0200 (EET)


E, 14. jaanuar, 16:11, Ronald van der Westen kirjutas:
Debian 2.6.18 is using Address Space Randomization, this means that
your stack will be at another address every run. It is not possible to
exploit this with a hardcoded return address.

linux-gate.so may contain a jmp esp, in which case it could be possible to
exploit this with hardcoded return address. see
http://www.milw0rm.com/papers/55 .

On 10 Jan 2008 02:09:46 -0000,  <loki6 () orange nl> wrote:
The first time I tried today it overflowed the EIP correctly and I
didn't change anything.

ECX is 0x41414141 and

ESP is 0x4141413d

you have changed esp and the ret will read the wrong return address. to
make it easier, in the beginning try to:

1) turn of stack randomization (sysctl kermel.va_randomize_space=0)
2) move the overflow to a separate function (call dostuff(argv) and put
the buffer and the strcat into that function) - that way it's easier to
debug it . see where the call writes the eip and nexti through your
function to see how the buffer is overwritten and ret changed etc.

EBP is 0xbf004141

Since stack and frame pointer both have 41 in them I figure part of them
is overflowed. Why not the Extended Instruction Pointer?

I was wondering if someone was able to help me with this, because I
really want to get the hang of this.

I don't know if I got the NOP sled and return address right either,
because when using GDB:

    x/s $esp

I get:

0x4141413d:   <Address 0x4141413d out of bounds

I'm kinda stuck from there.

My problem in short:

- How do I get a reliable return address with GDB

without stack randomization just step through the code once and note where
your shellcode gets written. with stack randomization you have to use
tricks (look for it on google)

- How do I determine the length of the NOP sled

nop sled is only useful for brute forcing, afaiak

- How do I test shellcode

jmp shellcode


This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]