|
Vulnerability Development
mailing list archives
Re: solaris gdb screen mayhem
From: corecode <corecode () corecode ath cx>
Date: Thu, 30 Aug 2001 14:21:26 +0000
At 09:51 PM 8/29/2001, Antonomasia wrote:
I've been attempting a white-hat "exploit" to run some demo code
on the stack on Solaris. The aim is to show whether the non-executable
stack is in force (and the /etc/system file may not be a reliable guide
to this if modified since last boot or something).
So ideally I'd take a Solaris/sparc shellcode and modify "sh" to "id"
and plant this in a program that deliberately overflows itself. And this
will be run on various machines periodically.
nice idea... so you want to check if your boxes are still in
non-executable-stack state?
but you should write the "shellcode" on your own to fit your purposes. you
don't need a shellcode.
My problems arise when:
Having got "execution" of the illegal string "AAAAAAAA" I replace
it with downloaded shellcode and this disturbs the exploit so it
needs some adjustment. I get a core dump from either SEGV or BUS
and in trying to find the program state with gdb it throws garbage
over the screen and is not recovered by "stty sane" or "reset".
I suppose I could wrap gdb in perl and allow only filtered chars to
my terminal. What do other people do about this ?
Execution on a non-executable stack gets a SEGV. Is there a way
the program can distinguish this from any other SEGV ?
why don't you try this one: it would be enough to call exit(1) in the
"shellcode". so if the code on the stack gets executed, the program will
return 1 (== shell false). install a signal(SIGSEGV) and signal(SIGBUS)
handler that will exit(0);
good idea?
cheerz
corecode
--
http://www.eikon.tum.de/~simons/security/
 By Date 
By Thread
Current thread:
| 
Intro
