Vulnerability Development: Buffer Overflow Help

Buffer Overflow Help

From: <eip_at_tampabay.rr.com>
Date: 9 Nov 2004 03:09:39 -0000
I am trying to learn how to write a basic stack buffer overflow on linux. The program that I am exploiting is:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc, char **argv) {

        char buffer[256];
        if (argc <=1) {

                printf("You did not enter any data\n");
                exit (0);
        }

        /* unbounded copy of argv[1] into a 256-byte stack buffer: the overflow under discussion */
        strcpy(buffer, argv[1]);
        printf("You Entered:%s\n", buffer);
        return 0;
}

I can overwrite EIP with 272 bytes of data. When I use gdb to find a return address I keep getting different address ranges.
[root_at_localhost learning]# ./basic `perl -e "print 'A' x 272;"`
You Entered:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
[root_at_localhost learning]# gdb ./basic core.3615
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...

warning: exec file is newer than core file.
Core was generated by `./basic AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x41414141 in ?? ()
(gdb) x/100 $esp - 300
0xbffff5b4: 0x421328d4 0xbffff6d8 0x080483f1 0x080484c0
0xbffff5c4: 0xbffff5d0 0x40015848 0x00000001 0x41414141
0xbffff5d4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff5e4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff5f4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff604: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff614: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff624: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff634: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff644: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff654: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff664: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff674: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff684: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff694: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff6a4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff6b4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff6c4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff6d4: 0x41414141 0x41414141 0x41414141 0x00000000
0xbffff6e4: 0xbffff724 0xbffff730 0x400154f0 0x00000002
0xbffff6f4: 0x080482e0 0x00000000 0x08048301 0x08048390
0xbffff704: 0x00000002 0xbffff724 0x080483f8 0x08048428
0xbffff714: 0x4000cc60 0xbffff71c 0x00000000 0x00000002
0xbffff724: 0xbffffab4 0xbffffabc 0x00000000 0xbffffbcd
0xbffff734: 0xbffffbec 0xbffffbf7 0xbffffc07 0xbffffc15
(gdb) q
[root_at_localhost learning]# rm -f core.3615
[root_at_localhost learning]# ./basic `perl -e "print 'A' x 272;"`
You Entered:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
[root_at_localhost learning]# gdb ./basic core.3622
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...

warning: exec file is newer than core file.
Core was generated by `./basic AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x41414141 in ?? ()
(gdb) x/100 $esp - 300
0xbfffe434: 0x421328d4 0xbfffe558 0x080483f1 0x080484c0
0xbfffe444: 0xbfffe450 0x40015848 0x00000001 0x41414141
0xbfffe454: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe464: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe474: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe484: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe494: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe4a4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe4b4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe4c4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe4d4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe4e4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe4f4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe504: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe514: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe524: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe534: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe544: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe554: 0x41414141 0x41414141 0x41414141 0x00000000
0xbfffe564: 0xbfffe5a4 0xbfffe5b0 0x400154f0 0x00000002
0xbfffe574: 0x080482e0 0x00000000 0x08048301 0x08048390
0xbfffe584: 0x00000002 0xbfffe5a4 0x080483f8 0x08048428
0xbfffe594: 0x4000cc60 0xbfffe59c 0x00000000 0x00000002
0xbfffe5a4: 0xbffffab4 0xbffffabc 0x00000000 0xbffffbcd
0xbfffe5b4: 0xbffffbec 0xbffffbf7 0xbffffc07 0xbffffc15
(gdb)

I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Redhat 9 box kernel 2.4.20-31.9. Am I doing something wrong?
Received on Nov 10 2004
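For contrast, here is a bounds-checked counterpart of the posted program. This is an added example, not code from the original poster or from the list; the names bounded_copy, echo_input and echo_repeated are my own. The original copies argv[1] into a 256-byte stack buffer with strcpy(), so any argument of 256 bytes or more runs past the buffer into the saved frame pointer and return address (which is why 272 bytes of 'A' lands 0x41414141 in EIP). The version below measures the input against the buffer capacity first and refuses anything that does not fit together with its terminating NUL, so the copy can never leave the buffer.

```c
/* Hardened counterpart of the program in the post (added example, not the
 * poster's code). Input that would not fit in the 256-byte buffer is
 * rejected instead of copied. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 256

/* Copy src into dst (capacity dstsz) only if it fits including its NUL.
 * Returns 0 on success, -1 if the input would overflow dst.
 * Uses memchr() rather than strlen() so we never scan further than dstsz
 * bytes of the source. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    const char *nul;
    size_t len;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    nul = memchr(src, '\0', dstsz);   /* NUL must appear within dstsz bytes */
    if (nul == NULL)
        return -1;                    /* too long: no room for the NUL */
    len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);        /* len < dstsz, so this stays in bounds */
    return 0;
}

/* Same behaviour as the poster's program, wrapped so it can be exercised
 * without argv. Returns 0 if the input was echoed, 1 if it was rejected. */
int echo_input(const char *arg)
{
    char buffer[BUFSZ];

    if (bounded_copy(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "Input too long (max %d bytes)\n", BUFSZ - 1);
        return 1;
    }
    printf("You Entered:%s\n", buffer);
    return 0;
}

/* Helper mirroring the poster's perl -e "print 'A' x N": builds a string of
 * n copies of c and feeds it to echo_input(). Returns echo_input()'s result,
 * or -1 if the string could not be allocated. */
int echo_repeated(char c, size_t n)
{
    char *s = malloc(n + 1);
    int rc;

    if (s == NULL)
        return -1;
    memset(s, c, n);
    s[n] = '\0';
    rc = echo_input(s);
    free(s);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc <= 1) {
        printf("You did not enter any data\n");
        return 0;
    }
    return echo_input(argv[1]);
}
```

Run it with the same 272-byte argument as in the post and it prints the rejection message instead of crashing; 255 bytes is the longest input it accepts, since the 256th byte of the buffer is reserved for the NUL. The boundary is the part worth testing: an off-by-one in the length check would reintroduce the overflow, just one byte shorter.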