Just a quick summary of the solution for those interested.
sin <sin_at_innocence-lost.net> wrote:
> It seems like if bash is the one converting the characters, that you
> should be able to bypass the problems by changing the exploit to call
> execve() with argv/envp setup. Am I incorrect here?
It's not bash that is responsible for the character conversion, but the
scanf() function itself.
sin <sin_at_innocence-lost.net> wrote:
> As for not being able to return into envp like that, seeing as it's a
> CGI, it seems like that would depend on the method used by the
> webserver, IIRC get variables end up in the environment, and post
> variables come from stdin, so if it used get, it seems like you would be
> able to.
Ret-into-envp may be feasible locally, but I don't believe it would be
possible to remotely control the envp in this case, though I've not tested
it -- so I may be wrong.
Victor Henriquez <vhenriquez_at_grancanaria.com> wrote:
> You are right. I use your shellcode
> (http://www.0xdeadbeef.info/code/gets-linux.c) --removing 0x0b-- and now
> it works.
>
> But why do I need to close stdin?
Because functions like scanf() and gets() use fd 0 (stdin), and for
some reason (I've not investigated this problem further after I found the
special shellcode work-around) if you use them to trigger the buffer
overflow you don't have control of stdin. This means that you can't
properly execute an interactive shell without re-opening the tty, to gain
access to all needed descriptors (0, 1, and 2) -- although other programs
work just fine without stdin, e.g. try with /bin/ls instead of /bin/sh.
Cheers,
--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
Received on Nov 29 2004
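The thread's point that scanf(), not bash, is what "converts" certain bytes (and why 0x0b had to be dropped) comes down to the C-library semantics of the "%s" directive: it skips leading whitespace and stops at the first whitespace byte, so those byte values can never be delivered into the destination buffer through that call. The following added example (not code from the thread or from Marco Ivaldi) enumerates which byte values terminate a "%s" conversion by feeding each one through sscanf(); it assumes the default "C" locale, where isspace() matches exactly six bytes. It is useful when reviewing what input a scanf()-based reader can and cannot accept.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: which byte values stop a scanf("%s") conversion?
 * "%s" skips leading whitespace and stops at the first whitespace byte,
 * so such a byte never reaches the buffer via scanf(). In the "C" locale
 * (assumed here) isspace() is true for 0x09 0x0a 0x0b 0x0c 0x0d 0x20;
 * 0x0b is vertical tab, which is why it had to be removed in the thread. */

/* Feed the two-byte string "A<c>" through sscanf("%s") and report whether
 * byte c terminated the field. Returns 1 if it did, 0 if c was copied. */
int scanf_stops_on(unsigned char c)
{
    char in[3] = { 'A', (char)c, '\0' };
    char out[8] = { 0 };

    if (c == '\0')
        return 1;               /* NUL ends the C string before scanf sees it */
    if (sscanf(in, "%7s", out) != 1)
        return 1;               /* nothing converted at all */
    return strlen(out) == 1;    /* only 'A' copied -> c terminated the field */
}

/* Count the byte values 1..255 that terminate "%s". In the "C" locale this
 * is exactly the six isspace() bytes listed above. */
int count_scanf_terminators(void)
{
    int n = 0;
    for (int c = 1; c < 256; c++)
        if (scanf_stops_on((unsigned char)c))
            n++;
    return n;
}

/* Cross-check against the locale's own classification. */
int matches_isspace(void)
{
    for (int c = 1; c < 256; c++)
        if (scanf_stops_on((unsigned char)c) != (isspace(c) != 0))
            return 0;
    return 1;
}

int main(void)
{
    printf("bytes that terminate scanf(\"%%s\"):");
    for (int c = 1; c < 256; c++)
        if (scanf_stops_on((unsigned char)c))
            printf(" 0x%02x", c);
    printf("\n%d total, matches isspace(): %s\n",
           count_scanf_terminators(), matches_isspace() ? "yes" : "no");
    return 0;
}
```

Note that gets() and fgets() behave differently: they stop only at a newline (and at EOF), so the set of bytes they refuse to deliver is much smaller. That difference is exactly why a reader based on scanf("%s") constrains input far more than one based on gets(), and why a review of either should start from the terminating-byte set rather than from what the shell passes through.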