Vulnerability Development mailing list archives
Re: Problem exploiting a CGI overflow
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Wed, 24 Nov 2004 12:14:55 +0100 (CET)
I discover that the shellcode change during his execution. Yeah, some bytes of the shellcode change while is running. Why?? How can avoid this?
The problem here is that some bytes in the shellcode are converted into 0x20. Namely, 0x0b (execve syscall number) is converted into 0x20 (gtty syscall number -- an unimplemented syscall), screwing up the execution of your shell. $ strace ./post2 <buffer [...] read(0, "", 4096) = 0 gtty(0xbffff7ec, 0xbffff7f4) = -1 ENOSYS (Function not implemented) _exit(0) = ? The following special bytes pose similar problems: 0x09 ('\t'), 0x0a ('\n'), 0x0c ('\f') and 0x0d ('\r'). You should try to exploit the cgi with a special shellcode (note that you may also need to close stdin and re-open the tty -- see http://www.0xdeadbeef.info/code/gets-linux.c). Since i suppose you wanna build a remote exploit, ret-into-envp is useless here (i.e. you can't stuck your shellcode into the environment). Moreover, i don't think chained ret-into-libc may be feasible... I don't have enough time to play with that any further, but i hope you'll be able to find a viable solution ;) Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
Current thread:
- Problem exploiting a CGI overflow Víctor Henríquez (Nov 23)
- Re: Problem exploiting a CGI overflow sin (Nov 23)
- Re: Problem exploiting a CGI overflow Víctor Henríquez (Nov 24)
- Re: Problem exploiting a CGI overflow sin (Nov 24)
- Re: Problem exploiting a CGI overflow Vlad902 (Nov 27)
- Re: Problem exploiting a CGI overflow Víctor Henríquez (Nov 24)
- Re: Problem exploiting a CGI overflow Víctor Henríquez (Nov 28)
- Re: Problem exploiting a CGI overflow sin (Nov 29)
- <Possible follow-ups>
- Re: Problem exploiting a CGI overflow Marco Ivaldi (Nov 24)
- Re: Problem exploiting a CGI overflow sin (Nov 28)
- Re: Problem exploiting a CGI overflow Marco Ivaldi (Nov 28)
- Re: Problem exploiting a CGI overflow sin (Nov 23)