
exploiting a binary if %edi can be overwritten?

From: <avel(at)gmx.ch>
Date: Mon Jun 23 2003 - 04:06:05 EDT


hi community,

i have a buffer overflow question. If i have a binary (no src available) that
i can crash with a too long string, so that %edi is set to 0x41414141
(means i could control it)... can i craft the buffer so that the address in
%edi is actually jumped to?

If i put in a malformed addr (like above) the proc segfaults, if i put in a valid one (like the addr of my shellcode) it gets executed normally (that's why i think i have to restore/push/pop %edi to another register somehow... but how?)

In theory i'd like to do something like restoring the addr i have written to the place where %edi is to some other register, which would jmp to the addr given by me. I just dunno _where_ to write _what_ to accomplish that. Maybe push %edi and ret in opcodes (but where? in front of my shellcode won't make much sense, since the prog won't jmp there...)? ...is this exploitable at all?

# ./mybinary `perl -e 'print "A" x 5000'`
Segmentation fault (core dumped)

# gdb -core mybinary.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `mybinary'.
Program terminated with signal 11, Segmentation fault.
#0  0x2813ecfa in ?? ()
(gdb) bt

#0  0x2813ecfa in ?? ()
#1  0x2813dae9 in ?? ()
#2  0x2813de32 in ?? ()
#3  0x2813da25 in ?? ()
#4  0x8049123 in ?? ()
#5  0x8049831 in ?? ()
#6  0x804cd19 in ?? ()
#7  0x804906a in ?? ()

(gdb) i reg
eax            0x0        0
ecx            0xffffffff -1
edx            0x2813ec4c 672394316
ebx            0x2815000c 672464908
esp            0xbfbfdd48 0xbfbfdd48
ebp            0xbfbfdfa0 0xbfbfdfa0
esi            0x8        8
edi            0x41414141 1094795585
eip            0x2813ecfa 0x2813ecfa
eflags         0x3286     12934
cs             0x1f       31
ss             0x2f       47
ds             0x2f       47
es             0x2f       47
fs             0x2f       47
gs             0x2f       47
(gdb) x/10i $pc
0x2813ecfa: Cannot access memory at address 0x2813ecfa.

(gdb) x/10i $eax

0x0: Cannot access memory at address 0x0.
(gdb) x/10i $ecx

0xffffffff: Cannot access memory at address 0xffffffff.
(gdb) x/10i $ebx
0x2815000c:     push   %esp
0x2815000d:     das
0x2815000e:     or     %al,(%eax)
0x28150010:     add    %al,0x34502806(%ebx)
0x28150016:     add    $0xdcfba28,%eax
0x2815001b:     sub    %cl,%dl
0x2815001d:     iret
0x2815001e:     or     $0xdcfda28,%eax
0x28150023:     sub    %ch,%dl
0x28150025:     iret

(gdb) x/10i $esp
0xbfbfdd48:     or     $0x0,%al
0xbfbfdd4a:     adc    $0x14fe9028,%eax
0xbfbfdd4f:     sub    %bl,%al
0xbfbfdd51:     jecxz  0xbfbfdd12
0xbfbfdd53:     mov    $0x20202020,%edi
0xbfbfdd58:     and    %ah,(%eax)
0xbfbfdd5a:     and    %ah,(%eax)
0xbfbfdd5c:     mov    %ds,%edi
0xbfbfdd5e:     mov    $0xbfe6e0bf,%edi
0xbfbfdd63:     mov    $0x2,%edi
(gdb) x/10i $ebp
0xbfbfdfa0:     xor    %ah,%ah
0xbfbfdfa2:     mov    $0x13dae9bf,%edi
0xbfbfdfa7:     sub    %bl,%al
0xbfbfdfa9:     jecxz  0xbfbfdf6a
0xbfbfdfab:     mov    $0x804f6c0,%edi
0xbfbfdfb0:     in     $0xe6,%al
0xbfbfdfb2:     mov    $0x13da89bf,%edi
0xbfbfdfb7:     sub    %cl,(%eax,%eax,1)
0xbfbfdfba:     adc    $0xbfe84028,%eax
0xbfbfdfbf:     mov    $0xbfbfe84c,%edi

(gdb) x/10i $esi

0x8: Cannot access memory at address 0x8.
(gdb) x/10i $edi

0x41414141: Cannot access memory at address 0x41414141.
(gdb) x/10i $eip

0x2813ecfa: Cannot access memory at address 0x2813ecfa.
(gdb)

Thanks for any help with that topic!

avel

-- 
+++ GMX - Mail, Messaging & more
http://www.gmx.net +++
Please smile! Photo gallery online with GMX without your own homepage!
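A crash-triage helper for the register dump shown above, added here as an example and not part of the original post: it parses gdb `info registers` output (the one-line form the archive shows or gdb's normal multi-line form) and reports which registers are entirely filled with the input fill byte (0x41), which is how one tells an input-controlled register such as %edi apart from an unrelated faulting %eip. The register names and values come from the post; `triage` and its result keys are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the `info registers` dump from the post, flattened to
# one line the way the archive shows it. %edi holds the 0x41 ('A') fill bytes
# of the long argument; %eip does not.
SAMPLE_INFO_REG = (
    "eax 0x0 0 ecx 0xffffffff -1 edx 0x2813ec4c 672394316 "
    "ebx 0x2815000c 672464908 esp 0xbfbfdd48 0xbfbfdd48 "
    "ebp 0xbfbfdfa0 0xbfbfdfa0 esi 0x8 8 edi 0x41414141 1094795585 "
    "eip 0x2813ecfa 0x2813ecfa eflags 0x3286 12934 cs 0x1f 31"
)

# gdb prints each register as: <name> <hex value> <natural value>, where the
# natural value is decimal for data registers and hex again for esp/ebp/eip.
_REG_RE = re.compile(r"\b([a-z]{2,6})\s+(0x[0-9a-f]+)\s+(?:-?\d+|0x[0-9a-f]+)\b")


def parse_info_registers(text: str) -> Dict[str, int]:
    """Parse gdb `info registers` output (one line or many) into name -> value."""
    return {m.group(1): int(m.group(2), 16) for m in _REG_RE.finditer(text)}


def filled_with(value: int, fill_byte: int, width: int = 4) -> bool:
    """True when every byte of a width-byte register equals fill_byte."""
    return value == int.from_bytes(bytes([fill_byte]) * width, "little")


def tainted_registers(regs: Dict[str, int], fill_byte: int = 0x41) -> List[str]:
    """Registers whose whole value is the input fill pattern: direct input control."""
    return [name for name, val in regs.items() if filled_with(val, fill_byte)]


def triage(text: str, fill_byte: int = 0x41) -> dict:
    """Summarise which registers the input reached and whether pc itself was hit."""
    regs = parse_info_registers(text)
    tainted = tainted_registers(regs, fill_byte)
    return {
        "tainted": tainted,
        # pc made of fill bytes would mean the input reached the return address;
        # in the post pc is a library address and the fault came from using %edi.
        "pc_controlled": "eip" in tainted,
        "pc": regs.get("eip"),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_INFO_REG))
```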
Received on Mon Jun 23 14:02:43 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

