
Re: exploiting a binary if %edi can be overwritten?

From: <avel(at)gmx.ch>
Date: Tue Jun 24 2003 - 10:44:28 EDT

> Possibly, but doubtful given what I showed. Depending on the assembly of
> what would give us later on, it may allow it.

.
.
.

>
> With that, want to try gdb mybinary mybinary.core and do something like
> x/10i ?

OK, here is the output of `gdb mybinary mybinary.core`:

>gdb mybinary mybinary.core

GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
Core was generated by `mybinary'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/libvga.so.1... (no debugging symbols found)...done.
Reading symbols from /usr/local/lib/libvgagl.so.1... (no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libm.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...
done.
#0  0x2813ecfa in vfprintf () from /usr/lib/libc.so.4
(gdb) x/10i
0x0:    Cannot access memory at address 0x0.
(gdb) x/10i $pc

0x2813ecfa :     repnz scas %es:(%edi),%al
0x2813ecfc :     mov    %ecx,%eax
0x2813ecfe :     not    %eax
0x2813ed00 :     lea    0xffffffff(%eax),%edi
0x2813ed03 <vfprintf+3999>:     jmp    0x2813f0e6 <vfprintf+4994>
0x2813ed08 <vfprintf+4004>:     orb    $0x10,0xfffffe00(%ebp)
0x2813ed0f <vfprintf+4011>:     mov    0xfffffe00(%ebp),%edx
0x2813ed15 <vfprintf+4017>:     test   $0x20,%dl
0x2813ed18 <vfprintf+4020>:     je     0x2813ed74 <vfprintf+4112>
0x2813ed1a <vfprintf+4022>:     cmpl   $0x0,0xfffffe24(%ebp)
(gdb)

>What happens if you overwrite 10000 bytes instead?

The same: no change in the registers or in the disassembly output.

> What does {k,s,l}trace show?

>ktrace mybinary `perl -e 'print "A" x 10000'` (too much to post, please
specify what you need):

.
.
.

   167 mybinary RET write 37/0x25
   167 mybinary CALL getuid
   167 mybinary RET getuid 0
   167 mybinary CALL setuid(0)
   167 mybinary RET setuid 0
   167 mybinary CALL getgid
   167 mybinary RET getgid 0
   167 mybinary CALL setgid(0)
   167 mybinary RET setgid 0
   167 mybinary CALL getuid
   167 mybinary RET getuid 0
   167 mybinary CALL seteuid(0)
   167 mybinary RET seteuid 0
   167 mybinary CALL getgid
   167 mybinary RET getgid 0
   167 mybinary CALL setegid(0)
   167 mybinary RET setegid 0
   167 mybinary PSIG SIGSEGV SIG_DFL
   167 mybinary NAMI "mybinary.core"

The strace output is also a lot to post, but this part should be fine:
>strace ./mybinary `perl -e 'print "A" x 10000'`

execve("./mybinary", ["./mybinary", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...],
[/* 23 vars */]) = 0
mmap(0, 1976, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x28066000
munmap(0x28066000, 1976)                = 0
__sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) = 0
mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x28066000
geteuid(0xbfbfd4b4)                     = 0
getuid()                                = 0 (euid 0)
getegid(0xbfbfd4b4)                     = 0
getgid()                                = 0 (egid 0)
open("/var/run/ld-elf.so.hints", O_RDONLY) = 3
read(3, "Ehnt\1\0\0\0\200\0\0\0007\0\0\0\0\0\0\0006\0\0\0\0\0\0"..., 128) = 128
lseek(3, 128, SEEK_SET)                 = 128
read(3, "/usr/lib:/usr/lib/compat:/usr/X1"..., 55) = 55
close(3)                                = 0
access("/usr/lib/libvga.so.1", F_OK) = -1 ENOENT (No such file or directory)
access("/usr/lib/compat/libvga.so.1", F_OK) = -1 ENOENT (No such file or directory)
access("/usr/X11R6/lib/libvga.so.1", F_OK) = -1 ENOENT (No such file or directory)
access("/usr/local/lib/libvga.so.1", F_OK) = 0
open("/usr/local/lib/libvga.so.1", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=315348, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\324|\0"..., 4096) = 4096
mmap(0, 331776, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) = 0x2806e000
mprotect(0x280b4000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x280b4000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x280b5000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x46000) = 0x280b5000
mmap(0x280bb000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x280bb000
close(3)                                = 0
access("/usr/lib/libvgagl.so.1", F_OK) = -1 ENOENT (No such file or directory)
access("/usr/lib/compat/libvgagl.so.1", F_OK) = -1 ENOENT (No such file or directory)
access("/usr/X11R6/lib/libvgagl.so.1", F_OK) = -1 ENOENT (No such file or directory)
access("/usr/local/lib/libvgagl.so.1", F_OK) = 0
open("/usr/local/lib/libvgagl.so.1", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=52620, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0H+\0\000"..., 4096) = 4096
mmap(0, 57344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) = 0x280bf000
mprotect(0x280ca000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x280ca000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x280cb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xb000) = 0x280cb000
close(3)                                = 0
access("/usr/lib/libc.so.4", F_OK)      = 0
open("/usr/lib/libc.so.4", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=567860, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\224\'\1"..., 4096) = 4096
mmap(0, 618496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) = 0x280cd000
mprotect(0x2814c000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x2814c000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x2814d000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7f000) = 0x2814d000
mmap(0x28151000, 77824, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x28151000
close(3)                                = 0
access("/usr/lib/libm.so.2", F_OK)      = 0
open("/usr/lib/libm.so.2", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=102192, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0L0\0\000"..., 4096) = 4096
mmap(0, 98304, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) = 0x28164000
mprotect(0x28179000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x28179000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x2817a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x15000) = 0x2817a000
close(3)                                = 0
mmap(0, 560, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 560)                 = 0
mmap(0, 3848, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 3848)                = 0
mmap(0, 1648, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 1648)                = 0
mmap(0, 13312, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 13312)               = 0
mmap(0, 2208, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x2817c000
munmap(0x2817c000, 2208)                = 0
sigaction(SIGILL, {0x280566d0, [], 0}, {SIG_DFL}) = 0
sigprocmask(SIG_BLOCK, NULL, [])        = 0
sigaction(SIGILL, {SIG_DFL}, NULL)      = 0
sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
sigprocmask(SIG_SETMASK, [], NULL)      = 0
stat("/proc/bus/pci", 0xbfbfd320)       = -1 ENOENT (No such file or
directory)
open("/usr/local/etc/vga/libvga.config", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
readlink("/etc/malloc.conf", 0xbfbf92b0, 63) = -1 ENOENT (No such file or directory)
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x2817c000
break(0x809f000)                        = 0
break(0x80a3000)                        = 0
read(3, "# Configuration file for svgalib"..., 16384) = 15925
close(3)                                = 0
open("/root/.svgalibrc", O_RDONLY)      = -1 ENOENT (No such file or
directory)
open("/dev/io", O_RDONLY)               = 3
fcntl(0, F_GETFD)                       = 0
fcntl(1, F_GETFD)                       = 0
fcntl(2, F_GETFD)                       = 0
open("/dev/mem", O_RDWR)                = 4
fcntl(0, F_GETFD)                       = 0
fcntl(1, F_GETFD)                       = 0
fcntl(2, F_GETFD)                       = 0
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(5, 0), ...}) = 0
ioctl(0, VT_GETMODE, 0xbfbfd288)        = -1 ENOTTY (Inappropriate ioctl for
device)
fstat(1, {st_mode=S_IFREG|0644, st_size=5769, ...}) = 0
ioctl(1, VT_GETMODE, 0xbfbfd288) = -1 ENOTTY (Inappropriate ioctl for device)
fstat(2, {st_mode=S_IFREG|0644, st_size=5910, ...}) = 0
ioctl(2, VT_GETMODE, 0xbfbfd288) = -1 ENOTTY (Inappropriate ioctl for device)
open("/dev/console", O_RDWR)            = 5
ioctl(5, VT_OPENQRY, 0x280b6a08)        = 0
close(5)                                = 0
getppid(0x8)                            = 4846
setpgid(0, 4846)                        = 0
setsid()                                = 4848
open("/dev/ttyv8", O_RDWR)              = 5
ioctl(5, VT_GETACTIVE, 0xbfbfd284)      = 0
getuid()                                = 0 (euid 0)
fstat(1, {st_mode=S_IFREG|0644, st_size=6462, ...}) = 0 write(1, "[svgalib: allocated virtual cons"..., 40[svgalib: allocated virtual console #9]
) = 40
close(0)                                = 0
close(1)                                = 0
close(2)                                = 0
dup(5)                                  = 0
dup(5)                                  = 1
dup(5)                                  = 2
write(2, "\33[H\33[J", 6)               = 6
open("/dev/mem", O_RDONLY)              = 6
__sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) = 0
break(0x80a5000)                        = 0
mmap(0x80a3000, 4096, PROT_READ, MAP_SHARED|MAP_FIXED, 6, 0xc0000) = 0x80a3000
close(6)                                = 0
break(0x80a7000)                        = 0
mmap(0x80a5000, 4096, PROT_READ, MAP_SHARED|MAP_FIXED, 4, 0xc0000) = 0x80a5000
munmap(0x80a5000, 4096)                 = 0
mmap(0, 65536, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0xa0000) = 0x2817d000
mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0xb8000) = 0x2818d000
close(4)                                = 0
open("/usr/local/etc/vga/libvga.config", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=15925, ...}) = 0
break(0x80ab000)                        = 0
read(4, "# Configuration file for svgalib"..., 16384) = 15925
close(4)                                = 0
open("/root/.svgalibrc", O_RDONLY) = -1 ENOENT (No such file or directory)
fcntl(0, F_GETFD) = 0
fcntl(1, F_GETFD) = 0
fcntl(2, F_GETFD) = 0
open("/dev/mouse", O_RDWR|O_NONBLOCK) = -1 ENOENT (No such file or directory)
setuid(0)                               = 0
getgid()                                = 0 (egid 0)
setgid(0)                               = 0
getuid()                                = 0 (euid 0)
seteuid(0)                              = 0
getgid()                                = 0 (egid 0)
setegid(0)                              = 0
--- SIGSEGV (Segmentation fault) ---
--- SIGSEGV (Segmentation fault) ---

and finally ltrace:
>ltrace ./mybinary `perl -e 'print "A" x 10000'`

atexit(0x28054e2c)                                = 0
atexit(0x0804f694)                                = 0
vga_init(2, 0xbfbfd4c0, 0xbfbfd4cc, 0x28068300, 0xbfbfd36c[svgalib: allocated virtual console #9]
) = 0
sscanf(0xbfbfd5af, 0x0804f928, 0x0809d540, 0x0809d644, 0) = 1
fprintf(0x2814fe90, "\nusage: %s [<options>] <host>:<"..., "EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"... <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

Still, thanks a lot to anyone helping me with this topic!

regards
avel

-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
Received on Tue Jun 24 19:36:37 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

