Fedora Linux Support Community & Resources Center

Go Back   FedoraForum.org > Fedora 19/20 > Security and Privacy
FedoraForum Search

Forgot Password? Join Us!

Security and Privacy Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 25th July 2005, 05:45 PM
vvukotic Offline
Registered User
 
Join Date: May 2005
Posts: 9
Buffer overflow doesn't overwrite eip

Hello,

I was trying to run some sample buffer overruns and notice that the eip doesn’t get overwritten.
For example:
Code:
main(int argc, char *argv[])
{
char a[100];
strcpy(a, argv[1]);
}
Overwrites the ebp but not the eip
Code:
[user@localhost shellcode]$ ./vulnerable `perl -e 'print "A" x300'`
Segmentation fault (core dumped)
[user@localhost shellcode]$ gdb vulnerable core.14291
GNU gdb Red Hat Linux (6.3.0.0-1.21rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
....
Loaded system supplied DSO at 0xfe0000
Core was generated by `./vulnerable AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
....
#0  0x080483b1 in main (argc=Cannot access memory at address 0x41414149
) at vulnerable.c:5
5       }
(gdb) info registers eip
eip            0x80483b1        0x80483b1
(gdb) info registers ebp
ebp            0x41414141       0x41414141
(gdb)
Can someone help me understand why this happens?
Is there a way to get this examples working under FC4?

Thanks
Reply With Quote
  #2  
Old 26th July 2005, 04:08 AM
RedFedora Offline
Registered User
 
Join Date: May 2004
Posts: 503
I'll take a stab at this one. You are using the buffer overflow to over-write memory. Stack
memory in this case, I believe. However, registers don't reside in the memory. They are
"containers" inside the processor. You can't really "over-write" them.

Now, it's been a while since I did this, so I may be off here, but this is what I think has happened.
The return address for the main() function got over-written by your 'A' (0x41). This return address
got loaded into the EBP register. If I remember correctly, and I may be wrong) the EBP register
contains the pointer to where code will be executed. EIP contains a pointer to data, usually, rather
than executable code.

Anyway, the EBP register loaded 'AAAA' as the next location to find code, the processor tried to
go to that addresses and had its fingers slapped.
__________________
Registered Linux User # 373325
Reply With Quote
  #3  
Old 26th July 2005, 06:21 PM
vvukotic Offline
Registered User
 
Join Date: May 2005
Posts: 9
Hello,

thank you for answering me.

Sorry for the inaccuracy using when talking about overwriting registry, i know they ‘re not on the stack but talk as they where

Here is a sketch of the stack after the function get called:
...
EBP
Return address
str
....

The string should overwrite both the return address and the EBP. The return address cause the EIP (enhanced Instruction Pointer) to jump to the address stored in it that is in our case 0x41414141.

But I noticed it does not rewrite the return address or something similar.
I don’t know if it is because of the OS or the gcc but noticed this on FC4 and today I tested it o FC3 and saw the same.

The bad thing is that examples from “The art of Exploitation” & “Shellcoders’ Handbook” want work.
The good thing is that if true FC would probably be much harder to run shellcode on and so much secure
(But I would still like to have those examples work on FC4)

Later on I installed slackware 10.0 on VMware and notice that both the return address were overwritten, as it should be. So both eip and ebp contained the value 0x4141414141.
Code:
root@localhost:~#  ./vulnerable "perl  -e  "print "A"x300';" 

Segmentation fault (core dunped)



root@localhost:~# gdb vulnerable c:ore GNU gdb 6.1.1

Copyright 2004 Free Softuare Foundation,  Inc.

GDB is free...

This GDB was configured as "i4B6-slackware-linujt"... Using host libthreaddb library "/lib/libthreaddb .so.l".

Core was generated by    ./vulnerable AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Progran teminated with signal 11 r  Segnentation fault.

Reading synbols fron /lib/libc.so.6...done.

Loaded synbols for /lib/libc.so.6

Reading synbols fron /lib/ld-linux.so.2...done.

Loaded syibols for /lib/ld-linux.so.2

#0    0x41414141 in  ?? ()

(gdb)  info registers eip

eip                     0x41414141             0x41414141

(gdb)  info registers ebp

ebp                     0x41414141             0x41414141

(gdb)
Reply With Quote
Reply

Tags
buffer, eip, overflow, overwrite

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Buffer Overflow Attack? tomh1000 Security and Privacy 0 24th June 2009 01:49 PM
Buffer overflow at mount -t nfs on FC5 ikarasalo Using Fedora 0 18th May 2006 07:41 AM
Buffer OverFlow Stack gaurd ashish1024 Using Fedora 1 25th March 2006 05:32 PM
buffer overflow impossible? Firewing1 Security and Privacy 22 21st January 2006 07:51 PM


Current GMT-time: 05:10 (Monday, 24-11-2014)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat
Niitsu-honcho Travel Photos - Kilosa - Diepenbeek Photos on Instagram