Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am using fedora core with compiler
gcc (GCC) 3.3.2 20031022 (Red Hat Linux 3.3.2-1
I am trying to write a buffer overwrite program(As my assignment). In that,
I am filling buffer with 'A's. This overflows fine, but the content of the IP register is
shown as something else then '4141414141414141' (Which is Ascii for 'A's.)
BP is showing '4141414141414141' fine.
Is this a new feature of gcc? How to circumvent it?
Without seeing the program it sounds like one of two possibilities:
1) the overflow is not stretching far enough along the stack - if you are trying to be precise realize that GCC 3.something added padding to the stack to prevent {one,five} byte overwrites; if you are a following some tutorial online, it might not cover this.
2) the program has not returned from the function and, thus, eip has not changed, yet.
Those are just guesses though, I would need to see the code for more of an idea.
Yes, your problem is definitely to do with stack frame padding. Open up GDB and run the command `disass main', you are looking for:
Code:
(gdb) disass main
Dump of assembler code for function main:
0x08048344 <main+0>: push %ebp
0x08048345 <main+1>: mov %esp,%ebp
0x08048347 <main+3>: sub $0x228,%esp
0x0804834d <main+9>: and $0xfffffff0,%esp
This is the main function setting up it's stack frame, above the stack frame of it's parent. You will notice that on my system GCC-3.3.1 has created a stack frame that is 552 bytes. You need to take this into account.
As you can see you have managed to overwrite the saved %ebp value, but have not reached %eip. Here is the output for you of two invocations:
Code:
(gdb) r `perl -e 'print "A" x 524'`
[ ... ]
Program received signal SIGSEGV, Segmentation fault.
0x4002e915 in __libc_start_main () from /lib/libc.so.6
(gdb) info reg
[ ... ]
esp 0xbffff490 0xbffff490
ebp 0x41414141 0x41414141
[ ... ]
eip 0x4002e915 0x4002e915
Code:
(gdb) r `perl -e 'print "A" x 552'`
[ ... ]
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg
[ ... ]
esp 0xbfffe960 0xbfffe960
ebp 0x41414141 0x41414141
[ ... ]
eip 0x41414141 0x41414141
The general lesson to learn from this is to always review what the compiler has created. It is very difficult to understand this properly without some base understanding of how memory works and assembly code (you do not need to be able to write it, but approximate reading of it is useful). The other thing is, when you are looking to overwrite the %eip via a simple technique such as this then you should open up the calling function and find the `return location' (as in, what value the saved %eip will contain). Using this `return location' you can take a view of memory and find the exact address that the system intends to pop back into the instruction pointer. From there it is simple to work out how much you need to write. I took a glance at the tutorial you are studying, and it does not seem to cover scenarios such as this -- you should maybe look for a more general tutorial, one without the assumptions made.
Thanx for help.
However, There are two main differences in my trace. First, the stack frame is of 520 bytes.
(gdb) disas main
Dump of assembler code for function main:
0x080483b0 <main+0>: push %ebp
0x080483b1 <main+1>: mov %esp,%ebp
0x080483b3 <main+3>: sub $0x208,%esp
0x080483b9 <main+9>: and $0xfffffff0,%esp
Second, I have tried overrunning by different margins, small and large, but it gives the same result.
(gdb) r `perl -e'print "A" x 600'`
...
Your name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x0804841f in main (argc=Cannot access memory at address 0x41414149
) at begtut.c:13
13 }
Okay, here is something simple to try. All of this is not necessary, but it should make it easy to highlight where the issue lies. Grab yourself a breakpoint just after the strcpy call:
I completed writing program and it turned out that it works fine when I compile it on RH7 and RH9.0 and then run on my machine. When I execute a buffer exploit compiled on my machine, It breaks on the ret instruction.
This makes me guess, that there is indeed some new trick in the GCC that shipped with fedora core.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Buffer Overflow
