[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Exploiting buffer overflows via protected GCC

To: Valdis.Kletnieks@xxxxxx
Subject: Re: [Full-disclosure] Exploiting buffer overflows via protected GCC
From: ArcSighter Elite <arcsighter@xxxxxxxxx>
Date: Fri, 13 Feb 2009 13:13:25 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valdis.Kletnieks@xxxxxx wrote:
> On Fri, 13 Feb 2009 11:50:11 EST, Jason Starks said:
> 
>> memset(buf, 'A', 528);
> 
> Don't do that.  This sort of "whoops" is exactly what the gcc SSP canary is
> designed to stop.
> 
>> I have googled my brains out for a solution, but all I have gathered is that
>> my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
>> return address it also overwrites the canary's value, and triggers a stop in
>> the program. I've disassembled it and anybody who can help me probably
>> doesn't need me to explain much more, but I would like to know a way to get
>> this. There seems to be some people on this list who may know something on
>> how to exploit on *nix systems with this protection enabled.
> 
> What you want to do is be more precise in your splatting.  Instead of
> one memset, see if you can come up with a way to do *two* memsets, which
> leave your stack looking like:
> 
>       'AAAAAAAAA' (above the canary)
>       <4 unmolested bytes of canary>
>       'AAAAAAAAA' (below the canary)
> 
> Of course, if you're trying to exploit already-existing code, you probably
> only have one memset/strcpy you can abuse, and the starting address of the
> destination is already nailed down, which means you need to fill in the
> 4 bytes of canary correctly.  This means you need to find a way to obtain
> the value so you can use it.  One hint - sometimes you're better off targeting
> the stack frame 2 or 3 function calls back, rather than the *current* frame.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

He was actually seeking for ways to bypass stack protection in gcc
environments. There may be references at the web, reducing the entropy
for prediction, brute-forcing or abusing signal handlers, could be a
good starting point. I have little experience with gcc, ask Matt Miller.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJlbfFH+KgkfcIQ8cRAtR8AKCFeamGDKgIzqjZJZLRc+WaNMdhlQCg1fc3
z3u4YNF0Hkkv+4EydOkX1oo=
=Gz91
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Exploiting buffer overflows via protected GCC
  - From: Jason Starks
- Re: [Full-disclosure] Exploiting buffer overflows via protected GCC
  - From: Valdis . Kletnieks

Prev by Date: Re: [Full-disclosure] Exploiting buffer overflows via protected GCC
Next by Date: [Full-disclosure] [SECURITY] [DSA 1724-1] New moodle packages fix several vulnerabilities
Previous by thread: Re: [Full-disclosure] Exploiting buffer overflows via protected GCC
Next by thread: Re: [Full-disclosure] Exploiting buffer overflows via protected GCC
Index(es):
- Date
- Thread