[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Exploiting buffer overflows via protected GCC



>
>
> > memset(buf, 'A', 528);
>
> Don't do that.  This sort of "whoops" is exactly what the gcc SSP canary is
> designed to stop.
>

I could comment on this, but... I'll leave it.


>
> > I have googled my brains out for a solution, but all I have gathered is
> that
> > my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
> > return address it also overwrites the canary's value, and triggers a stop
> in
> > the program. I've disassembled it and anybody who can help me probably
> > doesn't need me to explain much more, but I would like to know a way to
> get
> > this. There seems to be some people on this list who may know something
> on
> > how to exploit on *nix systems with this protection enabled.
>
> What you want to do is be more precise in your splatting.  Instead of
> one memset, see if you can come up with a way to do *two* memsets, which
> leave your stack looking like:
>
>      'AAAAAAAAA' (above the canary)
>      <4 unmolested bytes of canary>
>      'AAAAAAAAA' (below the canary)
>
> Of course, if you're trying to exploit already-existing code, you probably
> only have one memset/strcpy you can abuse, and the starting address of the
> destination is already nailed down, which means you need to fill in the
> 4 bytes of canary correctly.  This means you need to find a way to obtain
> the value so you can use it.  One hint - sometimes you're better off
> targeting
> the stack frame 2 or 3 function calls back, rather than the *current*
> frame.
>
>
You commenting on exploitation is kind of like asking a deaf person what
their favorite song is. You obviously have no clue what you are talking
about due to the fact you offered absolutely no insight in to the protection
mechanism he was asking about, nor potential means of exploitation. Given
this the real question remains, do you actually believe you have any clue
about this stuff, or are you like Wallace and just want to post useless
shit?

-- 
ciao

JT
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/