OSEC

Re: Problem exploiting a CGI overflow

From: Marco Ivaldi (raptor0xdeadbeef.info)
Date: Wed Nov 24 2004 - 05:14:55 CST


> I discovered that the shellcode changes during its execution. Yeah, some
> bytes of the shellcode change while it is running. Why? How can I avoid
> this?

The problem here is that some bytes in the shellcode are converted into
0x20. Namely, 0x0b (execve syscall number) is converted into 0x20 (gtty
syscall number -- an unimplemented syscall), screwing up the execution of
your shell.

$ strace ./post2 <buffer
[...]
read(0, "", 4096) = 0
gtty(0xbffff7ec, 0xbffff7f4) = -1 ENOSYS (Function not implemented)
_exit(0) = ?

The following special bytes pose similar problems: 0x09 ('\t'), 0x0a
('\n'), 0x0c ('\f') and 0x0d ('\r'). You should try to exploit the CGI
with a special shellcode (note that you may also need to close stdin and
re-open the tty -- see http://www.0xdeadbeef.info/code/gets-linux.c).

Since I suppose you wanna build a remote exploit, ret-into-envp is useless
here (i.e. you can't stick your shellcode into the environment). Moreover,
I don't think chained ret-into-libc may be feasible...

I don't have enough time to play with that any further, but I hope you'll
be able to find a viable solution ;)

Cheers,

--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
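An added example, not part of Marco's post: it models the byte rewrite the reply describes (a CGI that treats ASCII whitespace as a separator and turns each such byte into 0x20) and checks a buffer for the bytes that would not survive it, explaining why the strace above ends in gtty instead of execve. The normalization rule, the helper names and the four-byte sample stub are my assumptions, not anything from the original thread.

```python
from typing import List, Optional, Tuple

# Bytes the reply lists as being rewritten to 0x20: \t \n \v \f \r
WHITESPACE_BYTES = frozenset({0x09, 0x0A, 0x0B, 0x0C, 0x0D})

# Linux i386 syscall numbers that appear in the thread
SYSCALL_NAMES = {0x0B: "execve", 0x20: "gtty (unimplemented)"}

# Constructed sample: the tail of a typical Linux/x86 execve stub
#   b0 0b    mov al, 0x0b   ; execve syscall number
#   cd 80    int 0x80
SAMPLE_STUB = b"\xb0\x0b\xcd\x80"


def cgi_normalize(buf: bytes) -> bytes:
    """Assumed CGI behaviour: every whitespace byte becomes a space (0x20)."""
    return bytes(0x20 if b in WHITESPACE_BYTES else b for b in buf)


def find_unsafe_bytes(buf: bytes) -> List[Tuple[int, int]]:
    """Return (offset, byte) pairs that cgi_normalize would alter."""
    return [(i, b) for i, b in enumerate(buf) if b in WHITESPACE_BYTES]


def syscall_at_int80(code: bytes) -> Optional[int]:
    """Return the imm8 of a 'mov al, imm8' (B0 xx) directly before 'int 0x80' (CD 80)."""
    idx = code.find(b"\xcd\x80")
    if idx >= 2 and code[idx - 2] == 0xB0:
        return code[idx - 1]
    return None


def describe(buf: bytes) -> str:
    """Summarise what the normalization does to the syscall number in buf."""
    before = syscall_at_int80(buf)
    after = syscall_at_int80(cgi_normalize(buf))
    hits = ", ".join(f"0x{b:02x}@{i}" for i, b in find_unsafe_bytes(buf)) or "none"
    return (f"unsafe bytes: {hits}; syscall before: {SYSCALL_NAMES.get(before, before)}; "
            f"after: {SYSCALL_NAMES.get(after, after)}")


if __name__ == "__main__":
    print(describe(SAMPLE_STUB))
```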