ASLR is not your only problem under Linux. If you are using a modern
distribution (e.g. your homebox) there are loads of other protections
enabled. Your best bet is to download an older one, turn off protections
where needed (via proc and via linker options) and start from there.
Userland exploitation is not beginner material with all the mitigations
enabled.
On 5/22/12 7:00 PM, Littlefield, Tyler wrote:
> Thanks all for the info. I really appreciated it. Luckily I have some
> experience with asm, though it is limited. The videos are nice, though
> I am going to have to supplement them with extra materials more than
> usual, since I am blind and it's hard to tell what he is doing all the
> time.
>
> Anyway, again I appreciate the help. I do have a question.
> If I am going to use a buffer overflow, I want to make sure I
> understand this right.
> If I have a function like:
> void foo(char* x);
> that means that I'd need to push an argument and call foo.
> push eax
> call foo
> now that I've called foo, it's going to set up the stack:
> gcc's disasm does something like:
> push ebp
> mov ebp, esp
> so now we have:
> ebp+8 >> x
> ebp+4 >> return
> ebp >> old ebp (?)
> so let's say that I declare a static buffer (you would sub ebp, 4) for
> that extra variable and it was a buffer. so if it was ebp-4, I could
> store an int there.
> now if I wanted to overflow that, I would have to fill ebp-4, which is
> the variable, ebp which is the pointer to the old frame (explanation
> there would be cool--I am kind of confused on what the "old frame"
> is); is it just the point on the stack (esp) where the previous
> frame's locals and that are stored? and then ebp+4. So I would have to
> feed that buffer 12 bytes to overwrite the return.
> so, this leads me to two final questions.
> First, is there a way perhaps to return backwards? So if I could
> manage to squeeze shellcode into those first 8 bytes (is that a
> possibility?) I could return to that and execute that? If I return to
> a function, how do I make that function do what I want? Being able to
> run any function in the code seems nice, but calling printf for
> example doesn't really do much for me. It would also require that I
> somehow get my arguments on the stack.
> Finally, let's say I found a function with GDB. With ASLR, is that not
> guaranteed to change when I execute the program again?
>
> Hopefully this is the right place for these questions--if not, I would
> appreciate other resources where this could be asked.
> Thanks,
> Ty
>
>
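The frame layout the quoted message works through (buffer at ebp-4, saved ebp at ebp, return address at ebp+4) can be inspected directly on a real build rather than from a video. The following is an added example, not code from the thread; it assumes gcc or clang, and the names BUF_SIZE, buf_to_saved_fp, copy_bounded and demo are my own. It measures the distance from a 4-byte local buffer to the saved-frame-pointer slot, and places the unbounded copy that causes the overflow next to a bounded copy that rejects the 12-byte input outright.

```c
/* Added example (not from the thread). Build: cc -O0 -Wall frame.c -o frame */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define BUF_SIZE 4   /* the post's one-slot buffer at ebp-4 */

/* Bytes from the local buffer up to the saved-frame-pointer slot.
 * In the post's 32-bit gcc -O0 model this is 4 (buf at ebp-4, saved ebp at
 * ebp, return address at ebp+4).  A modern toolchain may insert alignment
 * padding or a stack-protector canary between buf and the saved frame
 * pointer, so the value is often larger; on AArch64 the frame record sits
 * below the locals and the value comes out negative. */
__attribute__((noinline)) ptrdiff_t buf_to_saved_fp(void)
{
    volatile char buf[BUF_SIZE];
    buf[0] = 0;                                   /* keep buf live */
    uintptr_t fp = (uintptr_t)__builtin_frame_address(0);
    return (ptrdiff_t)(fp - (uintptr_t)&buf[0]);
}

/* Unbounded copy: the bug the post reasons about.  A 12-byte input runs
 * through the saved frame pointer into the return-address slot.
 * Shown for contrast only; never called in this program. */
void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy: refuses anything that does not fit, including the NUL. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dst_size)
        return -1;                                /* rejected, nothing written */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Returns 0 when the 12-byte input is rejected and a 3-byte one accepted. */
int demo(void)
{
    char buf[BUF_SIZE];
    const char *twelve = "AAAABBBBCCCC";          /* constructed 12-byte input */
    int rc_long  = copy_bounded(buf, sizeof buf, twelve);
    int rc_short = copy_bounded(buf, sizeof buf, "abc");
    return (rc_long == -1 && rc_short == 0 && strcmp(buf, "abc") == 0) ? 0 : 1;
}

int main(void)
{
    printf("buf -> saved frame pointer: %td bytes\n", buf_to_saved_fp());
    printf("bounded copy check: %s\n", demo() == 0 ? "ok" : "FAILED");
    return demo();
}
```

Comparing the printed offset against the post's expected 4 shows, without a debugger, how much the compiler's own layout and mitigations have changed the frame from the textbook picture.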