I have found that a command line agrument to a program i use daily, can be
used to overflow a function inside the program.
Unfortunately I cannot reveal what program it is, because of that I'm
employed by the company that makes this program. And it might be sensitive
to submit this info to an open channel such as this before I have
evaluated the problem.
Is there any way to exploit this to execute my own shellcode? This is how
I overflow the program:
[exce@101 exce]$ gdb /usr/bin/vulnprogram
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) set args `perl -e 'print "A" x 4112'`
(gdb) run
......no debugging symbols found bla bla.....
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 8047)]
0x0804ea80 in VulnFunction () <---- Modified function name :P
(gdb) info reg
eax 0x41414141 1094795585 <---- Overwriten with A's
ecx 0x8062088 134619272
edx 0x8 8
ebx 0x4213030c 1108542220
esp 0xbfffb9b0 0xbfffb9b0
ebp 0xbfffdabc 0xbfffdabc
esi 0x40013020 1073819680
edi 0xbfffeb54 -1073747116
eip 0x804ea80 0x804ea80
eflags 0x10283 66179
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x7 7
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x23 35
fioff 0x8052d06 134556934
foseg 0x2b 43
fooff 0xbfffda54 -1073751468
---Type <return> to continue, or q <return> to quit---Quit
(gdb)
There is no difference in this reg output if I increase the overflow
string. So most probably it is some kind of a loop gone wrong. This is the
only command line parameter this program takes.
As I said, what I want to know is if this is exploitable, and if it is,
how do I exploit it.
Feel free to point me to some interesting websites that has information on
this subject.
Hello!
I have found that a command line agrument to a program i use daily, can be
used to overflow a function inside the program.
Unfortunately I cannot reveal what program it is, because of that I'm
employed by the company that makes this program. And it might be sensitive
to submit this info to an open channel such as this before I have
evaluated the problem.
Is there any way to exploit this to execute my own shellcode? This is how
I overflow the program:
[exce@101 exce]$ gdb /usr/bin/vulnprogram
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) set args `perl -e 'print "A" x 4112'`
(gdb) run
......no debugging symbols found bla bla.....
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 8047)]
0x0804ea80 in VulnFunction () <---- Modified function name :P
(gdb) info reg
eax 0x41414141 1094795585 <---- Overwriten with A's
ecx 0x8062088 134619272
edx 0x8 8
ebx 0x4213030c 1108542220
esp 0xbfffb9b0 0xbfffb9b0
ebp 0xbfffdabc 0xbfffdabc
esi 0x40013020 1073819680
edi 0xbfffeb54 -1073747116
eip 0x804ea80 0x804ea80
eflags 0x10283 66179
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x7 7
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x23 35
fioff 0x8052d06 134556934
foseg 0x2b 43
fooff 0xbfffda54 -1073751468
---Type <return> to continue, or q <return> to quit---Quit
(gdb)
There is no difference in this reg output if I increase the overflow
string. So most probably it is some kind of a loop gone wrong. This is the
only command line parameter this program takes.
As I said, what I want to know is if this is exploitable, and if it is,
how do I exploit it.
Feel free to point me to some interesting websites that has information on
this subject.
/Daniel Nyström
[ reply ]