Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 19:09

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 
Author Message
 Post subject: [C] An exploit that work only inside GDB
PostPosted: 03 Mar 2009 22:37 

Joined: 02 Jan 2009 12:00
Posts: 3
Hi,

I am 100% sure that you will find this impossible, but I wrote an exploit that work only inside the debugger (GDB). How is possible? The structure is almost standard. Using execle I forge the env array putting the shellcode as an Environment Variable and I write the address of the shellcode in the file that the target will read (using a fscanf("%s", buffer)). I calculated the exact number of bytes to overwrite the return address, and I added 32 bytes more (to be sure :P). Now, if i try my exploit inside GDB, I get my shell. But if I run my exploit entering "./a.out" at the shell prompt, it doesn't work. Do you have any idea that can help me to find the reason?

Thanks
Gnix

ps: Sorry for my english..


Top
 Profile  
 
 
 Post subject: Re: [C] An exploit that work only inside GDB
PostPosted: 03 Mar 2009 23:15 

Joined: 02 Jan 2009 12:00
Posts: 3
Well, I discovered the reason. It seems that the trick to use

ret = 0xbffffffa - (sizeof(shellcode)-1) - strlen("./prog");

It doesn't work under OpenSuse 11.1. The ASLR change my ret address and this happen also if I use execle to create my own env array. At this moment, I realy don't understand how is possible to exploit something under Linux. The nop-sled technique is useles with the ASLR, and also the use of execle (and of the magic address 0xffffffa) seems to not work anymore..

Which techniques are you using to bypass this obstacle?

Thanks
Gnix


Top
 Profile  
 
 Post subject: Re: [C] An exploit that work only inside GDB
PostPosted: 04 Mar 2009 15:27 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
sorry but that's not my field, so I don't know an exact answer


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: