
ABO2 – 3 Posts

  • ABO2

    08/24/2007 18:35
    leben's Avatar leben 10
    OK! That's it! I give up!
    How the heck do you exploit the advanced buffer overflow (abo2.txt) in the vulnerable code section?

        /* abo2.c
         * specially crafted to feed your brain by gera@core-sdi.com */

        /* This is a tricky example to make you think
         * and give you some help on the next one */

        int main(int argv,char **argc) {
            char buf[256];

            strcpy(buf,argc[1]);
            exit(1);
        }

    There's no return address it uses, exit(1) causes that because ret is never reached! There's nothing under the buff local variable at the time that it is written.
    I'm running WinXP btw - I do have fedora core but FC has protections that work against me in my learning.
  • 08/24/2007 18:35
    UnknownUser's Avatar UnknownUser 2,7290
    if you are on linux remember to do

        echo -n "0" > /proc/sys/kernel/randomize_va_space

    on windows xp you want to overwrite the SEH record

    and make it crash in some way.
  • 08/24/2007 18:35
    matrixman's Avatar matrixman 670
    Hello leben,

    abo2 is not exploitable on x86 architecture because, as you already found out, the function does not return so you can't overwrite any ret address (at least I can't think of any method).
    For other architectures where the stack grows from low to high it is possible to overwrite the strcpy() to exploit it.

    Greets
    matrixman