logo
::[Home]
::[News]
::[Challenges]
::[Ranking]
::[My Account]
::[Forum]
::[Chat]
::[Private Messages]
::[Vulnerable Code]
::[Tutorials]
::[Downloads/Scripts]
::[Support]
::[Links]
::[Contact/FAQ]
::[Login]
0 anonymous
Views: 1089243 Challenges: 342
Users: 12689 Online: 11

Settings
Search
0 new posts

buffer overflow problem – 7 Posts

  • buffer overflow problem

    07/16/2007 23:50
    UnknownUser's Avatar UnknownUser 2,7290
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    i try to exploit the first buffer overflow vulnerable code with an exploit i wrote and its similar with the aleph one exploit. i filled the buffer with the return address of my shellcode and then i put (buffer size)/2 NOP and the shellcode at the beggining of the buffer. although the buffer is 256 bytes long i get a segmentation fault only when i run my exploit with a 500+ bytes buffer. <br> could the program think that the buffer ends when it reads one time the return address i fill the buffer with or the problem is something else?<br> (if i didn type correctly my question feel free to ask me for further information, and btw sorry for any sloppy english <img alt="\&quot;:)\&quot;" src="%5C"> )
    Edit
    Reply
    Quote
    0 Likes
  • 07/16/2007 23:50
    Degenerate's Avatar Degenerate 550
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    Just to clarify: are you bruteforcing the amount of bytes you need to fill before reaching the return-address or have you found the address and have a piece of tailored code that should cause a BOF. Either way my experience with this is pretty limited, but that is something I couldnt work out from your post.<br><br>Degen
    Edit
    Reply
    Quote
    0 Likes
  • 07/16/2007 23:50
    UnknownUser's Avatar UnknownUser 2,7290
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    the compier gets to choose how much space it takes for every buffer,<br><br>it usually takes into account<br>- aligning issues<br>- off by one errors are common, and thus usually it reseves at least a few bytes extra<br><br>
    Edit
    Reply
    Quote
    0 Likes
  • 07/16/2007 23:50
    UnknownUser's Avatar UnknownUser 2,7290
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    the buffer i use looks like this:<br>[NOP][NOP[NOP][NOP][NOP]...[SHELLCODE]....[ADDR][ADDR][ADDR]...<br>----------buffer size/2------------- <br>where ADDR is the addrese with which i want to overflow the return address.<br><br>when i compiled the vulnerable program i used the -mpreferred-stack-boundary=2 which set up the stack in double word increments and the -fno-stack-protector to remove the protection linux have for the stack.<br><br>the problem is that only when i make this buffer almost double the size of the buffer i want to overflow it causes a segfault. so i suspected that when it reaches the first ADDR after the shellcode <br>it suppose that the string ends, so actually my buffers size reduces to 1/2 with only one ADDR at the end of it. could this be the problem?<br>
    Edit
    Reply
    Quote
    0 Likes
  • 07/16/2007 23:50
    UnknownUser's Avatar UnknownUser 2,7290
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    try compiling with -O3 or -Os <br>the optimizer will probably shrink the space used.
    Edit
    Reply
    Quote
    0 Likes
  • 07/16/2007 23:50
    Degenerate's Avatar Degenerate 550
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    I get the impression you know more than me, although I think your post above gives some useful info for those who know more to help you =]<br><br>I'll leave you too it and good luck!
    Edit
    Reply
    Quote
    0 Likes
  • 07/16/2007 23:50
    UnknownUser's Avatar UnknownUser 2,7290
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    <div class="\&quot;tbscode_standard_quote_headline\&quot;"><img alt="\&quot;Quote\&quot;" src="%5C">Quote from <a href="%5C">rhican</a>:</div><div class="\&quot;tbscode_standard_quote\&quot;">try compiling with -O3 or -Os <br>the optimizer will probably shrink the space used.</div><br><br>i tried that but i get the same results....<br><br>actually i dont think that the problem is with the flags i use when compiling the program than that the program doesn't read all the addresses beyond the shellcode until it reaches the NULL character at the end of the buffer. it just reads the first of them and then stops. so the buffer length that is stored in to the buffer is equal to buffer size/2 that are the NOP + the shellcodes length + 4 bytes of the first address after the shellcode. thats why i get a segfault only when i make a buffer that is almost twice the size of the buffer of the vulnerable program<br>but i am not very sure that this is the case and if it is then it is very difficult to actually make the overflow...any suggestions appreciated <img alt="\&quot;:)\&quot;" src="%5C">
    Edit
    Reply
    Quote
    0 Likes