Jan 12 00:37:45 u there, h4z4rd, want to ask you something?
Jan 12 00:38:52 yes
Jan 12 00:39:57 sec till i find a link
Jan 12 00:40:16 http://www.securityfocus.com/archive/101/486097/30/0/threaded
Jan 12 00:40:52 this guy has a problem, i tried it on my system and it behaves the same, some sort of new gcc thingie? you know what it might be?
Jan 12 00:40:57 definitely strange
Jan 12 00:41:55 i can control eip, if my buff is 256, if i write 256 times A eip gets 0x41414141 which is strange, if i write more into the buffer i get some unrelated value
Jan 12 00:42:39 i just don't get it, on an older gcc all works "normally", there is a small padding after the buffer
Jan 12 00:43:06 just stared at disasm, couldn't figure anything out
Jan 12 00:43:16 0x00000788 : call 0x4fc <__stack_smash_handler@plt>
Jan 12 00:43:16 0x0000078d : mov -0x4(%ebp),%ebx
Jan 12 00:43:23 this maybe?
Jan 12 00:44:31 no, compiled with -fno-stack-protector
Jan 12 00:44:51 that is the first thing i tried
Jan 12 00:45:14 hardened gcc?
Jan 12 00:45:37 this doesn't make any sense,
Jan 12 00:46:04 on older gcc you could write even 260 bytes and nothing would happen, and now it sigsegvs with 256 bytes
Jan 12 00:46:25 what is on the stack before eip
Jan 12 00:47:23 base pointer
Jan 12 00:47:49 i can control eip, if my buff is 256, if i write 256 times A eip gets 0x41414141
Jan 12 00:47:54 how is this possible?
Jan 12 00:47:58 that is my point
Jan 12 00:48:00 i don't know
Jan 12 00:48:05 sec, i'll paste it
Jan 12 00:48:14 char buf[256]??
Jan 12 00:48:26 compile with -ggdb
Jan 12 00:48:31 and look where the buffer is
Jan 12 00:48:38 it's possible that if you don't use it gcc shrinks it
Jan 12 00:49:05 Starting program: /home/ea/test `perl -e 'print "A"x256'`
Jan 12 00:49:05 (no debugging symbols found)
Jan 12 00:49:05 warning: Lowest section in system-supplied DSO at 0xffffe000 is .hash at ffffe0b4
Jan 12 00:49:05 (no debugging symbols found)
Jan 12 00:49:05 (no debugging symbols found)
Jan 12 00:49:05 Program received signal SIGSEGV, Segmentation fault.
Jan 12 00:49:05 0x41414141 in ?? ()
Jan 12 00:49:05 (gdb)
Jan 12 00:49:17 give the source
Jan 12 00:49:33 main(int argc, char **argv)
Jan 12 00:49:33 {
Jan 12 00:49:33 char buff[256];
Jan 12 00:49:33 strcpy(buff,argv[1]);
Jan 12 00:49:33 //return 0;
Jan 12 00:49:33 }
Jan 12 00:49:44 plus one more / at the return
Jan 12 00:50:16 disas main ?
Jan 12 00:50:23 how much does it sub from esp
Jan 12 00:51:18 0x114
Jan 12 00:51:28 which is a little more than 256
Jan 12 00:51:31 0x080483a4 : lea 0x4(%esp),%ecx
Jan 12 00:51:31 0x080483a8 : and $0xfffffff0,%esp
Jan 12 00:51:31 0x080483ab : pushl 0xfffffffc(%ecx)
Jan 12 00:51:31 0x080483ae : push %ebp
Jan 12 00:51:31 0x080483af : mov %esp,%ebp
Jan 12 00:51:31 0x080483b1 : push %ecx
Jan 12 00:51:31 0x080483b2 : sub $0x114,%esp
Jan 12 00:51:31 0x080483b8 : mov 0x4(%ecx),%eax
Jan 12 00:51:31 0x080483bb : add $0x4,%eax
Jan 12 00:51:31 0x080483be : mov (%eax),%eax
Jan 12 00:51:31 0x080483c0 : mov %eax,0x4(%esp)
Jan 12 00:51:31 0x080483c4 : lea 0xfffffefc(%ebp),%eax
Jan 12 00:51:31 0x080483ca : mov %eax,(%esp)
Jan 12 00:51:31 0x080483cd : call 0x80482b8
Jan 12 00:51:31 0x080483d2 : add $0x114,%esp
Jan 12 00:51:31 0x080483d8 : pop %ecx
Jan 12 00:51:31 0x080483d9 : pop %ebp
Jan 12 00:51:31 0x080483da : lea 0xfffffffc(%ecx),%esp
Jan 12 00:51:31 0x080483dd : ret
Jan 12 00:52:18 (gdb) i r
Jan 12 00:52:18 eax 0xffc199b4 -4089420
Jan 12 00:52:18 ecx 0xffc19a00 -4089344
Jan 12 00:52:18 edx 0xffc1b9a3 -4081245
Jan 12 00:52:18 ebx 0x86dff4 8839156
Jan 12 00:52:18 esp 0xffc19a00 0xffc19a00
Jan 12 00:52:18 ebp 0xffc19b28 0xffc19b28
Jan 12 00:52:18 esi 0x71aca0 7449760
Jan 12 00:52:18 edi 0x0 0
Jan 12 00:52:18 eip 0x41414141 0x41414141
Jan 12 00:52:18 eflags 0x10286 [ PF SF IF RF ]
Jan 12 00:52:18 cs 0x23 35
Jan 12 00:52:18 ss 0x2b 43
Jan 12 00:52:18 ds 0x2b 43
Jan 12 00:52:18 es 0x2b 43
Jan 12 00:52:18 fs 0x0 0
Jan 12 00:52:18 gs 0x63 99
Jan 12 00:52:18 (gdb)
Jan 12 00:52:32 lea 0x4(%esp),%ecx
Jan 12 00:52:32 look, only EIP is 0x41414141, EBP should be too
Jan 12 00:53:06 23:57 <~ea> 0x080483d8 : pop %ecx
Jan 12 00:53:06 23:57 <~ea> 0x080483d9 : pop %ebp
Jan 12 00:53:17 add $0x114,%esp
Jan 12 00:53:40 stack looks different after that strcpy
Jan 12 00:54:08 that i can see
Jan 12 00:54:53 x/x 0xfffffffc + $ecx ?
Jan 12 00:57:05 sec
Jan 12 00:57:32 (gdb) r `perl -e 'print "A"x256'`
Jan 12 00:57:32 The program being debugged has been started already.
Jan 12 00:57:32 Start it from the beginning? (y or n) y
Jan 12 00:57:32 Starting program: /home/ea/test `perl -e 'print "A"x256'`
Jan 12 00:57:32 (no debugging symbols found)
Jan 12 00:57:32 warning: Lowest section in system-supplied DSO at 0xffffe000 is .hash at ffffe0b4
Jan 12 00:57:32 (no debugging symbols found)
Jan 12 00:57:32 (no debugging symbols found)
Jan 12 00:57:32 Program exited with code 0344.
Jan 12 00:57:32 (gdb)
Jan 12 00:57:33 look at this
Jan 12 00:57:38 this is no good
Jan 12 00:57:59 (gdb) r `perl -e 'print "A"x256'`
Jan 12 00:57:59 Starting program: /home/ea/test `perl -e 'print "A"x256'`
Jan 12 00:57:59 (no debugging symbols found)
Jan 12 00:57:59 warning: Lowest section in system-supplied DSO at 0xffffe000 is .hash at ffffe0b4
Jan 12 00:57:59 (no debugging symbols found)
Jan 12 00:57:59 (no debugging symbols found)
Jan 12 00:57:59 Program received signal SIGSEGV, Segmentation fault.
Jan 12 00:57:59 0x41414141 in ?? ()
Jan 12 00:57:59 (gdb)
Jan 12 00:58:01 one time it sigsegvs, and the other it just exits fine
Jan 12 00:58:11 even more confused now
Jan 12 00:58:26 random stack addr?
Jan 12 00:58:32 (gdb) x/x 0xfffffffc + $ecx
Jan 12 00:58:32 0xffdb73fc: 0x41414141
Jan 12 00:58:32 (gdb)
Jan 12 00:58:34 yes
Jan 12 00:58:39 i got ASLR
Jan 12 00:59:53 why not, lesser padding depending on address
Jan 12 01:00:11 bp *0x080483d2
Jan 12 01:00:22 but then again, how come only EIP is 0x41414141 and not the rest
Jan 12 01:00:23 i r esp
Jan 12 01:00:37 ni; i r esp
Jan 12 01:01:05 Breakpoint 1, 0x080483d2 in main ()
Jan 12 01:01:05 (gdb) i r
Jan 12 01:01:05 eax 0xffef2484 -1104764
Jan 12 01:01:05 ecx 0xfffffbe2 -1054
Jan 12 01:01:05 edx 0xffef29a3 -1103453
Jan 12 01:01:05 ebx 0x86dff4 8839156
Jan 12 01:01:05 esp 0xffef2470 0xffef2470
Jan 12 01:01:05 ebp 0xffef2588 0xffef2588
Jan 12 01:01:05 esi 0x71aca0 7449760
Jan 12 01:01:05 edi 0x0 0
Jan 12 01:01:05 eip 0x80483d2 0x80483d2
Jan 12 01:01:05 eflags 0x246 [ PF ZF IF ]
Jan 12 01:01:05 cs 0x23 35
Jan 12 01:01:05 ss 0x2b 43
Jan 12 01:01:05 ds 0x2b 43
Jan 12 01:01:05 es 0x2b 43
Jan 12 01:01:05 fs 0x0 0
Jan 12 01:01:05 gs 0x63 99
Jan 12 01:01:05 (gdb)
Jan 12 01:01:17 ni; i r ecx; ni; i r ebp;
Jan 12 01:01:59 i r ecx?
Jan 12 01:02:57 sec
Jan 12 01:03:33 0x080483d8 in main ()
Jan 12 01:03:33 (gdb) i r esp
Jan 12 01:03:33 esp 0xff98d824 0xff98d824
Jan 12 01:03:33 (gdb) ni
Jan 12 01:03:33 0x080483d9 in main ()
Jan 12 01:03:33 (gdb) i r ecx
Jan 12 01:03:33 ecx 0xff98d800 -6760448
Jan 12 01:03:33 (gdb) ni
Jan 12 01:03:33 0x080483da in main ()
Jan 12 01:03:33 (gdb) i r ebp
Jan 12 01:03:33 ebp 0xff98d898 0xff98d898
Jan 12 01:03:33 (gdb) i r ecx
Jan 12 01:03:33 ecx 0xff98d800 -6760448
Jan 12 01:03:33 (gdb)
Jan 12 01:04:35 fuck if i know
Jan 12 01:06:08 do some more ni
Jan 12 01:06:20 it is possible that it dies in some other function
Jan 12 01:06:34 (gdb) ni
Jan 12 01:06:34 0x080483dd in main ()
Jan 12 01:06:34 (gdb) ni
Jan 12 01:06:34 0x41414141 in ?? ()
Jan 12 01:06:37 nope
Jan 12 01:07:04 where was that
Jan 12 01:07:37 nope, not it
Jan 12 01:07:45 0x080483da : lea 0xfffffffc(%ecx),%esp
Jan 12 01:07:45 0x080483dd : ret
Jan 12 01:11:49 eeee
Jan 12 01:12:42 yes
Jan 12 01:12:43 oooo
Jan 12 01:13:00 you have no mercy /*h4z4rd is pissed off at some code he's writing, not related to this*/
Jan 12 01:13:21 ? have you been drinking something? some detergent :) what's wrong with you :)
Jan 12 01:15:09 ret is equal to pop ebp, pop eip?
Jan 12 01:15:23 pop orients itself by esp
Jan 12 01:15:45 esp is taken by lea 0xfffffffc(%ecx),%esp
Jan 12 01:15:56 pop ebp, yes
Jan 12 01:16:08 yes
Jan 12 01:16:39 which would mean that if 0xfffffffc(%ecx) points into part of the buffer we'll pull off 0x414141 when we take eip?
Jan 12 01:16:53 00:04 <~ea> (gdb) x/x 0xfffffffc + $ecx
Jan 12 01:16:54 00:04 <~ea> 0xffdb73fc: 0x41414141
Jan 12 01:17:25 ok
Jan 12 01:18:10 but why?
Jan 12 01:19:46 ok, now i know why it's like that, but why did it generate such code, and why does it crash two times out of 3 attempts
Jan 12 01:20:28 wait, let me turn off the random stack and try
Jan 12 01:20:33 now we need to see how the padding affects ecx
Jan 12 01:20:35 don't
Jan 12 01:20:38 let's look at this first
Jan 12 01:20:50 ok
Jan 12 01:20:57 that's cheating :P
Jan 12 01:21:53 0x080483d2 : add $0x114,%esp
Jan 12 01:21:53 0x080483d8 : pop %ecx
Jan 12 01:21:53 0x080483d9 : pop %ebp
Jan 12 01:21:53 0x080483da : lea 0xfffffffc(%ecx),%esp
Jan 12 01:21:53 0x080483dd : ret
Jan 12 01:21:56 bp *0x080483a8
Jan 12 01:21:59 bp *0x080483ab
Jan 12 01:22:53 i r ecx
Jan 12 01:22:56 x/x 0xfffffffc+$ecx
Jan 12 01:23:02 ecx 0xff81b7e0 -8276000
Jan 12 01:23:32 (gdb) i r ecx
Jan 12 01:23:32 ecx 0xff81b7e0 -8276000
Jan 12 01:23:32 (gdb) i r esp
Jan 12 01:23:32 esp 0xff81b7dc 0xff81b7dc
Jan 12 01:23:32 (gdb) i r ebp
Jan 12 01:23:32 ebp 0xff81b838 0xff81b838
Jan 12 01:23:32 (gdb)
Jan 12 01:23:35 first bp
Jan 12 01:24:02 (gdb) i r esp
Jan 12 01:24:02 esp 0xff81b7d0 0xff81b7d0
Jan 12 01:24:02 (gdb) i r ebp
Jan 12 01:24:02 ebp 0xff81b838 0xff81b838
Jan 12 01:24:02 (gdb) i r ecx
Jan 12 01:24:02 ecx 0xff81b7e0 -8276000
Jan 12 01:24:02 (gdb)
Jan 12 01:24:06 second bp
Jan 12 01:26:04 x/x 0xfffffffc + $ecx on the second bp?
Jan 12 01:26:31 (gdb) x/x 0xfffffffc + $ecx
Jan 12 01:26:31 0xff81b7dc: 0x00733f70
Jan 12 01:26:31 (gdb)
Jan 12 01:29:35 hahahaha
Jan 12 01:29:40 what a sick optimisation
Jan 12 01:29:47 lea 0x4(%esp),%ecx
Jan 12 01:30:57 call 0x80482b8
Jan 12 01:31:04 strcpy takes 2 args
Jan 12 01:31:59 mov %eax,0x4(%esp)
Jan 12 01:32:02 this is the second one
Jan 12 01:32:31 i need to add that to my compiler :D
Jan 12 01:33:05 :)
Jan 12 01:33:22 mov %eax,0x4(%esp)
Jan 12 01:33:32 try to turn off optimization :D
Jan 12 01:34:31 it is off
Jan 12 01:34:43 -O0 ?
Jan 12 01:35:18 it's the same
Jan 12 01:35:49 some smart compiler :D
Jan 12 01:36:03 even with -O3 it turns out the same
Jan 12 01:36:24 -S
Jan 12 01:36:56 sec
Jan 12 01:37:10 leal 4(%esp), %ecx
Jan 12 01:37:10 andl $-16, %esp
Jan 12 01:37:10 pushl -4(%ecx)
Jan 12 01:37:10 pushl %ebp
Jan 12 01:37:10 movl %esp, %ebp
Jan 12 01:37:10 pushl %ecx
Jan 12 01:37:10 subl $276, %esp
Jan 12 01:37:10 movl 4(%ecx), %eax
Jan 12 01:37:10 addl $4, %eax
Jan 12 01:37:10 movl (%eax), %eax
Jan 12 01:37:10 movl %eax, 4(%esp)
Jan 12 01:37:10 leal -260(%ebp), %eax
Jan 12 01:37:10 movl %eax, (%esp)
Jan 12 01:37:10 call strcpy
Jan 12 01:37:10 addl $276, %esp
Jan 12 01:37:10 popl %ecx
Jan 12 01:37:10 popl %ebp
Jan 12 01:37:10 leal -4(%ecx), %esp
Jan 12 01:37:10 ret
Jan 12 01:37:42 looks the same to me :))
Jan 12 01:37:47 ;D
Jan 12 01:40:55 eee
Jan 12 01:41:13 lea 0xfffffefc(%ebp),%eax
Jan 12 01:41:19 mov %eax,(%esp)
Jan 12 01:41:59 that is 260 bytes below ebp
Jan 12 01:42:24 and esp is subtracted by 276
Jan 12 01:44:46 am i gone nuts or did you just own EIP with 256 bytes??
Jan 12 01:45:21 it looks so
Jan 12 01:45:30 let me check something
Jan 12 01:46:37 (gdb) r `perl -e 'print "A"x252 . "B"x4'`
Jan 12 01:46:37 Starting program: /home/ea/test `perl -e 'print "A"x252 . "B"x4'`
Jan 12 01:46:37 (no debugging symbols found)
Jan 12 01:46:37 warning: Lowest section in system-supplied DSO at 0xffffe000 is .hash at ffffe0b4
Jan 12 01:46:37 (no debugging symbols found)
Jan 12 01:46:37 (no debugging symbols found)
Jan 12 01:46:37 Program received signal SIGSEGV, Segmentation fault.
Jan 12 01:46:37 0x41414141 in ?? ()
Jan 12 01:46:37 (gdb)
Jan 12 01:46:51 that is what i thought, didn't own it actually :)
Jan 12 01:47:51 main(int argc, char **argv)
Jan 12 01:47:51 {
Jan 12 01:47:51 char buff[256];
Jan 12 01:47:51 strcpy(buff,argv[1]);
Jan 12 01:47:51 //return 0;
Jan 12 01:47:51 }
Jan 12 01:49:46 i can't watch this anymore
Jan 12 01:49:48 :D
Jan 12 01:49:58 0x08048428 : push %ebp
Jan 12 01:49:58 0x08048429 : mov %esp,%ebp
Jan 12 01:49:58 0x0804842b : sub $0x118,%esp
Jan 12 01:49:59 0x08048431 : and $0xfffffff0,%esp
Jan 12 01:50:00 0x08048434 : mov $0x0,%eax
Jan 12 01:50:01 0x08048439 : add $0xf,%eax
Jan 12 01:50:04 0x0804843c : add $0xf,%eax
Jan 12 01:50:05 * hess has quit (Quit: Leaving)
Jan 12 01:50:06 0x0804843f : shr $0x4,%eax
Jan 12 01:50:09 0x08048442 : shl $0x4,%eax
Jan 12 01:50:11 0x08048445 : sub %eax,%esp
Jan 12 01:50:14 0x08048447 : mov 0xc(%ebp),%eax
Jan 12 01:50:16 0x0804844a : add $0x4,%eax
Jan 12 01:50:19 0x0804844d : mov (%eax),%eax
Jan 12 01:50:22 0x0804844f : mov %eax,0x4(%esp)
Jan 12 01:50:24 0x08048453 : lea -0x108(%ebp),%eax
Jan 12 01:50:27 on this machine
Jan 12 01:50:31 which gcc?
Jan 12 01:50:34 0x08048459 : mov %eax,(%esp)
Jan 12 01:50:36 0x0804845c : call 0x8048330
Jan 12 01:50:36 0x08048461 : leave
Jan 12 01:50:36 0x08048462 : ret
Jan 12 01:50:47 gcc version 3.4.6 (Gentoo Hardened 3.4.6-r2 p1.5, ssp-3.4.6-1.0, pie-8.7.10)
Jan 12 01:50:49 aha
Jan 12 01:50:56 gcc version 4.1.2 20070925 (Red Hat 4.1.2-27)
Jan 12 01:51:16 well, i've tried it on gcc 3 and it works "normal"
Jan 12 01:53:13 they probably hardcoded this so that whenever somebody tries to compile this source it turns out like this, just to screw with the ppl trying to get buffer overflows :)))
Jan 12 01:56:23 can you put that elf somewhere so i can get it?
Jan 12 01:57:50 wait a sec
Jan 12 01:59:33 foundation.phearless.org/test
Jan 12 02:00:44 Program received signal SIGSEGV, Segmentation fault.
Jan 12 02:00:44 0x41414141 in ?? ()
Jan 12 02:02:15 ?
Jan 12 02:02:55 it's the same here
Jan 12 02:05:13 try it more than once, does it die sometimes and just exit sometimes
Jan 12 02:08:38 want to see something interesting :)
Jan 12 02:08:48 (gdb) x/x $esp+116
Jan 12 02:08:48 0xb47eec70: 0x41414141
Jan 12 02:08:53 (gdb) x/x $esp-0x88
Jan 12 02:08:53 0xb47eeb74: 0x41414141
Jan 12 02:09:06 it actually overwrites 414 bytes on the stack
Jan 12 02:10:03 it doesn't sigsegv always
Jan 12 02:10:24 ?!???!??!
Jan 12 02:10:36 where does it get 414 bytes? :)
Jan 12 02:11:22 seems like it overwrites ENV ...
Jan 12 02:14:22 this could be some kind of gcc bug
Jan 12 02:14:48 they probably hardcoded this so that whenever somebody tries to compile this source it turns out like this, just to screw with the ppl trying to get buffer overflows i tell ya :)))
Jan 12 02:14:49 (gdb) break main
Jan 12 02:14:49 Breakpoint 1 at 0x80483b2
Jan 12 02:14:49 it breaks right in the middle of main, wtf???
Jan 12 02:16:33 they are legends if they did :D
Jan 12 02:16:43 they really are :)))
Jan 12 02:17:53 (gdb) disas _start
Jan 12 02:17:54 Dump of assembler code for function _start:
Jan 12 02:17:54 0x080482d0 : xor %ebp,%ebp
Jan 12 02:17:54 0x080482d2 : pop %esi
Jan 12 02:17:54 0x080482d3 : mov %esp,%ecx
Jan 12 02:19:44 now i am even more confused than when we started :)