James Matthews wrote:
> I would recommend doing the following things.
>
> 1. Ask on the Ubuntu GCC list what protection is implemented. (Or just look
>    at the source)
> 2. Use GCC to see where the execution is being redirected and so you can
>    have a better visual of what's going on.
> 3. Are you sure the stack is executable?
>
> On Sat, Feb 14, 2009 at 12:30 AM, Marcus Meissner <[email protected]> wrote:
>
>> On Fri, Feb 13, 2009 at 11:50:11AM -0500, Jason Starks wrote:
>>> I came across a problem that I am sure many security researchers have
>>> seen before:
>>>
>>> ja...@uboo:~$ cat bof.c
>>> #include <stdio.h>
>>> #include <string.h>
>>>
>>> int main()
>>> {
>>>     char buf[512];
>>>
>>>     /* writes 528 bytes into a 512-byte buffer: a 16-byte stack overflow */
>>>     memset(buf, 'A', 528);
>>>
>>>     return 0;
>>> }
>>> ja...@uboo:~$
>>>
>>> ja...@uboo:~$ ./bof
>>> *** stack smashing detected ***: ./bof terminated
>>> ======= Backtrace: =========
>>> /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f08548]
>>> ja...@uboo:~$
>>>
>>> I have googled my brains out for a solution, but all I have gathered is
>>> that my Ubuntu's gcc is compiled with SSP and every time I try to overwrite
>>> the return address it also overwrites the canary's value and triggers a
>>> stop in the program. I've disassembled it, and anybody who can help me
>>> probably doesn't need me to explain much more, but I would like to know a
>>> way to get this. There seem to be some people on this list who may know
>>> something on how to exploit on *nix systems with this protection enabled.
>>>
>>> I do not want to just disable the protection and exploit it normally, I
>>> want
>>
>> Perhaps you should learn first exactly _what_ caught your buffer overflow.
>>
>> Hint: It was not SSP aka -fstack-protector.
>>
>> Ciao, Marcus
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

Ubuntu and recent kernels also implement ASLR. So, that may be the issue, besides StackGuard.

Sincerely.
