> > > > memset(buf, 'A', 528); > > Don't do that. This sort of "whoops" is exactly what the gcc SSP canary is > designed to stop. >
I could comment on this, but... I'll leave it. > > > I have googled my brains out for a solution, but all I have gathered is > that > > my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the > > return address it also overwrites the canary's value, and triggers a stop > in > > the program. I've disassembled it and anybody who can help me probably > > doesn't need me to explain much more, but I would like to know a way to > get > > this. There seems to be some people on this list who may know something > on > > how to exploit on *nix systems with this protection enabled. > > What you want to do is be more precise in your splatting. Instead of > one memset, see if you can come up with a way to do *two* memsets, which > leave your stack looking like: > > 'AAAAAAAAA' (above the canary) > <4 unmolested bytes of canary> > 'AAAAAAAAA' (below the canary) > > Of course, if you're trying to exploit already-existing code, you probably > only have one memset/strcpy you can abuse, and the starting address of the > destination is already nailed down, which means you need to fill in the > 4 bytes of canary correctly. This means you need to find a way to obtain > the value so you can use it. One hint - sometimes you're better off > targeting > the stack frame 2 or 3 function calls back, rather than the *current* > frame. > > You commenting on exploitation is kind of like asking a deaf person what their favorite song is. You obviously have no clue what you are talking about due to the fact you offered absolutely no insight in to the protection mechanism he was asking about, nor potential means of exploitation. Given this the real question remains, do you actually believe you have any clue about this stuff, or are you like Wallace and just want to post useless shit? -- ciao JT
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/