Date: Wed, 10 Feb 1999 16:47:15 -0500 (EST)
From: Tasam Security <security@tasam.com>
To: security@FreeBSD.ORG
Subject: lcall ?
Message-ID: <Pine.BSF.3.96.990210163852.6058A-100000@tasam.com>
This may be a stupid question, I was playing with some shellcode and writing some under freebsd 2.2CAM, I noticed that instead of using int $0x80, an lcall 0x7,0x00 is used in the execve call... well I disassembled it:

Dump of assembler code for function execve:
0x1218 <execve>:        leal   0x3b,%eax
0x121e <execve+6>:      lcall  0x7,0x0
0x1225 <execve+13>:     jb     0x1210 <atexit+112>
0x1227 <execve+15>:     ret
End of assembler dump.
(gdb) x/bx execve+6
0x121e <execve+6>:      0x9a
0x121f <execve+7>:      0x00
0x1220 <execve+8>:      0x00
0x1221 <execve+9>:      0x00
0x1222 <execve+10>:     0x00
0x1223 <execve+11>:     0x07
0x1224 <execve+12>:     0x00
0x1225 <execve+13>:     0x72
0x1226 <execve+14>:     0xe9

It appears that the lcall instruction has \x00 characters in it... and if I remember right, the shellcode can't contain any \x00's because strcpy (and others) will stop processing the buffer at that point and all the necessary code won't be copied. So if the lcall instruction contains \x00's then is it impossible to use it when writing overflows? This would mean that if freebsd2.2CAM has no other way to call system calls than using lcall, you couldn't successfully use the standard exploit method on suid programs... Now I am by no means an experienced asm programmer, so I don't know if this is correct.. I just found it to be interesting...

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.990210163852.6058A-100000>
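The observation in the message can be checked mechanically. The following C program is an added example written for this archive page; it is not code from the original poster or from FreeBSD. It takes the nine bytes gdb printed at `execve+6` through `execve+14`, decodes the 7-byte far call (`0x9a`, a little-endian 32-bit offset, then a 16-bit selector) and the 2-byte `jb rel8` that follows it, counts the NUL bytes in the far call, and shows how much of that byte sequence a C-string copy such as `strcpy()` would actually transfer before stopping at the first NUL. The function names (`decode_lcall`, `decode_jb`, `strcpy_copied_length`, `strcpy_demo`) and the `struct far_call` layout are the example's own; the byte values and the addresses `0x1225` and `0x1210` come from the gdb output above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The bytes gdb displayed for execve+6 .. execve+14 in the message:
 * lcall 0x7,0x0 (7 bytes) followed by jb (2 bytes). */
static const uint8_t execve_tail[] = {
    0x9a, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00,   /* lcall $0x7,$0x0 */
    0x72, 0xe9                                  /* jb   0x1210      */
};

/* Decoded "CALL ptr16:32": opcode 0x9a, imm32 offset, imm16 selector. */
struct far_call {
    uint32_t offset;    /* 32-bit offset within the target segment */
    uint16_t selector;  /* segment selector (0x7 here, the FreeBSD syscall gate) */
    int      nul_bytes; /* how many of the 7 encoded bytes are 0x00 */
};

/* Decode a far call at p. Returns the instruction length (7) or -1. */
int decode_lcall(const uint8_t *p, size_t len, struct far_call *out)
{
    if (len < 7 || p[0] != 0x9a)
        return -1;
    /* x86 immediates are little-endian: low byte first. */
    out->offset   = (uint32_t)p[1] | ((uint32_t)p[2] << 8)
                  | ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    out->selector = (uint16_t)(p[5] | (p[6] << 8));
    out->nul_bytes = 0;
    for (size_t i = 0; i < 7; i++)
        if (p[i] == 0x00)
            out->nul_bytes++;
    return 7;
}

/* Decode "jb rel8" (0x72 disp8). The target is the address of the next
 * instruction plus the sign-extended displacement. Returns length (2) or -1. */
int decode_jb(const uint8_t *p, size_t len, uint32_t insn_addr, uint32_t *target)
{
    if (len < 2 || p[0] != 0x72)
        return -1;
    *target = insn_addr + 2 + (uint32_t)(int32_t)(int8_t)p[1];
    return 2;
}

/* Model of what strcpy() transfers: everything before the first NUL byte. */
size_t strcpy_copied_length(const uint8_t *buf, size_t len)
{
    const uint8_t *nul = memchr(buf, 0x00, len);
    return nul ? (size_t)(nul - buf) : len;
}

/* Confirm the model against the real strcpy(): copy the byte sequence as a
 * C string and report how many bytes arrived. execve_tail contains a NUL at
 * index 1, so strcpy() terminates long before the end of the array. */
size_t strcpy_demo(void)
{
    char dst[sizeof execve_tail + 1];
    memset(dst, 0xcc, sizeof dst);            /* poison so we see what was written */
    strcpy(dst, (const char *)execve_tail);
    return strlen(dst);
}

int main(void)
{
    struct far_call fc;
    uint32_t target;

    if (decode_lcall(execve_tail, sizeof execve_tail, &fc) == 7)
        printf("lcall $0x%x,$0x%x  (%d of 7 bytes are NUL)\n",
               fc.selector, (unsigned)fc.offset, fc.nul_bytes);
    if (decode_jb(execve_tail + 7, sizeof execve_tail - 7, 0x1225, &target) == 2)
        printf("jb 0x%x\n", (unsigned)target);
    printf("strcpy() would copy %zu of %zu bytes (real strcpy copied %zu)\n",
           strcpy_copied_length(execve_tail, sizeof execve_tail),
           sizeof execve_tail, strcpy_demo());
    return 0;
}
```

Running it reproduces gdb's reading of the bytes (`lcall $0x7,$0x0`, `jb 0x1210`) and shows that five of the seven far-call bytes are NUL, so a `strcpy()` of this sequence stops after the single `0x9a` opcode byte. That is the mechanism behind the poster's question: any byte-exact copy that goes through a C-string function is cut at the first NUL, which is also why defenders reviewing a captured payload can quickly tell whether it could have arrived through such a copy.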