Vulnerability Development mailing list archives
Re: Regex or Progress? Whos fault? - How to exploit free()
From: KF <dotslash () snosoft com>
Date: Mon, 25 Mar 2002 12:20:54 -0500
3APA3A wrote:
> Dear KF,
>
> free() failed because there was a heap overflow before free() was called and the memory chunk was overwritten by your data ("AAA..."). So the bug is definitely NOT in regexp, but in progress itself, because the overflow was before the destructor was ever called. This kind of overflow may be exploitable.

While we are on the subject of free() ... can someone explain to me why a series of jmps needs to be placed in front of the shellcode during an attempt to use the "unlink macro" to execute shellcode? Here are my notes from attempting to exploit free() on a PowerPC box. Here's a snapshot of the chunk I would use to take advantage of a test program.

Starting program: /root/./freeme
chunk is at 0x100107d8

Program received signal SIGSEGV, Segmentation fault.
0xff3ae04 in free () from /lib/libc.so.6
(gdb) x/10a 0x100107d8
0x100107d8:     0xfffffff0      0x8             0x41414141      0x42424242
                <prev_size>     <size>          <fd or data>    <bk or data>
0x100107e8:     0x0             0x0             0x43434340      0x44444444
                                                <return>        <shellcode>

As I understand free() exploitation (I could be wrong as I am learning)... In the areas represented above by 0x41414141, 0x42424242 and 0x44444444 I should place the address of my shellcode. In the area noted as 0x43434340 I need to place the address of the GOT table entry I want to change minus 12 (on ppc; -4 on intel?).

[root@ibook root]# objdump -R freeme | grep exit
100108c0 R_PPC_JMP_SLOT    exit

So when I put all that together and test it with the sample program I come up with the following.

(gdb) r
Starting program: /root/./freeme
chunk is at 0x10010910
shellcode is at 0x7ffff7e8
address written

Program received signal SIGILL, Illegal instruction.
0x100108c0 in exit ()
(gdb) x/10a 0x100108c0
0x100108c0 <exit>:      0x7ffff7e8      0x4bffffa4      0x4bf2a3e4      0x4bffff9c
0x100108d0 <free+8>:    0x0     0x0     0x0     0x0
0x100108e0 <free+24>:   0x0     0x0
(gdb) x/10s 0x7ffff7e8
0x7ffff7e8:     "8`\00178c?o^\020\001\b?\177A`\036pDy"y"\002|?*x@\202y"i'\177e`\002&;y"\00108\177?o^\220ay"?\220?y"u"8\201y"?;A`\001`\177A`.pDy"y"\002/bin/sh"

As you can see the first address in exit() now points to my shellcode located at 0x7ffff7e8... and my shellcode is definitely there. However I just get a SIGILL. I assume this is due to the fact that I need some jmps before my shellcode.... Can someone shed some light on this for me? Also, who knows the equivalent of a "short jmp" on ppc hardware?

-KF
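Added example, not code from KF or anyone in this thread: a C model of the unlink step the post relies on (two pointer writes through a free chunk's fd and bk), beside the safe-unlinking check that later glibc versions perform before those writes and that aborts with "corrupted double-linked list". It shows why the second write lands inside whatever bk points at, and why a chunk whose neighbours do not point back at it is refused. Field offsets are the host's, not the 32-bit PPC layout in the gdb dump; the chunks are constructed locals.

```c
#include <stddef.h>

/* Free-chunk header as the post reads it out of gdb: <prev_size> <size> <fd> <bk>.
 * Constructed model; field offsets are the host's, not 32-bit PPC's. */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk;

/* The classic dlmalloc unlink macro: two pointer writes with no validation. */
static void unlink_unchecked(chunk *p) {
    chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;   /* write #1: BK stored at FD + offsetof(bk) */
    bk->fd = fd;   /* write #2: FD stored at BK + offsetof(fd) */
}

/* Safe unlinking: refuse unless both neighbours still point back at p
 * (the check glibc later added; failure aborts the process). */
static int unlink_checked(chunk *p) {
    chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* An intact list a <-> p <-> b unlinks p cleanly under the checked variant. */
int demo_intact_list_ok(void) {
    chunk a = {0}, p = {0}, b = {0};
    a.fd = &p; p.bk = &a; p.fd = &b; b.bk = &p;
    return unlink_checked(&p) == 0 && a.fd == &b && b.bk == &a;
}

/* Overflowed chunk: fd and bk point at arbitrary locations (in the post, a GOT
 * slot minus 12 and the payload buffer), not at list neighbours.  Both stand-ins
 * are constructed locals.  Returns -1 if the checked unlink refused, otherwise
 * the number of writes the unchecked macro performed. */
int demo_corrupted_chunk(int use_check) {
    chunk target = {0}, payload = {0}, p = {0};
    p.fd = &target;
    p.bk = &payload;
    if (use_check)
        return unlink_checked(&p);        /* neither stand-in points back at p */
    unlink_unchecked(&p);
    int writes = 0;
    if (target.bk == &payload) writes++;  /* write #1 replaced target's slot */
    if (payload.fd == &target) writes++;  /* write #2 modified the payload area */
    return writes;
}
```

Write #2 is the reason bytes inside the bk-targeted area are altered by the free() itself; the checked variant never reaches either write once the back-pointers fail to match.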