Vulnerability Development mailing list archives
Re: overwriting .dtors using gcc 3
From: DownBload <downbload () hotmail com>
Date: 7 Oct 2003 18:20:09 -0000
In-Reply-To: <20031004015114.4815.qmail () sf-www2-symnsj securityfocus com>

Hi,

Yes, there is a problem with exploitation of "data section" buffer overflows in newer gcc's if you want to overwrite the .dtors section. Here is an example:

level16.c
---cut here---
/*
   W4rCr0-21 - LEVEL XVI
   coded by DownBload

   TIP: What about .data??? Simple...
*/

#include <stdio.h>
#include <stdlib.h>

int main (int argc, char **argv)
{
    static char in[256] = "FUCKYOUASSHOLE!!!";   /* <- this will be in .data section */

    system ("/usr/bin/clear");
    printf ("#########################\n");
    printf ("# W4rCr0-21 - LEVEL XVI #\n");
    printf ("#########################\n");
    printf ("- What can you do with this???\n\n");
    printf ("> This wargame is c00l, isn't it???\n");
    gets (in);                                  /* unbounded read into the .data buffer: the intended overflow */
    return 0;
}
---cut here---

On older gcc, everything is ok:

# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
# gcc level16.c -o level16
# objdump -h ./level16
.......
 13 .rodata       000000e5  080484e0  080484e0  000004e0  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .data         00000120  080495e0  080495e0  000005e0  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 15 .eh_frame     00000004  08049700  08049700  00000700  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 .ctors        00000008  08049704  08049704  00000704  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 17 .dtors        00000008  0804970c  0804970c  0000070c  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 18 .got          00000028  08049714  08049714  00000714  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 19 .dynamic      000000a0  0804973c  0804973c  0000073c  2**2
.......

So, we have the .data, .eh_frame, .ctors and .dtors sections. Our variable (static char in[256]) is in the .data section and it is easy to overwrite .dtors. But in newer gcc we have problems...

# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-linux/2.95.4/specs
gcc version 2.95.4 20011002 (Debian prerelease)
# gcc level16.c -o level16
# objdump -h ./level16
.....
 13 .rodata       000000e5  080484e0  080484e0  000004e0  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .data         00000120  08049640  08049640  00000640  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 15 .eh_frame     00000004  08049760  08049760  00000760  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 .dynamic      000000c8  08049764  08049764  00000764  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 17 .ctors        00000008  0804982c  0804982c  0000082c  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 18 .dtors        00000008  08049834  08049834  00000834  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 19 .got          00000028  0804983c  0804983c  0000083c  2**2
.....

Now we see the .dynamic section between the .data and .dtors sections. That section will be overflowed if we want to overflow .dtors, and that is not good. The .dtors technique will still work for format string bugs, wild pointers etc.
From: <mvoropaev () hotmail com>
To: vuln-dev () securityfocus com
Subject: overwriting .dtors using gcc 3

Could anyone please tell why the standard technique of overwriting the .dtors section (overflow) does not work with gcc3?
Regards, DownBload / Illegal Instruction Labs
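An added example, not part of DownBload's post: a small Python parser for the `objdump -h` lines he quotes that lists which sections a write running past the end of .data crosses before it reaches .dtors in each build, and the distance between the two section starts. The dump text is copied from the post with the flag lines dropped; the function names are my own.

```python
import re
from typing import List, Tuple

# `objdump -h` section lines copied from the post (flag lines dropped):
# egcs-2.91.66 build first, gcc 2.95.4 build second.
OBJDUMP_OLD = """\
 14 .data         00000120  080495e0  080495e0  000005e0  2**5
 15 .eh_frame     00000004  08049700  08049700  00000700  2**2
 16 .ctors        00000008  08049704  08049704  00000704  2**2
 17 .dtors        00000008  0804970c  0804970c  0000070c  2**2
 18 .got          00000028  08049714  08049714  00000714  2**2
"""
OBJDUMP_NEW = """\
 14 .data         00000120  08049640  08049640  00000640  2**5
 15 .eh_frame     00000004  08049760  08049760  00000760  2**2
 16 .dynamic      000000c8  08049764  08049764  00000764  2**2
 17 .ctors        00000008  0804982c  0804982c  0000082c  2**2
 18 .dtors        00000008  08049834  08049834  00000834  2**2
"""

# Columns: Idx Name Size VMA LMA File-off Algn; we keep Name, Size and VMA.
SECTION_RE = re.compile(r"^\s*\d+\s+(\S+)\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s")

def parse_sections(dump: str) -> List[Tuple[str, int, int]]:
    """(name, vma, size) for every section line, in the order objdump printed them."""
    secs = []
    for line in dump.splitlines():
        m = SECTION_RE.match(line)
        if m:
            secs.append((m.group(1), int(m.group(3), 16), int(m.group(2), 16)))
    return secs

def sections_between(dump: str, src: str = ".data", dst: str = ".dtors") -> List[str]:
    """Sections that start at or after the end of `src` and before `dst`.

    A linear overflow out of `src` runs through all of them before it reaches
    `dst`; when .dynamic is in the list (the gcc 2.95.4 layout) the dynamic
    linker's tables are clobbered first, which is the post's point.
    """
    secs = parse_sections(dump)
    addr = {name: (vma, size) for name, vma, size in secs}
    src_end = addr[src][0] + addr[src][1]
    dst_vma = addr[dst][0]
    return [name for name, vma, _ in secs if src_end <= vma < dst_vma]

def distance(dump: str, src: str = ".data", dst: str = ".dtors") -> int:
    """Bytes from the start of `src` to the start of `dst`: 300 (old) vs 500 (new)."""
    addr = {name: vma for name, vma, _ in parse_sections(dump)}
    return addr[dst] - addr[src]
```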