Vulnerability Development mailing list archives

Re: overwriting .dtors using gcc 3


From: DownBload <downbload () hotmail com>
Date: 7 Oct 2003 18:20:09 -0000

In-Reply-To: <20031004015114.4815.qmail () sf-www2-symnsj securityfocus com>

Hi,

Yes, there is a problem with exploitation of "data section" buffer overflows in newer gccs if you want to overwrite the
.dtors section.
Here is an example:

level16.c
---cut here---
/*
  W4rCr0-21 - LEVEL XVI coded by DownBload

  TIP: What about .data??? Simple... 
*/

#include <stdio.h>
#include <stdlib.h>

int
main (int argc, char **argv)
{
 /* initialised static array: placed in the .data section, not on the stack */
 static char in[256]="FUCKYOUASSHOLE!!!";    // <- this will be in .data section
  
 system ("/usr/bin/clear");

 printf ("#########################\n");
 printf ("# W4rCr0-21 - LEVEL XVI #\n");
 printf ("#########################\n");
 printf ("- What can you do with this???\n\n");

 printf ("> This wargame is c00l, isn't it???\n");
 /* gets() has no length limit: this is the intended overflow of the level */
 gets (in);

 return 0;
}
---cut here---


On older gcc, everything is ok:

# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
# gcc level16.c -o level16
# objdump -h ./level16

 .......
 13 .rodata       000000e5  080484e0  080484e0  000004e0  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .data         00000120  080495e0  080495e0  000005e0  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 15 .eh_frame     00000004  08049700  08049700  00000700  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 .ctors        00000008  08049704  08049704  00000704  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 17 .dtors        00000008  0804970c  0804970c  0000070c  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 18 .got          00000028  08049714  08049714  00000714  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 19 .dynamic      000000a0  0804973c  0804973c  0000073c  2**2
 .......
 
So, we have the .data, .eh_frame, .ctors and .dtors sections. Our variable (static char in[256]) is in the .data section and it 
is easy to overwrite .dtors.


But in newer gcc we have problems...

#gcc -v
Reading specs from /usr/lib/gcc-lib/i386-linux/2.95.4/specs
gcc version 2.95.4 20011002 (Debian prerelease)
# gcc level16.c -o level16
# objdump -h ./level16
 .....
 13 .rodata       000000e5  080484e0  080484e0  000004e0  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .data         00000120  08049640  08049640  00000640  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 15 .eh_frame     00000004  08049760  08049760  00000760  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 .dynamic      000000c8  08049764  08049764  00000764  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 17 .ctors        00000008  0804982c  0804982c  0000082c  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 18 .dtors        00000008  08049834  08049834  00000834  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 19 .got          00000028  0804983c  0804983c  0000083c  2**2
 .....


Now we see the .dynamic section between the .data and .dtors sections.  That section will be overwritten if we want to overflow 
into .dtors, and that is not good.
The .dtors technique will still work for format string bugs, wild pointers etc.


From: <mvoropaev () hotmail com>
To: vuln-dev () securityfocus com
Subject: overwriting .dtors using gcc 3



Could anyone please tell why the standard technique of overwriting .dtors section (overflow) does not work with gcc3?



Regards, 
DownBload / Illegal Instruction Labs
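As an added illustration (not part of the original post), a small Python check that parses `objdump -h` listings like the two above and reports how far the start of .dtors lies from the start of .data and which sections an overflow from .data would have to cross on the way. The section names and addresses are copied from the post's listings; the function names are my own.

```python
import re

# Section lines copied from the two objdump -h listings in the post
# (the CONTENTS/ALLOC flag lines are omitted; the parser ignores them anyway).
OLD_GCC = """\
 14 .data         00000120  080495e0  080495e0  000005e0  2**5
 15 .eh_frame     00000004  08049700  08049700  00000700  2**2
 16 .ctors        00000008  08049704  08049704  00000704  2**2
 17 .dtors        00000008  0804970c  0804970c  0000070c  2**2
 18 .got          00000028  08049714  08049714  00000714  2**2
"""
NEW_GCC = """\
 14 .data         00000120  08049640  08049640  00000640  2**5
 15 .eh_frame     00000004  08049760  08049760  00000760  2**2
 16 .dynamic      000000c8  08049764  08049764  00000764  2**2
 17 .ctors        00000008  0804982c  0804982c  0000082c  2**2
 18 .dtors        00000008  08049834  08049834  00000834  2**2
 19 .got          00000028  0804983c  0804983c  0000083c  2**2
"""

# objdump -h columns: <idx> <name> <size> <vma> <lma> <file off> <align>
SECTION_RE = re.compile(r"^\s*\d+\s+(\S+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+[0-9a-f]+", re.I)

def parse_objdump_h(text):
    """Return [(name, vma, size)] for every section line, sorted by virtual address."""
    secs = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name, size, vma = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
            secs.append((name, vma, size))
    return sorted(secs, key=lambda s: s[1])

def overflow_path(secs, src=".data", dst=".dtors"):
    """Bytes from the start of src to the start of dst, plus the names of all
    sections whose bytes a linear overflow from src would cross before dst."""
    by_name = {n: (v, s) for n, v, s in secs}
    src_vma, dst_vma = by_name[src][0], by_name[dst][0]
    crossed = [n for n, v, s in secs
               if n not in (src, dst) and v < dst_vma and v + s > src_vma]
    return dst_vma - src_vma, crossed

if __name__ == "__main__":
    for label, dump in (("older gcc", OLD_GCC), ("newer gcc", NEW_GCC)):
        dist, crossed = overflow_path(parse_objdump_h(dump))
        print(f"{label}: .dtors starts {dist} bytes after .data; overflow crosses {crossed}")
```

Running it shows that only the newer layout puts .dynamic on the path, which is exactly why the overflow clobbers it before reaching .dtors.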

