Re: heap overflows

[<sigsegv () ureach com>]

In-Reply-To: <20040227015333.879B633C18 () sig11 zemos net>

> Received: (qmail 6295 invoked from network); 27 Feb 2004 01:26:42 -0000
> Received: from outgoing2.securityfocus.com (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 27 Feb 2004 01:26:42 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 330B490010; Thu, 26 Feb 2004 13:59:43 -0700 (MST)
> Mailing-List: contact vuln-dev-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <vuln-dev.list-id.securityfocus.com>
> List-Post: <mailto:vuln-dev () securityfocus com>
> List-Help: <mailto:vuln-dev-help () securityfocus com>
> List-Unsubscribe: <mailto:vuln-dev-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:vuln-dev-subscribe () securityfocus com>
> Delivered-To: mailing list vuln-dev () securityfocus com
> Delivered-To: moderator for vuln-dev () securityfocus com
> Received: (qmail 23695 invoked from network); 26 Feb 2004 19:43:24 -0000
> Date: Thu, 26 Feb 2004 17:53:33 -0000
> From: "Vlad902" <vlad () sig11 zemos net>
> To: vuln-dev () securityfocus com
> Cc: sigsegv () ureach com
> Reply-To: "Vlad902" <vlad () sig11 zemos net>
> Subject: Re: heap overflows
> X-Priority: 3
> X-Mailer: UebiMiau 2.7.2
> X-Original-IP: 66.133.243.186
> Content-Transfer-Encoding: 8bit
> X-MSMail-Priority: Medium
> Importance: Medium
> Content-Type: text/plain; charset="iso-8859-1";
> MIME-Version: 1.0
> Message-Id: <20040227015333.879B633C18 () sig11 zemos net>
>
> >      printf("copied");
> >      free(malloced_buffer1);
> >      free(malloced_buffer2);
>
> This part of the code is incorrect, you're depending
> on the first chunk to hold your shellcode, and you
> are freeing it before you overwrite the GOT with the
> free(malloced_buffer2);. Also you don't a printf();
> statement after the free(malloced_buffer2); so it
> never returns to the shellcode (if it was there)! I
> recommend you remove the free(malloced_buffer1); and
> instead of messing with the GOT instead instead just
> overwrite __DTOR_END__ and be lazy :)
>
>
> You may also just for debugging purposes add a
> "xccxcc" instead of "xebx0c", which will make
> it a trace/breakpoint trap, so that if it ever
> hits it, your program will stop with a
> trace/breakpoint trap and will core dump, so you
> know it is hitting the shellcode.
oops...i think i mistyped something in this email. Here is how i actually had it:
...
strcpy(malloced_buffer1,argv[1]);
free(malloced_buffer1);
printf("something inconsequential");
free(malloced_buffer2);
/* end of main */

As u rightly said, i placed the printf between the two free's so that the first free would allow me to overwrite the 
GOT of the following printf.
Things did work still....does gcc3 or the version of glibc i'm using has any heap protections in place? 
thanks for ur reply --sigsegv.