Vulnerability Development mailing list archives
Re: heap overflows
From: <sigsegv () ureach com>
Date: 27 Feb 2004 05:37:28 -0000
In-Reply-To: <20040227015333.879B633C18 () sig11 zemos net>
Quoting Vlad902 <vlad () sig11 zemos net>, Thu, 26 Feb 2004 17:53:33 -0000, Subject: Re: heap overflows, Message-Id: <20040227015333.879B633C18 () sig11 zemos net>:

> printf("copied");
> free(malloced_buffer1);
> free(malloced_buffer2);
>
> This part of the code is incorrect, you're depending on the first chunk to hold your shellcode, and you are freeing it before you overwrite the GOT with the free(malloced_buffer2);. Also you don't have a printf(); statement after the free(malloced_buffer2); so it never returns to the shellcode (if it was there)!
>
> I recommend you remove the free(malloced_buffer1); and instead of messing with the GOT just overwrite __DTOR_END__ and be lazy :) You may also, just for debugging purposes, add a "\xcc\xcc" instead of "\xeb\x0c", which will make it a trace/breakpoint trap, so that if it ever hits it, your program will stop with a trace/breakpoint trap and will core dump, so you know it is hitting the shellcode.
Oops... I think I mistyped something in this email. Here is how I actually had it:

...
strcpy(malloced_buffer1, argv[1]);
free(malloced_buffer1);
printf("something inconsequential");
free(malloced_buffer2);
/* end of main */

As you rightly said, I placed the printf between the two free's so that the first free would allow me to overwrite the GOT of the following printf. Things did work still.... does gcc3 or the version of glibc I'm using have any heap protections in place?

Thanks for your reply
--sigsegv.
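The sequence sigsegv describes (unchecked strcpy into the first chunk, free, printf, free) beside a bounded version of the same flow, as an added example in C. This is not code from the thread or from either poster; the 32-byte chunk size, the function names and the sample input are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE 32   /* assumed allocation size; the thread does not give one */

/*
 * Mirrors the sequence in the thread: two adjacent heap chunks, an unchecked
 * strcpy into the first, free(), a printf(), free(). With input longer than
 * CHUNK_SIZE-1 the copy runs into the second chunk's malloc header, which is
 * the corruption the thread is about. Only call this with input that fits.
 */
void thread_flow_unchecked(const char *input) {
    char *malloced_buffer1 = malloc(CHUNK_SIZE);
    char *malloced_buffer2 = malloc(CHUNK_SIZE);
    if (!malloced_buffer1 || !malloced_buffer2) {
        free(malloced_buffer1);
        free(malloced_buffer2);
        return;
    }
    strcpy(malloced_buffer1, input);     /* no length check: the bug */
    free(malloced_buffer1);
    printf("something inconsequential\n");
    free(malloced_buffer2);
}

/* Bounded copy: returns 0 on success, -1 if src (plus its NUL) does not fit in dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size)
        return -1;                       /* reject rather than write past the chunk */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same flow with the copy checked and pointers cleared after free(). */
int thread_flow_checked(const char *input) {
    char *malloced_buffer1 = malloc(CHUNK_SIZE);
    char *malloced_buffer2 = malloc(CHUNK_SIZE);
    int rc = -1;
    if (malloced_buffer1 && malloced_buffer2)
        rc = copy_bounded(malloced_buffer1, CHUNK_SIZE, input);
    free(malloced_buffer1);
    malloced_buffer1 = NULL;             /* a later accidental free() is then a no-op */
    printf("something inconsequential\n");
    free(malloced_buffer2);
    malloced_buffer2 = NULL;
    return rc;
}

int main(int argc, char **argv) {
    /* constructed sample input when no argument is given */
    const char *input = argc > 1 ? argv[1] : "constructed sample input";
    if (thread_flow_checked(input) != 0) {
        fprintf(stderr, "input of %zu bytes rejected: would overflow a %d-byte chunk\n",
                strlen(input), CHUNK_SIZE);
        return 1;
    }
    return 0;
}
```

The bounded copy is what removes the bug; the pointer clearing only makes a repeated free() harmless. On the question of heap protections: later glibc versions validate the fd/bk pointers of a chunk while unlinking it and abort with a message such as "corrupted double-linked list" when they do not point back at the chunk, which is why the overwrite described in the thread no longer lands on current systems.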
Current thread:
- heap overflows sigsegv (Feb 26)
- Re: heap overflows Steven Hill (Feb 26)
- <Possible follow-ups>
- Re: heap overflows Vlad902 (Feb 26)
- Re: heap overflows sigsegv (Feb 27)
- Re: heap overflows Vlad902 (Feb 27)