Vulnerability Development mailing list archives

Re: koules buffer overflows


From: typo () INFERNO TUSCULUM EDU (typo () INFERNO TUSCULUM EDU)
Date: Sat, 22 Apr 2000 02:35:09 +0200


On Fri, Apr 21, 2000 at 10:35:40AM -0500, Robert wrote:
client.h:  extern char          servername[256];

This is no classic stack buffer overflow. It's a heap overflow.
Memory looks like this:

$ objdump --all-headers koules.svga | sort | grep -B0 -A3 servername
00000000081aa460 g     O .bss   0000000000000100              servername
00000000081aa560 g     O .bss   0000000000000100              b
00000000081aa660 g     O .bss   0000000000000004              buffer
00000000081aa664 g     O *ABS*  0000000000000000              _end

(gdb) info r
ebx            0x4017748c       1075278988
esp            0xbffffb60       0xbffffb60
eip            0x40126970       0x40126970

%esp is where the top of the stack currently is.
0xbffffb60 - 0x81aa460 = 0xb7e55500

As you can see, that's far off from servername, so no overwriting of EIP
or EBP. So what can you do?

Well, in this special case I don't see much you can do. servername is
near the end of the section; all you can overwrite is b and buffer.
I haven't looked at their specific uses, but looking at their names I doubt
they'll be useful. I can't reproduce your segfault after 2160 bytes, but I
get the same results after 524 bytes. This makes sense, because
0x81aa664 - 0x81aa460 (servername) = 516.
The different results are probably due to different binaries.

For a better understanding of heap overflows i recommend w00w00's
article about them (somewhere on w00w00.org).

Once again, this seems really trivial, but it's a bit more complicated.
The function init is later called in the
function main() of the same file (koules.sndsrv.linux.c); however, that
function main is not the only main.
In svgalib/init.c the function main() is the one that runs, and I haven't
been able to see where in the hell
the OTHER main is called from, or for that matter where any of the
functions of that file are called from.
So as far as this one goes, I have no clue on how to make it overflow.
Once again, any help would be great.

It's a separate binary called from sound.c (line 70).
Without further investigation of the exploit possibilities:

$ ./koules.sndsrv.linux <xxxxx...> x
koules.sndsrv: Couldn't set DSP fragment. Sounds will be ugly and delayed.
Use USS lite driver!
koules.sndsrv: Couldn't set DSP rate!
koules.sndsrv: Couldn't set Fragment Size.
Assuming PC Speaker!
2

Segmentation fault (core dumped)

Hope that helped.

    typo/teso
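The reachability check the post performs by hand (what lies after servername in .bss, and how far the stack pointer is) can be scripted. The following is an added example by the editor, not code from the koules project or from the thread. It parses objdump symbol-table lines of the kind quoted above and the gdb register dump (both copied here as constructed sample input), and reports for a given overflowable global how many bytes past its start each later symbol in the same section and the _end marker lie, plus the distance from the buffer to %esp. The regex assumes the simple six-column symbol lines shown in the post; objdump prints other flag layouts for some symbols, and those lines are skipped.

```python
"""Reachability check for an overflow of a global (.bss/.data) buffer.

Given objdump symbol-table output and a gdb register dump, list what an
unbounded write into one global can clobber, and how far away the stack is.
Example added by the editor; assumes the symbol lines use the six-column
layout (address, flag, type, section, size, name) shown in the post.
"""
import re

# Constructed sample input: the objdump and gdb lines quoted in the thread.
OBJDUMP_LINES = """\
00000000081aa460 g     O .bss   0000000000000100              servername
00000000081aa560 g     O .bss   0000000000000100              b
00000000081aa660 g     O .bss   0000000000000004              buffer
00000000081aa664 g     O *ABS*  0000000000000000              _end
"""

GDB_REGISTERS = """\
ebx            0x4017748c       1075278988
esp            0xbffffb60       0xbffffb60
eip            0x40126970       0x40126970
"""

# address, flag, type, section, size, name
SYM_RE = re.compile(
    r"^([0-9a-f]+)\s+\S+\s+\S+\s+(\S+)\s+([0-9a-f]+)\s+(\S+)\s*$")


def parse_symbols(text):
    """Return [(address, section, size, name)] sorted by address.
    Lines that do not match the simple six-column layout are skipped."""
    syms = []
    for line in text.splitlines():
        m = SYM_RE.match(line.strip())
        if not m:
            continue
        addr, section, size, name = m.groups()
        syms.append((int(addr, 16), section, int(size, 16), name))
    return sorted(syms)


def parse_registers(text):
    """Return {register_name: value} from 'info registers' style lines."""
    regs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            regs[parts[0]] = int(parts[1], 16)
    return regs


def overflow_targets(symbols, victim):
    """For `victim`, list (name, offset) for every symbol at a higher
    address in the same section, plus the _end marker if present.
    `offset` is the number of bytes a write starting at `victim` covers
    before it begins to clobber that symbol."""
    by_name = {s[3]: s for s in symbols}
    v_addr, v_sect, _v_size, _ = by_name[victim]
    targets = []
    for addr, sect, _size, name in symbols:
        if addr <= v_addr:
            continue
        if sect == v_sect or name == "_end":
            targets.append((name, addr - v_addr))
    return targets


def distance_to_stack(symbols, victim, regs):
    """Bytes from the start of `victim` up to the current stack pointer;
    a global overflow cannot reach saved EBP/EIP unless this is small."""
    v_addr = {s[3]: s for s in symbols}[victim][0]
    return regs["esp"] - v_addr


def report(victim="servername"):
    """Human-readable summary, one line per target, as a list of strings."""
    syms = parse_symbols(OBJDUMP_LINES)
    regs = parse_registers(GDB_REGISTERS)
    lines = [f"{victim}+{off}: {name}" for name, off in overflow_targets(syms, victim)]
    lines.append(f"esp - &{victim} = {distance_to_stack(syms, victim, regs):#x}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it against real output with `objdump -x koules.svga | grep ' \.bss '` pasted into OBJDUMP_LINES; the offsets it prints (b at +256, buffer at +512, _end at +516 for this sample) are the write lengths at which each neighbour starts being corrupted. The stack distance is recomputed exactly from the hex values in the register dump.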
