Vulnerability Development mailing list archives
Re: koules buffer overflows
From: typo () INFERNO TUSCULUM EDU
Date: Sat, 22 Apr 2000 02:35:09 +0200
On Fri, Apr 21, 2000 at 10:35:40AM -0500, Robert wrote:
> client.h: extern char servername[256];
This is no classic stack buffer overflow. It's a heap overflow. Memory looks like this:

$ objdump --all-headers koules.svga | sort | grep -B0 -A3 servername
00000000081aa460 g     O .bss   0000000000000100 servername
00000000081aa560 g     O .bss   0000000000000100 b
00000000081aa660 g     O .bss   0000000000000004 buffer
00000000081aa664 g     O *ABS*  0000000000000000 _end

(gdb) info r
ebx            0x4017748c       1075278988
esp            0xbffffb60       0xbffffb60
eip            0x40126970       0x40126970

%esp is where the top of stack currently is.. 0xbffffb60 - 0x81aa460 = 0xb7e55500, as you can see that's far off from servername... so no overwriting of EIP or EBP.

So what can you do? Well.. in this special case I don't see much you can do.. servername is near the end of the section, all you can overwrite is b and buffer. I haven't looked at their specific uses, but looking at their names I doubt they'll be useful.

I can't reproduce your segfault after 2160 bytes, but I get the same results after 524 bytes. This makes sense, because 0x81aa664 - 0x81aa460 (servername) = 516. The different results probably are due to different binaries.

For a better understanding of heap overflows I recommend w00w00's article about them (somewhere on w00w00.org).
> Once again, this seems really trivial, but it's a bit more complicated. The function init is later called in the function main() of the same file (koules.sndsrv.linux.c). However, that function main is not the only main. In svgalib/init.c the function main() is the one that runs, and I haven't been able to see where in the hell the OTHER main is called from, or for that matter where any of the functions of that file are called from. So as far as this one goes, I have no clue on how to make it overflow. Once again, any help would be great.
It's a separate binary called from sound.c (line 70). Without further investigation of the exploit possibilities:

$ ./koules.sndsrv.linux <xxxxx...> x
koules.sndsrv: Couldn't set DSP fragment. Sounds will be ugly and delayed. Use USS lite driver!
koules.sndsrv: Couldn't set DSP rate!
koules.sndsrv: Couldn't set Fragment Size. Assuming PC Speaker!
2
Segmentation fault (core dumped)

Hope that helped.

typo/teso
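The reasoning in the reply above (servername sits near the end of .bss, so an overrun can only reach b and buffer before hitting _end, 516 bytes away) can be made mechanical. The following is an added example, not koules code and not the poster's: it parses symbol lines in the layout `objdump --all-headers` prints, computes the distance from a global buffer to a limit symbol, and lists which sized symbols a write of a given length starting at that buffer would overlap. The four sample lines are reconstructed from the post with column spacing assumed; `set_bounded` is a generic illustration of the fix (refuse input that does not fit the 256-byte array) rather than a patch to the game.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not koules code): reason about what an overrun of a
 * global buffer in .bss can reach, using the symbol lines from the post. */

struct sym {
    unsigned long addr;
    unsigned long size;
    char name[64];
};

/* Constructed input: the four objdump symbol lines quoted in the post. */
static const char *SAMPLE_SYMTAB[] = {
    "00000000081aa460 g     O .bss   0000000000000100 servername",
    "00000000081aa560 g     O .bss   0000000000000100 b",
    "00000000081aa660 g     O .bss   0000000000000004 buffer",
    "00000000081aa664 g     O *ABS*  0000000000000000 _end",
};
#define SAMPLE_COUNT (sizeof SAMPLE_SYMTAB / sizeof SAMPLE_SYMTAB[0])

/* Parse one symbol line: first token is the address, last token the name,
 * second-to-last the size (both hex). The flags column in between has a
 * variable number of tokens, so we tokenize and index from the ends.
 * Returns 1 on success, 0 on a malformed line. */
int parse_sym_line(const char *line, struct sym *out)
{
    char buf[256];
    char *tok[32];
    int n = 0;

    if (strlen(line) >= sizeof buf)
        return 0;
    strcpy(buf, line);
    for (char *p = strtok(buf, " \t"); p && n < 32; p = strtok(NULL, " \t"))
        tok[n++] = p;
    if (n < 3)
        return 0;
    out->addr = strtoul(tok[0], NULL, 16);
    out->size = strtoul(tok[n - 2], NULL, 16);
    strncpy(out->name, tok[n - 1], sizeof out->name - 1);
    out->name[sizeof out->name - 1] = '\0';
    return 1;
}

/* Look a symbol up by name. Returns 1 if found. */
static int find_sym(const char **lines, size_t n, const char *name, struct sym *out)
{
    for (size_t i = 0; i < n; i++)
        if (parse_sym_line(lines[i], out) && strcmp(out->name, name) == 0)
            return 1;
    return 0;
}

/* Bytes from the start of `base` to the address of `limit`
 * (the post computes servername -> _end = 516). Returns -1 if missing. */
long bytes_to_symbol(const char **lines, size_t n, const char *base, const char *limit)
{
    struct sym b, l;
    if (!find_sym(lines, n, base, &b) || !find_sym(lines, n, limit, &l))
        return -1;
    return (long)(l.addr - b.addr);
}

/* Names of the sized symbols other than `base` whose storage overlaps
 * [base, base+len), i.e. what a write of `len` bytes starting at `base`
 * would clobber. Returns the count; up to `max` names are copied to out[]. */
size_t symbols_in_reach(const char **lines, size_t n, const char *base,
                        unsigned long len, char out[][64], size_t max)
{
    struct sym b, s;
    size_t count = 0;
    if (!find_sym(lines, n, base, &b))
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (!parse_sym_line(lines[i], &s) || s.size == 0 || strcmp(s.name, base) == 0)
            continue;
        if (s.addr < b.addr + len && s.addr + s.size > b.addr) {
            if (count < max)
                strcpy(out[count], s.name);
            count++;
        }
    }
    return count;
}

/* The fix side (illustrative, not koules code): a bounded setter that
 * rejects input that would not fit, instead of copying blindly into a
 * fixed 256-byte global. Returns 0 on success, -1 if too long. */
int set_bounded(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0 || len >= cap)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    char names[8][64];
    long d = bytes_to_symbol(SAMPLE_SYMTAB, SAMPLE_COUNT, "servername", "_end");
    size_t k = symbols_in_reach(SAMPLE_SYMTAB, SAMPLE_COUNT, "servername", 524, names, 8);
    printf("servername -> _end: %ld bytes\n", d);
    printf("a 524-byte write from servername overlaps %zu other symbol(s):", k);
    for (size_t i = 0; i < k && i < 8; i++)
        printf(" %s", names[i]);
    printf("\n");
    return 0;
}
```

Feed it the real `objdump` lines for a binary of interest and it reproduces the post's 516-byte figure and names the globals an overrun can touch, which is the first question to answer when assessing whether a .bss overflow is worth worrying about.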
Current thread:
- koules buffer overflows Robert (Apr 21)
- Re: koules buffer overflows typo () INFERNO TUSCULUM EDU (Apr 21)
- Re: koules buffer overflows typo () INFERNO TUSCULUM EDU (Apr 21)
- Re: koules buffer overflows typo () INFERNO TUSCULUM EDU (Apr 21)