Vulnerability Development mailing list archives

Re: static char overflow


From: Sebastian <scut () nb in-berlin de>
Date: Thu, 2 May 2002 19:36:46 +0200


Hi.


On Thu, May 02, 2002 at 08:00:27PM +0800, - OUAH - wrote:

> you can see your buffer is located at bss section and there isn't another
> contiguous section after.

There is no static heap section afterwards, that's indeed true. But the
entire dynamic heap is initialized after the .bss section, and you can write
to it.

> you can make the vulnerable proggie segfault but only as it writes to an
> unauthorized section (you cannot write after the bss section!). So this
> code is NOT exploitable (you can have a DoS but you cannot get a shell) in
> modern Linux.

I disagree. It's not exploitable in this simple example, as there is not much
code executed thereafter. But if there is some code that touches the dynamic
heap somehow (malloc, free, pointer writes, function pointers, anything
dynamic such as linked lists, ...) it would most likely be possible.


> Maybe it can be exploitable in other OSes (and what about other file formats
> than ELF?). I heard that it can be exploited in old Linux if it is
> compiled as static (as ELF sections will not be in the same order).

No, when the binary is compiled static (under Linux with the GNU toolchain),
there are the __atexit structures behind static buffers, which can be
exploited to seize control. For further information refer to Pascal
Bouchareine's explanation of the technique.


> Note: If your buffer was initialised (=> goes to the .data section), you could
> overwrite the dtors section and exploit it.

Indeed this would be possible.


> Bye,
> OUAH

ciao,
scut :)

-- 
-. scut () nb in-berlin de -. + http://segfault.net/~scut/ `--------------------.
-' segfault.net/~scut/pgp `' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
`- complete HTCIA database obtained, exchange as usual. hi echelon ----------'
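As an added illustration of the layout scut describes, not code from either poster: a constructed C program with an initialised static array (.data), an uninitialised one (.bss) and a malloc'd chunk, checking at run time that the heap lies above .bss, plus a bounded store that cannot run past the static buffer. Buffer and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffers, constructed for this example: an initialised
   array is placed in .data, an uninitialised one in .bss. */
static char data_buf[64] = "initialised";
static char bss_buf[64];

/* 1 if the .data array precedes the .bss array (the usual GNU ld section order). */
int data_is_before_bss(void)
{
    return (uintptr_t)data_buf < (uintptr_t)bss_buf;
}

/* 1 if a freshly malloc'd chunk lies above bss_buf (0 otherwise, -1 if malloc
   fails). On Linux the brk heap begins after the end of .bss, so a write
   running past bss_buf heads into heap memory, not into an unmapped gap. */
int heap_is_after_bss(void)
{
    char *chunk = malloc(128);
    if (chunk == NULL)
        return -1;
    int after = (uintptr_t)chunk > (uintptr_t)bss_buf;
    free(chunk);
    return after;
}

/* Hardened store into the static buffer: rejects input that does not fit
   with its terminator, so the copy can never run off the end of bss_buf.
   Returns 0 on success, -1 (leaving bss_buf empty) when src is too long. */
int store_bounded(const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof(bss_buf)) {
        bss_buf[0] = '\0';
        return -1;
    }
    memcpy(bss_buf, src, n + 1);
    return 0;
}

int main(void)
{
    printf(".data at %p, .bss at %p, heap after .bss: %d, .data before .bss: %d\n",
           (void *)data_buf, (void *)bss_buf, heap_is_after_bss(), data_is_before_bss());
    return 0;
}
```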

