Vulnerability Development mailing list archives

Re: Fw: wu-ftpd glob vulnerability


From: "Roland Postle" <mail () blazde co uk>
Date: Tue, 29 Oct 2002 23:37:45 +0000

On Tue, 29 Oct 2002 13:26:47 +0100, Federico Romeo wrote:

How is it possible to execute malicious code on the server if I can't pass a
particular address to __libc_free()?
It seems that the address passed to __libc_free() is always fixed by the
system and it's impossible to change it by sending commands to the server.

Can you please explain to me where the mistakes in my method are?


It's the block after the one that's being freed that gets overwritten.
Something like this:

Before Overflow:
(@0x8086d8c)________________________XXXXXXXX_________etc...
After Overflow:
(@0x8086d8c)XXXXAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_______etc....

XXXXs are the heap control data, flags and pointers and such. I think
the first XXXX (0x4015ad68 in your case) has been written by free()
before it faults, but don't quote me on that.

The typical technique is to overwrite the next block so it looks like
it's free space (whether it is or not doesn't usually matter). Free()
will then try to combine that space with your newly freed space to
make one big free space. In doing that it moves some pointers around
and you end up being able to overwrite one address of your choosing
with data of your choosing.

Read some articles cos they'll explain it better than I ever could:

http://www.phrack.com/show.php?p=57&a=8
http://www.phrack.com/show.php?p=57&a=9

This one isn't working right now, but it's available elsewhere and a
pretty good read, I seem to remember:
http://www.w00w00.org/files/articles/heaptut.txt

- Blazde
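The consolidation step Roland describes (free() unlinking the neighbouring chunk by rewriting its fd/bk pointers) is what turns a plain heap overflow into an overwrite of an address the allocator trusts. The following C program is an added illustration, not code from this thread, wu-ftpd or glibc: it models a dlmalloc-style free chunk with a toy struct (the real glibc layout differs), shows the era's unchecked unlink() writing through whatever links the header carries, and beside it the integrity check later allocators added, which refuses a header whose neighbours do not point back at it (glibc reports this as "corrupted double-linked list"). The forged links point at a decoy struct of the program's own so the demonstration stays memory-safe; chunk sizes and the list shape are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a dlmalloc-style free-chunk header (assumption: not
 * glibc's actual struct layout): size/flags word, then the free-list
 * links that unlink() rewrites when free() consolidates neighbours. */
typedef struct chunk {
    size_t size;        /* chunk size; low bit = previous chunk in use */
    struct chunk *fd;   /* forward link on the free list */
    struct chunk *bk;   /* backward link on the free list */
} chunk;

/* unlink() as 2002-era allocators did it: fd and bk are trusted, so
 * both stores land wherever the (possibly overwritten) header says. */
void unlink_unchecked(chunk *p) {
    chunk *f = p->fd, *b = p->bk;
    f->bk = b;
    b->fd = f;
}

/* unlink() with the integrity check later added to glibc: both
 * neighbours must link back to p. Returns 0 on success, -1 if the
 * list is corrupted and nothing is written. */
int unlink_checked(chunk *p) {
    if (p->fd->bk != p || p->bk->fd != p)
        return -1;
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    return 0;
}

/* Circular free list head <-> a <-> b <-> head, in caller storage. */
static void build_list(chunk *head, chunk *a, chunk *b) {
    head->fd = a;  head->bk = b;
    a->fd = b;     a->bk = head;
    b->fd = head;  b->bk = a;
    head->size = a->size = b->size = 32;   /* constructed sizes */
}

/* Intact list: the checked unlink removes a and returns 0. */
int scenario_intact(void) {
    chunk head, a, b;
    build_list(&head, &a, &b);
    if (unlink_checked(&a) != 0) return -1;
    return (head.fd == &b && b.bk == &head) ? 0 : -2;
}

/* The header of the chunk after an overflowed buffer has been
 * overwritten so it "looks free" and its links point elsewhere
 * (a decoy struct here, so the demo cannot corrupt real memory).
 * The unchecked unlink writes through those links; the checked one
 * refuses. Returns the checked result; *hit records whether the
 * unchecked variant modified the decoy. */
int scenario_forged(int *hit) {
    chunk next  = {32, NULL, NULL};
    chunk decoy = {0, NULL, NULL};
    next.fd = &decoy;    /* forged link */
    next.bk = &decoy;    /* forged link */

    unlink_unchecked(&next);          /* decoy.fd/bk now hold &decoy */
    *hit = (decoy.fd == &decoy && decoy.bk == &decoy);

    decoy.fd = decoy.bk = NULL;       /* reset and retry with the check */
    return unlink_checked(&next);     /* -1: decoy does not link back */
}

int main(void) {
    int hit = 0;
    int checked = scenario_forged(&hit);
    printf("intact list: checked unlink=%d\n", scenario_intact());
    printf("forged header: checked unlink=%d, unchecked wrote decoy=%d\n",
           checked, hit);
    return 0;
}
```

The check is cheap (two loads and two compares) and is why the bare "overwrite the next chunk's header" recipe from the Phrack articles stops working on allocators that carry it; a crash with a "corrupted double-linked list" message on a modern system is the detection signal that a free-chunk header was tampered with.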
