Re: overwriting .dtors using gcc 3
From: DownBload (downbload@hotmail.com)
Date: Tue Oct 07 2003 - 13:20:09 CDT
In-Reply-To: <20031004015114.4815.qmail@sf-www2-symnsj.securityfocus.com>
Hi,
Yes, there is a problem with exploitation of "data section" buffer overflows in newer gcc's if you want to overwrite the .dtors section.
Here is an example:
level16.c
---cut here---
/*
W4rCr0-21 - LEVEL XVI coded by DownBload
TIP: What about .data??? Simple...
*/
#include <stdio.h>
#include <stdlib.h>

int main (int argc, char **argv)
{
/* initialised static: placed in .data, not on the stack */
static char in[256]="FUCKYOUASSHOLE!!!"; // <- this will be in .data section
system ("/usr/bin/clear");
printf ("#########################\n");
printf ("# W4rCr0-21 - LEVEL XVI #\n");
printf ("#########################\n");
printf ("- What can you do with this???\n\n");
printf ("> This wargame is c00l, isn't it???\n");
gets (in); /* unbounded read: the intended overflow of `in` into what follows .data */
return 0;
}
---cut here---
On older gcc, everything is OK:
# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
# gcc level16.c -o level16
# objdump -h ./level16
.......
13 .rodata 000000e5 080484e0 080484e0 000004e0 2**5
CONTENTS, ALLOC, LOAD, READONLY, DATA
14 .data 00000120 080495e0 080495e0 000005e0 2**5
CONTENTS, ALLOC, LOAD, DATA
15 .eh_frame 00000004 08049700 08049700 00000700 2**2
CONTENTS, ALLOC, LOAD, DATA
16 .ctors 00000008 08049704 08049704 00000704 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .dtors 00000008 0804970c 0804970c 0000070c 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .got 00000028 08049714 08049714 00000714 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .dynamic 000000a0 0804973c 0804973c 0000073c 2**2
.......
So we have the .data, .eh_frame, .ctors and .dtors sections. Our variable (static char in[256]) is in the .data section, and it is easy to overwrite .dtors.
But in newer gcc we have problems...
#gcc -v
Reading specs from /usr/lib/gcc-lib/i386-linux/2.95.4/specs
gcc version 2.95.4 20011002 (Debian prerelease)
# gcc level16.c -o level16
# objdump -h ./level16
.....
13 .rodata 000000e5 080484e0 080484e0 000004e0 2**5
CONTENTS, ALLOC, LOAD, READONLY, DATA
14 .data 00000120 08049640 08049640 00000640 2**5
CONTENTS, ALLOC, LOAD, DATA
15 .eh_frame 00000004 08049760 08049760 00000760 2**2
CONTENTS, ALLOC, LOAD, DATA
16 .dynamic 000000c8 08049764 08049764 00000764 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .ctors 00000008 0804982c 0804982c 0000082c 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .dtors 00000008 08049834 08049834 00000834 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .got 00000028 0804983c 0804983c 0000083c 2**2
.....
Now we see the .dynamic section between the .data and .dtors sections. That section will be overflowed if we want to overflow .dtors, and that is not good.
The .dtors technique will still work for format string bugs, wild pointers, etc.
>From: <mvoropaev@hotmail.com>
>To: vuln-dev@securityfocus.com
>Subject: overwriting .dtors using gcc 3
>
>Could anyone please tell why the standard technique of overwriting the .dtors section (overflow) does not work with gcc 3?
>
Regards,
DownBload / Illegal Instruction Labs
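The check the post does by eye with objdump -h, as an added example that is not part of the original post: a small C tool that reads an ELF file's section headers, finds the ALLOC sections that lie between .data and .dtors, and reports how many bytes a linear overflow from the start of .data must write before it touches .dtors. The function names (elf_alloc_sections, overflow_path, build_sample_elf32) are mine; the built-in sample image is constructed from the addresses in the gcc 2.95.4 listing above, not a real binary. The reported distance is measured from the start of .data, so the real distance from `in` is that number minus the offset of `in` inside .data.

```c
/* dtors_gap.c: what must a linear overflow from .data cross to reach .dtors?
 * Added example, not code from the original post. Parses ELF32/ELF64
 * little-endian images by raw header offset, so it needs only libc. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { char name[32]; uint64_t addr, size; } section_t;

/* Little-endian read of `width` bytes at `off`; 0 if outside the image. */
static uint64_t rd(const unsigned char *img, size_t len, size_t off, int width) {
    uint64_t v = 0;
    if (off + width > len) return 0;
    for (int i = width - 1; i >= 0; i--) v = (v << 8) | img[off + i];
    return v;
}
static void wr(unsigned char *buf, size_t off, uint64_t v, int width) {
    for (int i = 0; i < width; i++) buf[off + i] = (unsigned char)(v >> (8 * i));
}

/* Collect the ALLOC (SHF_ALLOC = 2) sections in section-table order.
 * Returns the count, or -1 if the image is not a usable little-endian ELF. */
int elf_alloc_sections(const unsigned char *img, size_t len, section_t *out, int max) {
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1) return -1;
    int is64 = img[4] == 2, w = is64 ? 8 : 4, n = 0;
    size_t shoff = rd(img, len, is64 ? 0x28 : 0x20, w);        /* e_shoff */
    size_t shentsize = rd(img, len, is64 ? 0x3a : 0x2e, 2);    /* e_shentsize */
    size_t shnum = rd(img, len, is64 ? 0x3c : 0x30, 2);        /* e_shnum */
    size_t shstrndx = rd(img, len, is64 ? 0x3e : 0x32, 2);     /* e_shstrndx */
    if (shstrndx >= shnum) return -1;
    size_t stroff = rd(img, len, shoff + shstrndx * shentsize + (is64 ? 0x18 : 0x10), w);
    for (size_t i = 0; i < shnum && n < max; i++) {
        size_t sh = shoff + i * shentsize;
        if (!(rd(img, len, sh + 8, w) & 2)) continue;          /* sh_flags lacks ALLOC */
        size_t name = stroff + rd(img, len, sh, 4);            /* sh_name -> .shstrtab */
        if (name >= len) return -1;
        snprintf(out[n].name, sizeof out[n].name, "%.*s", (int)(len - name), (const char *)img + name);
        out[n].addr = rd(img, len, sh + (is64 ? 0x10 : 0x0c), w);   /* sh_addr */
        out[n].size = rd(img, len, sh + (is64 ? 0x20 : 0x14), w);   /* sh_size */
        n++;
    }
    return n;
}

/* Bytes from the start of `from` to the start of `to` (a lower bound on how far
 * an overflow of a variable in `from` must run); every ALLOC section strictly
 * between them is copied to `between`. -1 if missing or `to` is not above `from`. */
long long overflow_path(const section_t *s, int n, const char *from, const char *to,
                        section_t *between, int max_between, int *n_between) {
    const section_t *a = NULL, *b = NULL;
    *n_between = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(s[i].name, from) == 0) a = &s[i];
        if (strcmp(s[i].name, to) == 0) b = &s[i];
    }
    if (!a || !b || b->addr <= a->addr) return -1;
    for (int i = 0; i < n; i++)
        if (s[i].addr > a->addr && s[i].addr < b->addr && *n_between < max_between)
            between[(*n_between)++] = s[i];
    return (long long)(b->addr - a->addr);
}

/* Constructed sample: a minimal ELF32 whose ALLOC sections copy the addresses
 * objdump printed for the gcc 2.95.4 build in the post. Not a real binary. */
size_t build_sample_elf32(unsigned char *buf, size_t cap) {
    static const struct { const char *name; uint32_t addr, size; } secs[] = {
        {".data", 0x08049640, 0x120}, {".eh_frame", 0x08049760, 4},
        {".dynamic", 0x08049764, 0xc8}, {".ctors", 0x0804982c, 8},
        {".dtors", 0x08049834, 8}, {".got", 0x0804983c, 0x28},
    };
    enum { NSEC = 6, SHNUM = NSEC + 2 };            /* + NULL header + .shstrtab */
    size_t stroff = 52, pos = stroff + 1;           /* string index 0 is "" */
    uint32_t name_off[NSEC + 1];
    if (cap < 1024) return 0;
    memset(buf, 0, cap);
    for (int i = 0; i <= NSEC; i++) {
        const char *nm = i < NSEC ? secs[i].name : ".shstrtab";
        name_off[i] = (uint32_t)(pos - stroff);
        strcpy((char *)buf + pos, nm);
        pos += strlen(nm) + 1;
    }
    size_t shoff = (pos + 3) & ~(size_t)3;
    memcpy(buf, "\x7f" "ELF", 4); buf[4] = 1; buf[5] = 1;    /* ELFCLASS32, LSB */
    wr(buf, 0x20, shoff, 4); wr(buf, 0x2e, 40, 2); wr(buf, 0x30, SHNUM, 2); wr(buf, 0x32, SHNUM - 1, 2);
    for (int i = 0; i <= NSEC; i++) {                        /* header 0 stays zero */
        size_t sh = shoff + (i + 1) * 40;
        wr(buf, sh, name_off[i], 4);
        if (i < NSEC) {                                      /* PROGBITS, WRITE|ALLOC */
            wr(buf, sh + 4, 1, 4); wr(buf, sh + 8, 3, 4);
            wr(buf, sh + 0x0c, secs[i].addr, 4); wr(buf, sh + 0x14, secs[i].size, 4);
        } else {                                             /* STRTAB, not ALLOC */
            wr(buf, sh + 4, 3, 4); wr(buf, sh + 0x10, stroff, 4); wr(buf, sh + 0x14, pos - stroff, 4);
        }
    }
    return shoff + SHNUM * 40;
}

int main(int argc, char **argv) {
    static unsigned char img[1 << 20];
    section_t secs[64], between[64];
    const char *target = argc > 2 ? argv[2] : ".dtors";  /* e.g. .fini_array on newer toolchains */
    size_t len = 0; int nb;
    if (argc > 1) {                                      /* usage: dtors_gap <elf> [section] */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        len = fread(img, 1, sizeof img, f); fclose(f);
    } else len = build_sample_elf32(img, sizeof img);
    int n = elf_alloc_sections(img, len, secs, 64);
    if (n < 0) { fputs("not a little-endian ELF image\n", stderr); return 1; }
    long long dist = overflow_path(secs, n, ".data", target, between, 64, &nb);
    if (dist < 0) { printf("no .data -> %s path (section missing or below .data)\n", target); return 1; }
    printf("%s starts %lld bytes after .data; sections crossed on the way:\n", target, dist);
    for (int i = 0; i < nb; i++)
        printf("  %-12s %#10llx  %llu bytes\n", between[i].name,
               (unsigned long long)between[i].addr, (unsigned long long)between[i].size);
    return 0;
}
```

Run without arguments it analyses the constructed sample and lists .eh_frame, .dynamic and .ctors as the sections an overflow must cross (500 bytes from the start of .data to .dtors); run as `dtors_gap ./level16` it does the same for a real binary. Anything in that list that the dynamic loader or libc still reads after the overflow (here .dynamic) is what turns a clean .dtors overwrite into a crash; on toolchains that have replaced .dtors with .fini_array, pass that name as the second argument.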