Re: heap overflows
From: sigsegv@ureach.com
Date: Thu Feb 26 2004 - 23:37:28 CST
In-Reply-To: <20040227015333.879B633C18@sig11.zemos.net>
>Date: Thu, 26 Feb 2004 17:53:33 -0000
>From: "Vlad902" <vlad@sig11.zemos.net>
>To: vuln-dev@securityfocus.com
>Cc: sigsegv@ureach.com
>Reply-To: "Vlad902" <vlad@sig11.zemos.net>
>Subject: Re: heap overflows
>Message-Id: <20040227015333.879B633C18@sig11.zemos.net>
>
>> printf("copied");
>> free(malloced_buffer1);
>> free(malloced_buffer2);
>
>This part of the code is incorrect, you're depending
>on the first chunk to hold your shellcode, and you
>are freeing it before you overwrite the GOT with the
>free(malloced_buffer2);. Also you don't have a printf();
>statement after the free(malloced_buffer2); so it
>never returns to the shellcode (if it was there)! I
>recommend you remove the free(malloced_buffer1); and
>instead of messing with the GOT just
>overwrite __DTOR_END__ and be lazy :)
>
>
>You may also just for debugging purposes add a
>"\xcc\xcc" instead of "\xeb\x0c", which will make
>it a trace/breakpoint trap, so that if it ever
>hits it, your program will stop with a
>trace/breakpoint trap and will core dump, so you
>know it is hitting the shellcode.
>
>
Oops... I think I mistyped something in this email. Here is how I actually had it:
...
strcpy(malloced_buffer1,argv[1]);
free(malloced_buffer1);
printf("something inconsequential");
free(malloced_buffer2);
/* end of main */
As you rightly said, I placed the printf between the two frees so that the first free would allow me to overwrite the GOT entry of the following printf.
Things did work still... Does gcc3 or the version of glibc I'm using have any heap protections in place?
Thanks for your reply. --sigsegv
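The write primitive the whole thread is about, and the "jmp +0x0c" trick Vlad902 mentions, are easier to see on a small model than on a real allocator. The following is an added example, not code from either poster: it models the old dlmalloc chunk layout (prev_size, size, then fd/bk overlapping the first two words of a freed chunk's user data), runs the pre-2004 unlink() macro against a fake chunk whose fd/bk an overflow would have supplied, and then runs the same fake chunk against the "fd->bk == p && bk->fd == p" integrity check that later glibc versions added (the check post-dates this thread, which is consistent with sigsegv not seeing one). Names such as `struct chunk`, `fake_got_entry`, `payload`, `unlink_unchecked`, `unlink_checked` and `build_fake_chunk` are this example's own inventions; `fake_got_entry` is a writable global standing in for a GOT slot or __DTOR_END__, and `payload` is a constructed filler buffer, not real shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the dlmalloc chunk header before safe unlinking existed
 * (assumption: pointer-sized fields, as on the real allocator).
 * prev_size/size are the header; fd/bk live in the first two words
 * of a free chunk's user data, which is exactly where an overflow
 * from the preceding buffer lands. */
struct chunk {
    size_t        prev_size;
    size_t        size;
    struct chunk *fd;
    struct chunk *bk;
};

/* Stand-in for the GOT slot / __DTOR_END__ being targeted: a writable
 * pointer-sized global, not the real GOT (hypothetical target). */
static struct chunk *fake_got_entry = NULL;

/* Stand-in for the heap buffer holding the shellcode.  The union lets
 * the same bytes be seen as a chunk (the allocator's view) and as raw
 * bytes (ours).  Only the leading "\xeb\x0c" is meaningful; the rest
 * is constructed NOP filler. */
static union {
    unsigned char bytes[sizeof(struct chunk) + 16];
    struct chunk  as_chunk;
} payload;

/* unlink() as it was before the check: pure pointer surgery, so
 * attacker-chosen fd/bk yield one arbitrary pointer-sized write plus
 * one side-effect write. */
static void unlink_unchecked(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    fd->bk = bk;   /* write #1: *(fd + offsetof(bk)) = bk  -> hits the target */
    bk->fd = fd;   /* write #2: *(bk + offsetof(fd)) = fd  -> clobbers the payload */
}

/* unlink() with the integrity check later glibc added ("corrupted
 * double-linked list"): both neighbours must still point back at p.
 * Returns 0 on success, -1 when the list is corrupt. */
static int unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Build the fake chunk an overflow would have produced: fd points at
 * (target - offsetof(bk)) so write #1 lands on the target, and bk is
 * the address of the shellcode buffer. */
static void build_fake_chunk(struct chunk *fake, void *target, void *shellcode)
{
    memset(fake, 0, sizeof *fake);
    fake->size = 0x10;
    fake->fd = (struct chunk *)((uintptr_t)target - offsetof(struct chunk, bk));
    fake->bk = (struct chunk *)shellcode;
}

/* Returns 1 if the unchecked unlink redirected the target to the
 * payload, write #2 landed inside the payload at offsetof(fd) (the
 * bytes the short jump exists to skip), and the jmp itself survived. */
int demo_unchecked_unlink(void)
{
    struct chunk fake;
    memset(&payload, 0x90, sizeof payload);   /* constructed NOP filler */
    payload.bytes[0] = 0xeb;                   /* jmp +0x0c: 12 bytes covers the */
    payload.bytes[1] = 0x0c;                   /* clobbered word on 32-bit dlmalloc */
    fake_got_entry = NULL;

    build_fake_chunk(&fake, &fake_got_entry, &payload);
    unlink_unchecked(&fake);

    int jmp_intact   = payload.bytes[0] == 0xeb && payload.bytes[1] == 0x0c;
    int fd_clobbered = payload.as_chunk.fd == fake.fd;
    return fake_got_entry == (struct chunk *)&payload && jmp_intact && fd_clobbered;
}

/* Same fake chunk against the checked unlink: the write is refused
 * and the target is untouched. */
int demo_checked_unlink(void)
{
    struct chunk fake;
    memset(&payload, 0x90, sizeof payload);
    fake_got_entry = NULL;
    build_fake_chunk(&fake, &fake_got_entry, &payload);
    int rc = unlink_checked(&fake);
    return rc == -1 && fake_got_entry == NULL;
}

int main(void)
{
    printf("unchecked unlink redirected the fake GOT slot: %s\n",
           demo_unchecked_unlink() ? "yes" : "no");
    printf("checked unlink refused the fake chunk: %s\n",
           demo_checked_unlink() ? "yes" : "no");
    return 0;
}
```

The second write is why the shellcode in the quoted mail starts with a short jump: `bk->fd = fd` stores a pointer a few bytes into the buffer the GOT slot now points at, so the first instruction must hop over that word before any real code runs. Swapping "\xeb\x0c" for "\xcc\xcc" as Vlad902 suggests turns that first instruction into int3, so a successful redirect shows up as a breakpoint trap instead of a silent crash elsewhere.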