Hosting Provided By

Re: Administrivia: List Announcement

From: Nexus <nexus(at)patrol.i-way.co.uk>
Date: Tue May 13 2003 - 17:24:14 EDT

Original Message ----- From: "xenophi1e" <oliver.lavery@sympatico.ca>

[snip]

> Off-by-one. Third arg should be SIZE-1 to leave room for the terminating
> NULL. This error should lead to a heap based vulnerability when the
> memory is free()d.

To take it one stage further, assuming the sample program is called buggy.c: (Using linux as debugging on win32 is not email friendly ;-)

[nexus@wulfgar insecure]$ gcc buggy.c -g -o buggy [nexus@wulfgar insecure]$ ./buggy `perl -e 'print "A"x253;print " ";print "BBBBCCCC";'`
Segmentation fault (core dumped)

One byte over the buffer size of 252 for the first arg, so we get an exception - looking at what happened:

[nexus@wulfgar insecure]$ gdb buggy core.966 GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"... Core was generated by `./buggy

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.

Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/i686/libc.so.6...done. Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done. Loaded symbols for /lib/ld-linux.so.2
#0 0x42074033 in _int_free () from /lib/i686/libc.so.6

There's the exception in free() as mentioned by xenophi1e, do we have any registers at all ?

Do you need help?

(gdb) info reg

eax            0x43434343       1128481603
ecx            0x42424242       1111638594
edx            0x140    320
ebx            0x4212a2d0       1108517584
esp            0xbffff980       0xbffff980
ebp            0xbffff9a8       0xbffff9a8
esi            0x80495f0        134518256
edi            0x100    256
eip            0x42074033       0x42074033

[...]

Yup - the second arg is overwriting eax and ecx on this x86 RH8 system, thus we can write arbitrary data into 2 registers. What can we do next ?

Cheers. Received on Tue May 13 18:32:04 2003

This message: [ Message body ]
Next message: Wynn Fenwick: "Re: Administrivia: List Announcement"
Previous message: Thiago Canozzo Lahr: "Re: Administrivia: List Announcement"
In reply to: xenophi1e: "Re: Administrivia: List Announcement"
Next in thread: David Riley: "Re: Administrivia: List Announcement"
Reply: Thiago Canozzo Lahr: "Re: Administrivia: List Announcement"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT