/* abo2.c *
* specially crafted to feed your brain by gera@core-sdi.com */
/* This is a tricky example to make you think *
* and give you some help on the next one */
/* Deliberately vulnerable exercise target (the object of study on this page;
 * do not "fix" it). The parameter names are swapped relative to convention:
 * argv is the argument count and argc the argument vector. No headers are
 * included, so strcpy() and exit() are implicitly declared; a modern compiler
 * needs <string.h> and <stdlib.h> added to build this at all. */
int main(int argv,char **argc) {
char buf[256];
/* The overflow: argc[1] is copied into a fixed 256-byte stack buffer with no
 * length check, so a longer argument overwrites whatever lies above buf on the
 * stack (saved registers, saved return address, ...). There is also no
 * argument-count check: run with no argument, argc[1] is NULL and strcpy()
 * dereferences it. */
strcpy(buf,argc[1]);
/* exit() terminates the process and never returns, so main's epilogue and its
 * `ret` never execute; an overwritten saved return address is never consumed. */
exit(1);
}
I don't know how to exploit this one.
Overwriting main's saved return address gets us nowhere: main ends by calling exit(), which terminates the process and never returns to main, so main's epilogue — and the `ret` that would load the overwritten return address — never runs.
The following, from the exit(3) manual page, gave me some hope:
1. Call the functions registered with the atexit(3) function, in
the reverse order of their registration.
and I learned a lot about how this is implemented by reading
Pascal Bouchareine's "__atexit in memory bugs"
but in abo2 we can never get near the __exit_funcs structure to overwrite it: strcpy() writes contiguously upward from buf on the stack (near 0xbffff310 in the run below), while __exit_funcs lives in the static data segment (near 0x080b7a60), roughly 3 GB lower in the address space, so the overflow cannot reach it. (These addresses come from a non-randomised 32-bit layout; with ASLR/PIE they would change on every run, which only makes things harder.)
$ cat locs.c
#include <stdio.h>
#include <stdlib.h>
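/* glibc-internal pointer to the atexit handler list, declared by hand so its
 * value can be printed. NOTE(review): this is not part of the public libc
 * interface — it resolves here only because the build below links -static;
 * confirm against the target libc. */
extern void * __exit_funcs;

/*
 * Print where four kinds of storage live, so their addresses can be compared
 * with the stack buffer a strcpy() overflow writes through:
 *   - the glibc atexit handler list that __exit_funcs points to,
 *   - a heap block,
 *   - a static buffer,
 *   - a stack buffer.
 * Returns 0 on success, 1 if the heap allocation fails.
 *
 * NOTE(review): the printed addresses are only stable on a non-randomised
 * layout (no ASLR, non-PIE binary); with randomisation they change per run.
 */
int main(void)
{
    static char scbuf[128];
    char *mabuf;
    char sbuf[128];

    mabuf = malloc(128);
    if (mabuf == NULL) {
        perror("malloc");
        return 1;
    }

    /* __exit_funcs is itself a pointer: its value is the address of what it
     * points to (presumably the handler list an attacker would need to
     * overwrite); the pointer variable itself lives at &__exit_funcs. */
    printf("__exit_funcs at %p\n", __exit_funcs);
    /* %p requires a void *; cast the char pointers so the calls are well-defined. */
    printf("malloced at %p\n", (void *) mabuf);
    printf("static at %p\n", (void *) scbuf);
    printf("stack at %p\n", (void *) sbuf);

    free(mabuf);
    return 0;
}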
$ gcc locs.c -o locs -static
$ ./locs
__exit_funcs at 0x80b7a60
malloced at 0x80b92e8
static at 0x80b7460
stack at 0xbffff310
The other idea I got from Gray Hat Hacking and also Juan M. Bello Rivas's "Overwriting the .dtors section" was to poke at .dtors, but ran into the same issue as above: .dtors sits at 0x08049530 in the binary's writable data segment, far below the stack buffer, and a forward strcpy() overflow from buf cannot write there:
$ objdump -h abo2
...
16 .dtors 00000008 08049530 08049530 00000530 2**2
CONTENTS, ALLOC, LOAD, DATA
$ objdump -s -j .dtors abo2
abo2: file format elf32-i386
Contents of section .dtors:
8049530 ffffffff 00000000
* specially crafted to feed your brain by gera@core-sdi.com */
/* This is a tricky example to make you think *
* and give you some help on the next one */
/* Deliberately vulnerable exercise target (the object of study on this page;
 * do not "fix" it). The parameter names are swapped relative to convention:
 * argv is the argument count and argc the argument vector. No headers are
 * included, so strcpy() and exit() are implicitly declared; a modern compiler
 * needs <string.h> and <stdlib.h> added to build this at all. */
int main(int argv,char **argc) {
char buf[256];
/* The overflow: argc[1] is copied into a fixed 256-byte stack buffer with no
 * length check, so a longer argument overwrites whatever lies above buf on the
 * stack (saved registers, saved return address, ...). There is also no
 * argument-count check: run with no argument, argc[1] is NULL and strcpy()
 * dereferences it. */
strcpy(buf,argc[1]);
/* exit() terminates the process and never returns, so main's epilogue and its
 * `ret` never execute; an overwritten saved return address is never consumed. */
exit(1);
}
I don't know how to exploit this one.
Overwriting main's saved return address gets us nowhere: main ends by calling exit(), which terminates the process and never returns to main, so main's epilogue — and the `ret` that would load the overwritten return address — never runs.
The following, from the exit(3) manual page, gave me some hope:
1. Call the functions registered with the atexit(3) function, in
the reverse order of their registration.
and I learned a lot about how this is implemented by reading
Pascal Bouchareine's "__atexit in memory bugs"
but in abo2 we can never get near the __exit_funcs structure to overwrite it: strcpy() writes contiguously upward from buf on the stack (near 0xbffff310 in the run below), while __exit_funcs lives in the static data segment (near 0x080b7a60), roughly 3 GB lower in the address space, so the overflow cannot reach it. (These addresses come from a non-randomised 32-bit layout; with ASLR/PIE they would change on every run, which only makes things harder.)
$ cat locs.c
#include <stdio.h>
#include <stdlib.h>
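/* glibc-internal pointer to the atexit handler list, declared by hand so its
 * value can be printed. NOTE(review): this is not part of the public libc
 * interface — it resolves here only because the build below links -static;
 * confirm against the target libc. */
extern void * __exit_funcs;

/*
 * Print where four kinds of storage live, so their addresses can be compared
 * with the stack buffer a strcpy() overflow writes through:
 *   - the glibc atexit handler list that __exit_funcs points to,
 *   - a heap block,
 *   - a static buffer,
 *   - a stack buffer.
 * Returns 0 on success, 1 if the heap allocation fails.
 *
 * NOTE(review): the printed addresses are only stable on a non-randomised
 * layout (no ASLR, non-PIE binary); with randomisation they change per run.
 */
int main(void)
{
    static char scbuf[128];
    char *mabuf;
    char sbuf[128];

    mabuf = malloc(128);
    if (mabuf == NULL) {
        perror("malloc");
        return 1;
    }

    /* __exit_funcs is itself a pointer: its value is the address of what it
     * points to (presumably the handler list an attacker would need to
     * overwrite); the pointer variable itself lives at &__exit_funcs. */
    printf("__exit_funcs at %p\n", __exit_funcs);
    /* %p requires a void *; cast the char pointers so the calls are well-defined. */
    printf("malloced at %p\n", (void *) mabuf);
    printf("static at %p\n", (void *) scbuf);
    printf("stack at %p\n", (void *) sbuf);

    free(mabuf);
    return 0;
}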
$ gcc locs.c -o locs -static
$ ./locs
__exit_funcs at 0x80b7a60
malloced at 0x80b92e8
static at 0x80b7460
stack at 0xbffff310
The other idea I got from Gray Hat Hacking and also Juan M. Bello Rivas's "Overwriting the .dtors section" was to poke at .dtors, but ran into the same issue as above: .dtors sits at 0x08049530 in the binary's writable data segment, far below the stack buffer, and a forward strcpy() overflow from buf cannot write there:
$ objdump -h abo2
...
16 .dtors 00000008 08049530 08049530 00000530 2**2
CONTENTS, ALLOC, LOAD, DATA
$ objdump -s -j .dtors abo2
abo2: file format elf32-i386
Contents of section .dtors:
8049530 ffffffff 00000000