开发者

heap overflow - segmentation fault problem

开发者 https://www.devze.com 2023-02-12 05:56 出处:网络
Hi I have the following program: int main(int argc, char **argv) { char *buf1 = (char*)malloc(1024); char *buf2 = (char*)malloc(1024);
相关专题:debugging

Hi I have the following program:

int main(int argc, char **argv) {
  char *buf1 = (char*)malloc(1024);
  char *buf2 = (char*)malloc(1024);

  printf("buf1 = %p ; buf2 = %p\n", buf1, buf2);
  strcpy(buf1, argv[1]);
  free(buf2);

}

the input is:

0000000: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000010: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000020: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000030: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000040: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000050: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000060: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000070: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000080: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000090: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00000a0: 4141414开发者_开发百科1 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00000b0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00000c0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00000d0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00000e0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00000f0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000100: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000110: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000120: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000130: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000140: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000150: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000160: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000170: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000180: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000190: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00001a0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00001b0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00001c0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00001d0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00001e0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00001f0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000200: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000210: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000220: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000230: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000240: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000250: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000260: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000270: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000280: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000290: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00002a0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00002b0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00002c0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00002d0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00002e0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00002f0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000300: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000310: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000320: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000330: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000340: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000350: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000360: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000370: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000380: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0000390: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00003a0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00003b0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00003c0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00003d0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00003e0: 41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00003f0: 41414141 ffffffff 42424242 42424242  AAAA....BBBBBBBB
0000400: f8ffffff f0ffffff ffffffff ffffffff  ................
0000410: fc9f0408 aab00408

the: - 0x804b0aa: the address of the shellcode (which isn't there yet, but if it is there it doesn't work either) - 0x8049ffc: the free - 0xc address (free function is at: 0804a008) - 0x804b008: pointer to data of the first buffer - 0x804b410: pointer to data of the second buffer

Whenever I run the program I get:

buf1 = 0x804b008 ; buf2 = 0x804b410
*** glibc detected *** ./vuln: free(): invalid pointer: 0x0804b410 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6c501)[0x19b501]
/lib/libc.so.6(cfree+0xd6)[0x19fec6]
./vuln[0x80484b4]
/lib/libc.so.6(__libc_start_main+0xe7)[0x145ce7]
./vuln[0x80483c1]
======= Memory map: ========
00110000-0012c000 r-xp 00000000 08:01 268227     /lib/ld-2.12.1.so
0012c000-0012d000 r--p 0001b000 08:01 268227     /lib/ld-2.12.1.so
0012d000-0012e000 rw-p 0001c000 08:01 268227     /lib/ld-2.12.1.so
0012e000-0012f000 r-xp 00000000 00:00 0          [vdso]
0012f000-00286000 r-xp 00000000 08:01 268245     /lib/libc-2.12.1.so
00286000-00288000 r--p 00157000 08:01 268245     /lib/libc-2.12.1.so
00288000-00289000 rw-p 00159000 08:01 268245     /lib/libc-2.12.1.so
00289000-0028c000 rw-p 00000000 00:00 0
0028c000-002a6000 r-xp 00000000 08:01 261718     /lib/libgcc_s.so.1
002a6000-002a7000 r--p 00019000 08:01 261718     /lib/libgcc_s.so.1
002a7000-002a8000 rw-p 0001a000 08:01 261718     /lib/libgcc_s.so.1
08048000-08049000 r-xp 00000000 08:01 149954     /home/eleanor/testing/heap/vuln
08049000-0804a000 r--p 00000000 08:01 149954     /home/eleanor/testing/heap/vuln
0804a000-0804b000 rw-p 00001000 08:01 149954     /home/eleanor/testing/heap/vuln
0804b000-0806c000 rw-p 00000000 00:00 0          [heap]
b7fec000-b7fed000 rw-p 00000000 00:00 0
b7ffd000-b8000000 rw-p 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
Aborted (core dumped)

which worries me, because the values on the heap are correct. Is it possible that linux malloc/free have changes so this isn't possible anymore. If yes, how can I make it possible for learning purposes? If no, what seem to be the problem then, so it doesn't work?

Whenever you're trying to learn about overflow exploitations remember to disable ASLR and Canaries:

root@mfsec # echo 0 > /proc/sys/kernel/randomize_va_space

root@mfsec # gcc vuln.c -o vuln -fno-stack-protector

That should do the trick, remember to enable ASLR again if you're not going to reboot anytime soon ;)

0

上一篇:

:下一篇

更多 问答 相关资讯:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

关注公众号

热门标签

图文推荐

Delphi - Custom drawing a message list

Delphi - Custom drawing a message list
C++ header-only include pattern

C++ header-only include pattern
IE7 Margin Collapses Into Padding

IE7 Margin Collapses Into Padding
in CoffeeScript, how can I use a variable as a key in a hash?

in CoffeeScript, how can I use a variable as a key in a hash?
Interactive visualization of a graph in python [closed]

Interactive visualization of a graph in python [closed]
How to customise PHP MYSQL tables?

How to customise PHP MYSQL tables?
High quality, simple random password generator

High quality, simple random password generator
Image Recognition ApI in android

Image Recognition ApI in android

开发者开发者网给大家分享系统运维,大数据运维,云计算,编程开发技巧,路由交换,运维和开发相关的资讯及技术文章,同时StackOverflow中文社区,知识经验交流分享。

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,如存在版权或非法内容,欢迎举报,我们将尽快予以删除。邮箱:devze@qq.com

Copyright © 2018-2020 开发者. All rights reserved. Powered by 开发者ICP备案号: 京ICP备10032868号-9