Vulnerability Development mailing list archives
RE: Administrivia: List Announcement
From: "Cameron Brown" <cameron () greyzone com>
Date: Tue, 13 May 2003 16:13:50 -0700
I think you will need to more artfully choose your particular byte 253 to match your libc. I think the mail from nexus () patrol i-way co uk is heading the right direction. -----Original Message----- From: Shafik Yaghmour [mailto:subs () shafik net] Sent: Tuesday, May 13, 2003 3:44 PM To: Cameron Brown Cc: vuln-dev () securityfocus com Subject: RE: Administrivia: List Announcement On Tue, 13 May 2003, Cameron Brown wrote:
If I supply an argv[1] of > 252 bytes, then byte 253 may (depending on
many factors) overwrite the first byte of buf2. This is going to be (I think) part of the size of the malloc'd buf2. What interesting things can happen when you then free() an incorrectly-sized buf2 (or
otherwise
operate on buf2 if this were a real program) is something I am anxious to learn from others on this list!
Hmmm, for me it seg faults on free(buf1). I am running on Linux BTW, here is some output from gdb: [shafik@localhost VULNDEV]$ ./a.out `perl -e 'print "A"x2000'` `perl -e 'print "B"x2000'` Segmentation fault (core dumped) [shafik@localhost VULNDEV]$ gdb ./a.out ./core GNU gdb Red Hat Linux (5.2-2) Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"... Core was generated by `./a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' . Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld-linux.so.2...done. Loaded symbols for /lib/ld-linux.so.2 #0 0x400aa1e6 in chunk_free (ar_ptr=0x4015bc80, p=0x8049770) at malloc.c:3242 3242 malloc.c: No such file or directory. in malloc.c (gdb) up #1 0x400a9fc0 in __libc_free (mem=0x8049778) at malloc.c:3154 3154 in malloc.c (gdb) up #2 0x080485b3 in main (argc=3, argv=0xbfffe9d4) at vulndev-1.c:26 26 free(buf1); (gdb) -- Those who dream by day are cognizant of many things which escape those who dream only by night. -Edgar Allan Poe
Current thread:
- Re: Administrivia: List Announcement, (continued)
- Re: Administrivia: List Announcement Valdis . Kletnieks (May 15)
- partial analysis of vulndev-1.c David R. Piegdon (May 13)
- Re: partial analysis of vulndev-1.c Dana Epp (May 13)
- Re: partial analysis of vulndev-1.c master of chaos - lord of mean (May 13)
- RE: partial analysis of vulndev-1.c David Schwartz (May 13)
- Re: partial analysis of vulndev-1.c Nexus (May 14)
- Re: partial analysis of vulndev-1.c andrewg (May 13)
- Re: Administrivia: List Announcement Mr. Rufus Faloofus (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement andrewg (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)
- Re: vulndev1.c solution (warning SPOILER) Jose Ronnick (May 13)
- RE: vulndev1.c solution (warning SPOILER) Cameron Brown (May 14)
- Re: vulndev1.c solution (warning SPOILER) Jon Erickson (May 14)
- RE: vulndev1.c solution (warning SPOILER) Cameron Brown (May 15)
- Re: vulndev1.c solution (warning SPOILER) Kenji Cronos (May 15)
- Re: vulndev-1 exploit. Joel Eriksson (May 14)
- Re: Administrivia: List Announcement Shafik Yaghmour (May 13)