Re: Fw: wu-ftpd glob vulnerability

From: Roland Postle (mailat_private)
Date: Tue Oct 29 2002 - 15:37:45 PST

    On Tue, 29 Oct 2002 13:26:47 +0100, Federico Romeo wrote:
    
    >> How is it possible to execute malicious code on the server if I can't pass a
    >> particular address to __libc_free()?
    >> It seems that the address passed to __libc_free() is always fixed by the
    >> system and it's impossible to change it by sending commands to the server.
    >>
    >> Can you please explain to me where the mistakes in my method are?
    >>
    
    It's the block after the one that's being freed that gets overwritten.
    Something like this:
    
    Before Overflow:
    (@0x8086d8c)________________________XXXXXXXX_________etc...
    After Overflow:
    (@0x8086d8c)XXXXAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_______etc....
    
    XXXXs are the heap control data, flags and pointers and such. I think
    the first XXXX (0x4015ad68 in your case) has been written by free()
    before it faults, but don't quote me on that.
    
    The typical technique is to overwrite the next block so it looks like
    it's free space (whether it is or not doesn't usually matter). Free()
    will then try to combine that space with your newly freed space to
    make one big free space. In doing that it moves some pointers around
    and you end up being able to overwrite one address of your choosing
    with data of your choosing.
    
    Read some articles cos they'll explain it better than I ever could:
    
    http://www.phrack.com/show.php?p=57&a=8
    http://www.phrack.com/show.php?p=57&a=9
    
    This one isn't working right now, but it's available elsewhere and a
    pretty good read, I seem to remember:
    http://www.w00w00.org/files/articles/heaptut.txt
    
    - Blazde
    
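The pointer moves the reply describes, modelled in C as an added example (not code from the post, from wu-ftpd or from any libc): a dlmalloc-style free chunk with fd/bk links, the unchecked unlink that performs the two writes when free() coalesces neighbours, and the consistency check that later allocators added so that a neighbour whose control data has been overwritten is refused rather than spliced. The chunk layout and the three-chunk list are constructed for the demo.

```c
#include <stddef.h>

/* Minimal model of a dlmalloc-style free chunk: control words precede the
 * user data, and a free chunk keeps fd/bk links to its free-list neighbours.
 * Illustrative layout only, not the real libc structure. */
typedef struct chunk {
    size_t prev_size;   /* size of the preceding chunk (valid if it is free) */
    size_t size;        /* this chunk's size; low bit = previous chunk in use */
    struct chunk *fd;   /* next chunk in the free list */
    struct chunk *bk;   /* previous chunk in the free list */
} chunk;

/* Classic unlink: splice P out of its list by writing through its neighbours.
 * These two stores are the "pointers moved around" in the post: if an overflow
 * forged P's fd/bk, the stores land wherever the forged values point. */
static void unlink_unchecked(chunk *p) {
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
}

/* Hardened unlink, the check glibc reports as "corrupted double-linked list":
 * proceed only if both neighbours still point back at P. Returns 0 on success,
 * -1 if the links are inconsistent; nothing is written in the failure case. */
static int unlink_checked(chunk *p) {
    if (p->fd->bk != p || p->bk->fd != p)
        return -1;
    unlink_unchecked(p);
    return 0;
}

/* Constructed free list a <-> b <-> c; unlinking b must leave a <-> c.
 * Returns 1 when the unlink succeeded and the list is still consistent. */
int demo_consistent_list(void) {
    chunk a = {0}, b = {0}, c = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;
    if (unlink_checked(&b) != 0) return 0;
    return (a.fd == &c && c.bk == &a) ? 1 : 0;
}

/* Same list, but the control data of the chunk after b has been overwritten
 * (as by the overflow in the post): its bk no longer points back at b.
 * Returns 1 when the check refuses the unlink and a and c are left untouched. */
int demo_overwritten_neighbour(void) {
    chunk a = {0}, b = {0}, c = {0};
    chunk forged;   /* stands in for whatever the overwritten pointer refers to */
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &forged;
    int rc = unlink_checked(&b);
    return (rc == -1 && a.fd == &b && c.bk == &forged) ? 1 : 0;
}
```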



    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 18:11:17 PST