RE: Administrivia: List Announcement

From: Cameron Brown (cameron_at_greyzone.com)
Date: 05/14/03

    To: "'Shafik Yaghmour'" <subs@shafik.net>
    Date: Tue, 13 May 2003 16:13:50 -0700

    I think you will need to more artfully choose your particular byte 253
    to match your libc. I think the mail from nexus@patrol.i-way.co.uk is
    heading the right direction.

    -----Original Message-----
    From: Shafik Yaghmour [mailto:subs@shafik.net]
    Sent: Tuesday, May 13, 2003 3:44 PM
    To: Cameron Brown
    Cc: vuln-dev@securityfocus.com
    Subject: RE: Administrivia: List Announcement

    On Tue, 13 May 2003, Cameron Brown wrote:

    > If I supply an argv[1] of > 252 bytes, then byte 253 may (depending on
    > many factors) overwrite the first byte of buf2. This is going to be (I
    > think) part of the size of the malloc'd buf2. What interesting things
    > can happen when you then free() an incorrectly-sized buf2 (or otherwise
    > operate on buf2 if this were a real program) is something I am anxious
    > to learn from others on this list!

    Hmmm, for me it segfaults on free(buf1). I am running on Linux BTW;
    here is some output from gdb:

    [shafik@localhost VULNDEV]$ ./a.out `perl -e 'print "A"x2000'` `perl -e 'print "B"x2000'`
    Segmentation fault (core dumped)
    [shafik@localhost VULNDEV]$ gdb ./a.out ./core
    GNU gdb Red Hat Linux (5.2-2)
    Copyright 2002 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...
    Core was generated by `./a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/libc.so.6...done.
    Loaded symbols for /lib/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    #0  0x400aa1e6 in chunk_free (ar_ptr=0x4015bc80, p=0x8049770) at malloc.c:3242
    3242    malloc.c: No such file or directory.
            in malloc.c
    (gdb) up
    #1  0x400a9fc0 in __libc_free (mem=0x8049778) at malloc.c:3154
    3154    in malloc.c
    (gdb) up
    #2  0x080485b3 in main (argc=3, argv=0xbfffe9d4) at vulndev-1.c:26
    26          free(buf1);
    (gdb)

    -- 
    Those who dream by day are cognizant of many things which escape those
    who dream only by night. -Edgar Allan Poe
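The copy pattern the thread is discussing, beside a bounded replacement, as an added example that is not part of this thread or of vulndev-1.c (whose source is not on this page); BUF_SIZE, the function names and the input lengths are constructed assumptions:

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed size; the real vulndev-1.c allocation size is not on the page. */
#define BUF_SIZE 248

/* Vulnerable pattern from the thread: argv[1] is copied into a malloc'd
 * buffer with no length check, so bytes beyond BUF_SIZE land in whatever the
 * allocator placed next (typically the following chunk's header), and the
 * damage only surfaces later, inside free(). Shown for contrast, not called. */
static void copy_arg_unbounded(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened pattern: bound the scan and refuse input that does not fit,
 * terminating NUL included. Returns 0 on success, -1 if src is too long;
 * dst is left untouched on failure. */
int copy_arg_bounded(char *dst, size_t dstsize, const char *src) {
    size_t n = strnlen(src, dstsize);   /* never reads past dstsize bytes of src */
    if (n == dstsize)                   /* no NUL within dstsize: would overflow */
        return -1;
    memcpy(dst, src, n + 1);            /* n bytes plus NUL, all inside dst */
    return 0;
}

/* Bytes (NUL included) that an unbounded copy of src would write past the end
 * of a dstsize-byte buffer; 0 when it fits. */
size_t overflow_bytes(size_t dstsize, const char *src) {
    size_t need = strlen(src) + 1;
    return need > dstsize ? need - dstsize : 0;
}

int main(int argc, char **argv) {
    char *buf1 = malloc(BUF_SIZE);
    char *buf2 = malloc(BUF_SIZE);          /* neighbour, as in the thread */
    const char *arg = argc > 1 ? argv[1] : "short constructed input";
    if (!buf1 || !buf2) return 1;
    if (copy_arg_bounded(buf1, BUF_SIZE, arg) != 0)
        printf("rejected: input would spill %zu byte(s) past buf1\n",
               overflow_bytes(BUF_SIZE, arg));
    else
        printf("copied %zu bytes safely\n", strlen(buf1));
    (void)copy_arg_unbounded;
    free(buf2);
    free(buf1);
    return 0;
}
```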
    
