Monday, August 23, 2010

Chapter 2, "Using an Exploit", pp 31-38

There are a couple of code examples in chapter 2 that just wouldn't work for me out of the box. Specifically, I'm referring to attack.c and ret2lib.c. Interestingly enough, the related example that falls in between, nopattack.c, seems to work without modification. My C is hackish at best, so it wasn't immediately obvious to me what the problem was. Comparing the malfunctioning examples with nopattack.c, however, it became apparent that the memory allocation line was missing. The following are the missing lines of code:

/* Allocate bsize bytes on the heap for the buffer; bail out if malloc() fails
   (requires stdlib.h for malloc()/exit() and stdio.h for printf()). */
if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
}
This should go right after your definition of bsize (line 26 in both examples should be fine). Without these lines, the app segfaults... which makes sense, in hindsight. We're trying to use heap space that we haven't allocated! Unfortunately, as todb mentioned in a previous post, the technique in attack.c doesn't seem to work, anyway. A future endeavor, perhaps.

Additionally, with reference to ret2libc attacks, there's an excellent paper by Nergal in phrack 58, titled "The advanced return-into-lib(c) exploits: PaX case study". It can be found over here. It goes into detail about techniques to chain multiple ret2libc calls together, in addition to an in-depth discussion about PaX.