sh-2.05b# whoami
root
sh-2.05b# id -u
0
sh-2.05b# exit
exit
$
Success! Relax, you earned it.
There are many other useful locations to overwrite, for example:
• Global offset table
• Global function pointers
• atexit handlers
• Stack values
• Program-specific authentication variables
and many more; see "References" for more ideas.
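The last entry in that list is the simplest to picture, so here is an added example (written for this page, not code from the book) that drives a program-specific authentication flag to 1 with the %n write primitive and then round-trips an arbitrary 32-bit value the same way. The names (fmt_write_byte, fmt_write_u32, demo_set_auth_flag, authenticated) are invented here. Two simplifications are deliberate: the destination pointer is handed to snprintf explicitly instead of being located among the stack "arguments", so the example isolates the write rather than the offset hunting, and the pad width is passed through a `*` width argument so the format literal stays in read-only memory, which keeps glibc's fortified printf from aborting on a %n in a writable string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical program-specific authentication flag (name invented here). */
static int authenticated = 0;

/*
 * Write one byte to *dest with the %n primitive. %hhn stores the number of
 * characters printed so far, truncated to one byte, so padding the output
 * to `value` characters stores `value`. A zero byte needs a width of 256,
 * because a zero width would still print one character for the 0 argument.
 * A real exploit string embeds the width ("%65x%hhn"); here it travels
 * through the '*' width argument so the literal stays in read-only memory.
 */
static void fmt_write_byte(unsigned char value, unsigned char *dest)
{
    char out[300];                       /* room for up to 256 pad characters */
    int width = value ? value : 256;

    /* In a real bug the pointer is found among the stack "arguments";
       here it is supplied explicitly to isolate the write itself. */
    snprintf(out, sizeof out, "%*x%hhn", width, 0u, (signed char *)dest);
}

/*
 * Write a 32-bit value one byte at a time, the classic four-%hhn approach.
 * Each byte gets its own snprintf, so the character count restarts at 0;
 * a single exploit string would instead use increasing widths.
 */
static void fmt_write_u32(uint32_t value, void *dest)
{
    unsigned char bytes[4];
    memcpy(bytes, &value, sizeof bytes);         /* host byte order, copied exactly */
    for (size_t i = 0; i < sizeof bytes; i++)
        fmt_write_byte(bytes[i], (unsigned char *)dest + i);
}

/* The "program-specific authentication variable" target: flip it to 1. */
int demo_set_auth_flag(void)
{
    authenticated = 0;
    fmt_write_u32(1u, &authenticated);
    return authenticated;
}

/* Round-trip an arbitrary value through the primitive. */
uint32_t demo_roundtrip(uint32_t value)
{
    uint32_t target = 0;
    fmt_write_u32(value, &target);
    return target;
}

int main(void)
{
    printf("authenticated = %d\n", demo_set_auth_flag());
    printf("0xdeadbeef -> 0x%08x\n", demo_roundtrip(0xdeadbeefu));
    return 0;
}
```

The width-of-256 case matters in practice: a target address or value with a zero byte cannot be written with a zero-width conversion, so the count has to wrap past 255 instead.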
References
Blaess, Grenier, and Raynal, "Secure Programming, Part 4," www.cgsecurity.org/Articles/SecProg/Art4/
DangerDuo, "When Code Goes Wrong," www.hackinthebox.org/article.php?sid=7949
Juan M. Bello Rivas, "Overwriting the .dtors Section," www.cash.sopot.kill.pl/bufer/dtors.txt
Team Teso explanation, www.csl.mtu.edu/cs4471/www/Supplements/formats-teso.pdf
Jon Erickson, Hacking: The Art of Exploitation (San Francisco: No Starch Press, 2003)
Koziol et al., The Shellcoder's Handbook (Indianapolis: Wiley Publishing, 2004)
Hoglund and McGraw, Exploiting Software: How to Break Code (Boston: Addison-Wesley, 2004)
Heap Overflow Exploits
As you recall from Chapter 6, the heap is an area of process memory that is allocated
dynamically at the request of the application. This is a key difference from the other areas
of memory, such as the stack and the text segment, which the kernel lays out when the process
is created: the heap is carved up at run time by the C library's allocator (malloc and free),
which obtains its raw memory from the kernel with brk or mmap. On most systems, the heap grows
from lower memory to higher memory and is comprised of free and allocated chunks of contiguous
memory, as illustrated in Figure 8-2.
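To make that layout concrete, here is an added example (written for this page, not code from the book) that builds a toy heap in a fixed buffer: chunks are placed back to back from low to high addresses, each behind a small header recording its size and whether it is in use. It is a deliberately simplified stand-in for a real allocator, so the header format and the names (toy_malloc, chunk_hdr, demo_overflow, heap_check) are invented here and do not match glibc's. An unchecked copy into one chunk runs straight into the header and then the data of the chunk above it, and a walk over the headers shows how an allocator can notice the damage.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap for illustration only (not glibc's allocator): one fixed region
   carved from low to high addresses into contiguous chunks with headers. */
#define HEAP_SIZE 256

struct chunk_hdr {
    uint32_t size;     /* bytes of user data following this header */
    uint32_t in_use;   /* 1 = allocated, 0 = free */
};

static _Alignas(8) unsigned char heap[HEAP_SIZE];
static size_t heap_top;          /* offset of the first byte not yet handed out */

static void heap_reset(void)
{
    memset(heap, 0, sizeof heap);
    heap_top = 0;
}

/* Hand out size bytes of user data directly above the previous chunk. */
static void *toy_malloc(uint32_t size)
{
    size_t need = sizeof(struct chunk_hdr) + size;
    if (heap_top + need > HEAP_SIZE)
        return NULL;
    struct chunk_hdr *h = (struct chunk_hdr *)(heap + heap_top);
    h->size = size;
    h->in_use = 1;
    heap_top += need;
    return (unsigned char *)h + sizeof *h;
}

static struct chunk_hdr *hdr_of(void *p)
{
    return (struct chunk_hdr *)((unsigned char *)p - sizeof(struct chunk_hdr));
}

/* The header of the chunk that sits immediately after p's chunk. */
static struct chunk_hdr *next_hdr(void *p)
{
    return (struct chunk_hdr *)((unsigned char *)p + hdr_of(p)->size);
}

/* Walk the chunks from the bottom. A clobbered size or in_use field throws
   the walk off, the kind of consistency check a real allocator performs.
   Returns 0 if the layout is consistent, -1 otherwise. */
int heap_check(void)
{
    size_t off = 0;
    while (off < heap_top) {
        struct chunk_hdr *h = (struct chunk_hdr *)(heap + off);
        if (h->in_use > 1 || h->size > HEAP_SIZE)
            return -1;
        off += sizeof *h + h->size;
    }
    return off == heap_top ? 0 : -1;
}

struct overflow_result {
    uint32_t b_size;     /* B's size field after the copy */
    uint32_t b_in_use;   /* B's in_use field after the copy */
    char b_data[8];      /* first bytes of B's user data, NUL-terminated */
};

/* Two 16-byte chunks A and B are allocated back to back, then payload_len
   bytes of constructed input ('A's) are copied into A with no bounds check.
   Anything past 16 bytes lands in B's header, then in B's data. */
struct overflow_result demo_overflow(size_t payload_len)
{
    struct overflow_result r;
    unsigned char payload[128];

    heap_reset();
    char *a = toy_malloc(16);
    char *b = toy_malloc(16);
    strcpy(b, "secret");                 /* data an attacker would like to reach */

    if (payload_len > sizeof payload)
        payload_len = sizeof payload;
    memset(payload, 'A', sizeof payload);
    memcpy(a, payload, payload_len);     /* the overflow: payload_len may exceed 16 */

    r.b_size = next_hdr(a)->size;
    r.b_in_use = next_hdr(a)->in_use;
    memcpy(r.b_data, b, 7);
    r.b_data[7] = '\0';
    return r;
}

/* Scalar views of demo_overflow, convenient for checking results. */
uint32_t overflow_b_size(size_t len) { return demo_overflow(len).b_size; }
int overflow_b_data_is(size_t len, const char *expect)
{
    struct overflow_result r = demo_overflow(len);
    return strcmp(r.b_data, expect) == 0;
}
int overflow_then_check(size_t len) { demo_overflow(len); return heap_check(); }

int main(void)
{
    struct overflow_result r = demo_overflow(24);
    printf("B: size=0x%08x in_use=0x%08x data=\"%s\" heap_check=%d\n",
           r.b_size, r.b_in_use, r.b_data, heap_check());
    return 0;
}
```

With a 24-byte payload only B's header is overwritten and B's data is untouched; with 32 bytes the copy reaches B's data as well. Real allocators store different metadata in the header, and it is exactly that metadata which the exploits in this section target.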