I’m training on heap overflow exploit on my backtrack 5 laptop. However, backtrack seems to have a protection against these attacks. Here is what I get when i try to corrupt meta data of malloc’s allocated chunks.
Starting program: /root/exploit/basicheap `python -c 'print "A"*1024+"\xff\xff\xff\xff"+"\x01\x02\x03\x04"'`
buf1=0x804b008 buf2=0x804b410
*** glibc detected *** /root/exploit/basicheap: double free or corruption (out): 0x0804b410 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(+0x6b591)[0xb7edf591]
/lib/tls/i686/cmov/libc.so.6(+0x6cde8)[0xb7ee0de8]
/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0xb7ee3ecd]
/root/exploit/basicheap[0x80484ee]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7e8abd6]
/root/exploit/basicheap[0x80483f1]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:01 13377588 /root/exploit/basicheap
08049000-0804a000 r--p 00000000 08:01 13377588 /root/exploit/basicheap
0804a000-0804b000 rw-p 00001000 08:01 13377588 /root/exploit/basicheap
0804b000-0806c000 rw-p 00000000 00:00 0 [heap]
(ETC...)
Program received signal SIGABRT, Aborted.
0xb7fe2430 in __kernel_vsyscall ()
Is there a way to disable this protection? Is it handled by the kernel or set by gcc during compilation (i was hoping i could disable it with an option like -fno-stack-protector to remove stack overflow protection in gcc)?
The message is coming from glibc’s implementation of
free, which detects the heap corruption. It isn’t a compile-time option in your program, and it isn’t a kernel check.Try:
The
malloc(3)man page for glibc says that with that environment variable set to 0, “any detected heap corruption is silently ignored”, so it may just ignore your heap corruption and continue running, but it might successfully crash instead.Also see the
M_CHECK_ACTIONoption ofmallopt(3), which provides more detail on this checking code.