Shared Buffer Overwrite

This is a Mac OS X example of the Shared Buffer Overwrite pattern (Volume 5, page 120). Originally we wanted to construct a default C runtime heap corruption example using the malloc / free functions. Unfortunately, we couldn't get the heap corrupted as easily as was possible in the Windows Visual C++ environment by writing before or after an allocated block. In desperation we printed the allocated pointers, and they all pointed to memory blocks laid out one after another without any headers in between (this could just be the default Apple LLVM C runtime implementation, and we have to check it with GCC). Therefore, any subsequent reallocation didn't cause corruption either. So all this naturally fits into shared buffer overwrites or underwrites, where the corruption is only detectable when the overwritten data is used, for example in a pointer dereference.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, const char * argv[])
{
       char *p1 = (char *) malloc (1024);
       strcpy(p1, "Hello World!");
       printf("p1 = %p\n", p1);
       printf("*p1 = %s\n", p1);

       char *p2 = (char *) malloc (1024);
       strcpy(p2, "Hello World!");
       printf("p2 = %p\n", p2);
       printf("*p2 = %s\n", p2);

       char *p3 = (char *) malloc (1024);
       strcpy(p3, "Hello World!");
       printf("p3 = %p\n", p3);
       printf("*p3 = %s\n", p3);

       // Underwrites: sizeof(p2) is 8 on 64-bit, so "Hello Crash!" starts 8 bytes
       // before the block. "Hello Cr" lands in whatever precedes it and "ash!" plus
       // the terminating NUL overwrite the start of the block itself. Since p3
       // directly follows p2, the second strcpy clobbers the last 8 bytes of p2.
       strcpy(p2-sizeof(p2), "Hello Crash!");
       strcpy(p3-sizeof(p3), "Hello Crash!");
       // realloc copies the already corrupted contents (including the "Hello Cr"
       // tail written via p3) into the new, larger block.
       p2 = (char *)realloc(p2, 2048);
       printf("p2 = %p\n", p2);
       printf("*p2 = %s\n", p2);

       // p4 gets the block p2 was moved away from; its old contents are not cleared.
       char *p4 = (char *) malloc (1024);
       strcpy(p4-sizeof(p4), "Hello Crash!");
       printf("p4 = %p\n", p4);
       printf("*p4 = %s\n", p4);

       p3 = (char *)realloc(p3, 2048);
       printf("p3 = %p\n", p3);
       printf("*p3 = %s\n", p3);

       char *p5 = NULL; // to force a core dump
       *p5 = 0;

       free (p4);
       free (p3);
       free (p2);
       free (p1);

       return 0;
}

When we run the program above we get this output:

p1 = 0x7fc6d9000000
*p1 = Hello World!
p2 = 0x7fc6d9001400
*p2 = Hello World!
p3 = 0x7fc6d9001800
*p3 = Hello World!
p2 = 0x7fc6d9001c00
*p2 = ash!
p4 = 0x7fc6d9001400
*p4 = ash!
p3 = 0x7fc6d9002400
*p3 = ash!
Segmentation fault: 11 (core dumped)

Here is the GDB output:

(gdb) x/1024bc p1
0x7fc6d9000000: 72 'H' 101 'e' 108 'l' 108 'l' 111 'o' 32 ' ' 87 'W' 111 'o'
0x7fc6d9000008: 114 'r' 108 'l' 100 'd' 33 '!' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9000010: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
[...]
0x7fc6d90003e8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d90003f0: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d90003f8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
(gdb) x/32bc p1+1024-sizeof(p1)
0x7fc6d90003f8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9000400: 42 '*' 112 'p' 51 '3' 32 ' ' 61 '=' 32 ' ' 97 'a' 115 's'
0x7fc6d9000408: 104 'h' 33 '!' 10 '\n' 100 'd' 57 '9' 48 '0' 48 '0' 50 '2'
0x7fc6d9000410: 52 '4' 48 '0' 48 '0' 10 '\n' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
(gdb) x/2048bc p2
0x7fc6d9001c00: 97 'a' 115 's' 104 'h' 33 '!' 0 '\000' 32 ' ' 87 'W' 111 'o'
0x7fc6d9001c08: 114 'r' 108 'l' 100 'd' 33 '!' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001c10: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
[...]
0x7fc6d9001fe8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001ff0: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001ff8: 72 'H' 101 'e' 108 'l' 108 'l' 111 'o' 32 ' ' 67 'C' 114 'r'
0x7fc6d9002000: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002008: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
[...]
0x7fc6d90023e8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d90023f0: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d90023f8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
(gdb) x/64bc p2-sizeof(p2)
0x7fc6d9001bf8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001c00: 97 'a' 115 's' 104 'h' 33 '!' 0 '\000' 32 ' ' 87 'W' 111 'o'
0x7fc6d9001c08: 114 'r' 108 'l' 100 'd' 33 '!' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001c10: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001c18: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001c20: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001c28: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001c30: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
(gdb) x/64bc p2+2048-sizeof(p2)
0x7fc6d90023f8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002400: 97 'a' 115 's' 104 'h' 33 '!' 0 '\000' 32 ' ' 87 'W' 111 'o'
0x7fc6d9002408: 114 'r' 108 'l' 100 'd' 33 '!' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002410: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002418: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002420: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002428: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002430: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
(gdb) x/1024bc p3
0x7fc6d9002400: 97 'a' 115 's' 104 'h' 33 '!' 0 '\000' 32 ' ' 87 'W' 111 'o'
0x7fc6d9002408: 114 'r' 108 'l' 100 'd' 33 '!' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002410: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
[...]
0x7fc6d90027e8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d90027f0: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d90027f8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
(gdb) x/64bc p3-sizeof(p3)
0x7fc6d90023f8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002400: 97 'a' 115 's' 104 'h' 33 '!' 0 '\000' 32 ' ' 87 'W' 111 'o'
0x7fc6d9002408: 114 'r' 108 'l' 100 'd' 33 '!' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002410: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002418: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002420: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002428: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002430: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
(gdb) x/64bc p3+1024-sizeof(p3)
0x7fc6d90027f8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002800: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002808: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002810: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002818: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002820: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002828: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9002830: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
(gdb) x/1024bc p4
0x7fc6d9001400: 97 'a' 115 's' 104 'h' 33 '!' 0 '\000' 32 ' ' 87 'W' 111 'o'
0x7fc6d9001408: 114 'r' 108 'l' 100 'd' 33 '!' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001410: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
[...]
0x7fc6d90017e8: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d90017f0: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d90017f8: 72 'H' 101 'e' 108 'l' 108 'l' 111 'o' 32 ' ' 67 'C' 114 'r'
(gdb) x/64bc p4-sizeof(p4)
0x7fc6d90013f8: 72 'H' 101 'e' 108 'l' 108 'l' 111 'o' 32 ' ' 67 'C' 114 'r'
0x7fc6d9001400: 97 'a' 115 's' 104 'h' 33 '!' 0 '\000' 32 ' ' 87 'W' 111 'o'
0x7fc6d9001408: 114 'r' 108 'l' 100 'd' 33 '!' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001410: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001418: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001420: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001428: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001430: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
(gdb) x/64bc p4+1024-sizeof(p4)
0x7fc6d90017f8: 72 'H' 101 'e' 108 'l' 108 'l' 111 'o' 32 ' ' 67 'C' 114 'r'
0x7fc6d9001800: 97 'a' 115 's' 104 'h' 33 '!' 0 '\000' 32 ' ' 87 'W' 111 'o'
0x7fc6d9001808: 114 'r' 108 'l' 100 'd' 33 '!' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001810: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001818: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001820: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001828: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0x7fc6d9001830: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
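Because the blocks carry no headers, the underwrite above stays silent until the clobbered bytes are used. The following added example (not code from the original page) wraps malloc with pattern-filled red zones so that the same strcpy(p - sizeof(p), "Hello Crash!") is reported by an explicit check; guarded_malloc, guarded_check and demo_damage are assumed names, and a 16-byte-aligned malloc is assumed.

```c
#include <stdlib.h>
#include <string.h>

/* Added example: red zones of GUARD pattern bytes on both sides of the user
 * block. An underwrite such as the page's strcpy(p - 8, ...) lands in the front
 * zone, an overwrite in the back zone, so damage is visible before any use. */
#define GUARD 16
#define FILL  0xA5
#define MAGIC ((size_t)0x5EC0DE5EC0DE5EC0ULL)
struct guard_hdr { size_t size; size_t check; };   /* 16 bytes, keeps alignment */

char *guarded_malloc(size_t size)
{
    unsigned char *raw = malloc(sizeof(struct guard_hdr) + 2 * GUARD + size);
    if (raw == NULL) return NULL;
    struct guard_hdr *h = (struct guard_hdr *)raw;
    h->size = size;
    h->check = size ^ MAGIC;                     /* detects a smashed header */
    unsigned char *front = raw + sizeof *h;
    memset(front, FILL, GUARD);                  /* front red zone */
    memset(front + GUARD + size, FILL, GUARD);   /* back red zone  */
    return (char *)front + GUARD;                /* pointer the caller uses */
}

/* 0 = intact, bit 0 = front zone or header written (underwrite),
 * bit 1 = back zone written (overwrite). */
int guarded_check(const char *p)
{
    const unsigned char *front = (const unsigned char *)p - GUARD;
    const struct guard_hdr *h = (const struct guard_hdr *)(front - sizeof *h);
    if (h->check != (h->size ^ MAGIC)) return 1; /* size untrusted, stop here */
    int damage = 0;
    for (size_t i = 0; i < GUARD; i++) {
        if (front[i] != FILL) damage |= 1;
        if (front[GUARD + h->size + i] != FILL) damage |= 2;
    }
    return damage;
}

void guarded_free(char *p) { free((unsigned char *)p - GUARD - sizeof(struct guard_hdr)); }

/* Re-runs the page's strcpy(p - sizeof(p), "Hello Crash!") on a guarded block
 * (before = 1) and/or writes 4 bytes past its end (after = 1). */
int demo_damage(int before, int after)
{
    char *p = guarded_malloc(1024);
    strcpy(p, "Hello World!");
    if (before) strcpy(p - sizeof(p), "Hello Crash!");  /* 8-byte underwrite */
    if (after)  memset(p + 1024, 'X', 4);               /* 4-byte overwrite  */
    int damage = guarded_check(p);
    guarded_free(p);
    return damage;
}
```

The "Hello Cr" that the page's program silently dropped into the preceding block now lands in the front red zone, and guarded_check reports it as an underwrite (1) without anyone having to dereference "ash!".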