Is this an off-by-one overflow?

From: <exce(at)boxen.netwinder.nu>
Date: Wed Feb 19 2003 - 05:58:45 EST


To Moderator: Is this enough info?

Hello!

I have found that a command line argument to a program I use daily can be used to overflow a function inside the program.

Unfortunately I cannot reveal what program it is, because I'm employed by the company that makes this program. And it might be sensitive to submit this info to an open channel such as this before I have evaluated the problem.

Is there any way to exploit this to execute my own shellcode? This is how I overflow the program:

[exce@101 exce]$ gdb /usr/bin/vulnprogram
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) set args `perl -e 'print "A" x 4112'`
(gdb) run

  ......no debugging symbols found bla bla.....

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 8047)]
0x0804ea80 in VulnFunction () <---- Modified function name :P

Do you need help?X

(gdb) info reg

eax            0x41414141       1094795585  <---- Overwritten with A's
ecx            0x8062088        134619272
edx            0x8      8
ebx            0x4213030c       1108542220
esp            0xbfffb9b0       0xbfffb9b0
ebp            0xbfffdabc       0xbfffdabc
esi            0x40013020       1073819680
edi            0xbfffeb54       -1073747116
eip            0x804ea80        0x804ea80
eflags         0x10283  66179
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x7      7
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x23     35
fioff          0x8052d06        134556934
foseg          0x2b     43
fooff          0xbfffda54       -1073751468
---Type <return> to continue, or q <return> to quit---Quit
(gdb)

There is no difference in this reg output if I increase the overflow string. So most probably it is some kind of a loop gone wrong. This is the only command line parameter this program takes.

As I said, what I want to know is if this is exploitable, and if it is, how do I exploit it.

Feel free to point me to some interesting websites that have information on this subject.

/Daniel Nyström

Received on Wed Feb 19 11:06:33 2003
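One code pattern that matches the subject line and the observation that a longer argument does not change the crash is a copy loop whose bound is off by one: no matter how long the input, the loop can only run a fixed number of bytes past the buffer. The C below is an added example for the reader, not code from the original post or from the unnamed program; it assumes a 4096-byte stack buffer filled from argv[1], places the buggy loop next to a bounded copy that refuses oversized input, and includes a helper that works out how far the buggy loop would write past the buffer for a given argument length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARGBUF 4096  /* assumed buffer size; not taken from the post */

/* Buggy pattern (assumed, for comparison only; never called here):
 * the loop bound is i <= ARGBUF instead of i < ARGBUF, so dst[ARGBUF]
 * can be written, and the terminator may land one byte further still. */
void copy_arg_off_by_one(char *dst, const char *src) {
    size_t i;
    for (i = 0; i <= ARGBUF && src[i] != '\0'; i++)  /* bug: allows i == ARGBUF */
        dst[i] = src[i];
    dst[i] = '\0';  /* bug: may write dst[ARGBUF] or dst[ARGBUF + 1] */
}

/* Hardened version: copies only if the whole string plus its terminator fits.
 * Returns 0 on success, -1 when the argument is too long (dst left empty). */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {          /* n bytes + NUL would not fit in dstsz */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* includes the terminator */
    return 0;
}

/* Bytes the buggy loop writes beyond a dstsz-byte buffer for an input of
 * length n (0 when it fits). The loop copies at most dstsz + 1 bytes and
 * then writes one NUL, so the overrun never exceeds 2 bytes, which is why
 * a longer argument does not change what gets clobbered. */
size_t overrun_bytes(size_t dstsz, size_t n) {
    size_t copied = n < dstsz + 1 ? n : dstsz + 1;
    size_t written = copied + 1;
    return written > dstsz ? written - dstsz : 0;
}

int main(int argc, char **argv) {
    char buf[ARGBUF];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    printf("buggy loop would overrun by %zu byte(s)\n",
           overrun_bytes(sizeof buf, strlen(argv[1])));
    if (copy_arg_bounded(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    printf("copied %zu bytes safely\n", strlen(buf));
    return 0;
}
```

Run it with an argument produced the same way as in the post (`perl -e 'print "A" x 4112'`) and the overrun reported stays at 2 bytes however large the multiplier gets, while the bounded copy simply rejects the input. When triaging a real crash, the check that matters is whether the clobbered bytes reach a saved return address or a pointer the function later dereferences; a register holding the fill pattern, as eax does in the dump above, shows only that data next to the buffer was overwritten, not that control flow was redirected.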

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

