Vulnerability Development mailing list archives
Re: Administrivia: List Announcement
From: "Benjamin A. Okopnik" <ben () callahans org>
Date: Tue, 13 May 2003 23:25:18 -0400
On Tue, May 13, 2003 at 01:36:24PM -0400, David Riley wrote:
On Tuesday, May 13, 2003, at 12:25 PM, Dave McKinney wrote:We'll kick this off with the first challenge, which was devised by Aaron Adams: // vulndev-1.c
[ snip ]
I'll start by saying that I like this idea... it'll give me a chance to brush up on my skills in this area. Now, the only error I see in this program is that the for() loop checks for i <= SIZE rather than i < SIZE. However, this doesn't seem to affect much... when I run the compiled program on my OS X machine with these args: ./vuln `perl -e 'print "a" x 2000'` `perl -e 'print "b" x 2000'` It exits cleanly. I imagine that it might overwrite a byte somewhere, but it's not really doing much for me.
It "works" for me on a Debian Linux box:
ben@Fenrir:/tmp$ ./vulndev-1 `perl -we'print "A" x 253'` a
Segmentation fault
Note that it does _not_ crash in the reverse case (large argv[2]),
although I'm not sure why. However, this might be indicative (pardon my
rusty-as-can-be C skills):
------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define SIZE 252
int
main(int argc, char *argv[])
{
int i, l1, l2, s1, s2;
char *p1, *p2;
char *buf1 = malloc(SIZE);
char *buf2 = malloc(SIZE);
if (argc != 3)
exit(1);
p1 = argv[1], p2 = argv[2];
strncpy(buf2, p2, SIZE);
for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
buf1[i] = p1[i];
l1 = strlen(p1);
s1 = sizeof(p1);
l2 = strlen(p2);
s2 = sizeof(p2);
free(buf1);
free(buf2);
printf("strlen1: %i sizeof1: %i\n", l1, s1);
printf("strlen2: %i sizeof2: %i\n", l2, s2);
return 0;
}
------------------------------------------------------------------------
Now, note the output of this:
ben@Fenrir:/tmp/vuln-dev$ ./tst `perl -we'print "A" x 252'` a
strlen1: 252 sizeof1: 4
strlen2: 1 sizeof2: 4
ben@Fenrir:/tmp/vuln-dev$ ./tst `perl -we'print "A" x 253'` a
Segmentation fault
ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 253'`
strlen1: 1 sizeof1: 4
strlen2: 253 sizeof2: 4
ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 300'`
strlen1: 1 sizeof1: 4
strlen2: 300 sizeof2: 4
ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 1000'`
strlen1: 1 sizeof1: 4
strlen2: 1000 sizeof2: 4
Seems like "argv[2]" is copied no matter what the "strncpy"'s SIZE is.
Hmm. Anybody have an idea?
Ben Okopnik
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The reason the government thinks you're just a number
is because it's just a machine.
Current thread:
- Administrivia: List Announcement Dave McKinney (May 13)
- Re: Administrivia: List Announcement David Riley (May 13)
- Re: Administrivia: List Announcement Benjamin A. Okopnik (May 13)
- Re: Administrivia: List Announcement Edinelson Keiji Shimokawa (May 14)
- Re: Administrivia: List Announcement Benjamin A. Okopnik (May 13)
- Re: Administrivia: List Announcement Brian Hatch (May 13)
- Re: Administrivia: List Announcement Wojciech Purczynski (May 14)
- Re: Administrivia: List Announcement Luciano Miguel Ferreira Rocha (May 14)
- vulndev-1.c challenge (was Re: Administrivia: List Announcement) Bennett Todd (May 13)
- Re: Administrivia: List Announcement Bernie Cosell (May 13)
- Re: Administrivia: List Announcement Valdis . Kletnieks (May 15)
- partial analysis of vulndev-1.c David R. Piegdon (May 13)
- Re: partial analysis of vulndev-1.c Dana Epp (May 13)
- Re: partial analysis of vulndev-1.c master of chaos - lord of mean (May 13)
(Thread continues...)
- Re: Administrivia: List Announcement David Riley (May 13)