Vulnerability Development mailing list archives

Re: Problem exploiting a CGI overflow


From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Fri, 26 Nov 2004 11:34:16 +0100 (CET)

Just a quick summary of the solution for those interested.

sin <sin () innocence-lost net> wrote:

It seems like if bash is the one converting the characters, that you
should be able to bypass the problems by changing the exploit to call
execve() with argv/envp setup. Am I incorrect here?

It's not bash that is responsible for the character conversion, but the 
scanf() function itself. 

sin <sin () innocence-lost net> wrote:

As for not being able to return into envp like that, seeing as it's a
CGI, it seems like that would depend on the method used by the
webserver, IIRC get variables end up in the environment, and post
variables come from stdin, so if it used get, it seems like you would be
able to.

Ret-into-envp may be feasible locally, but I don't believe it would be 
possible to remotely control the envp in this case, though I've not tested 
it -- so I may be wrong.

Victor Henriquez <vhenriquez () grancanaria com> wrote:

You are right. I use your shellcode
(http://www.0xdeadbeef.info/code/gets-linux.c) --removing 0x0b-- and now
it works.

But, why do I need to close stdin?

Because functions like scanf() and gets() use the fd 0 (stdin), and for 
some reason (I've not investigated this problem further after I found the 
special shellcode work-around) if you use them to trigger the buffer 
overflow you don't have control of stdin. This means that you can't 
properly execute an interactive shell without re-opening the tty, to gain 
access to all needed descriptors (0, 1, and 2) -- although other programs 
work just fine without stdin, e.g. try with /bin/ls instead of /bin/sh.

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
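Added example, not code from the thread or from its authors: it shows the two properties of scanf("%s") that this reply turns on, using sscanf() on a constructed in-memory buffer instead of stdin so it runs stand-alone. scanf_stops_at() checks whether %s treats a given byte as a separator (which is why a 0x0b byte had to be dropped from the input), and read_word_bounded() shows the field-width form that keeps a long token from overflowing the destination buffer. The function and macro names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Does "%s" treat byte c as whitespace, i.e. stop reading at it?
 * The input is constructed as "AB" <c> "CD"; the first token is read.
 * Returns 1 if c acted as a separator, 0 if c was copied into the token.
 * In the C locale this is true for 0x09-0x0d and 0x20 (and NUL, which
 * simply ends the string), so such bytes never reach the target buffer. */
int scanf_stops_at(unsigned char c) {
    char input[6] = { 'A', 'B', (char)c, 'C', 'D', '\0' };
    char word[8] = { 0 };
    if (sscanf(input, "%7s", word) != 1)
        return -1;
    return strlen(word) == 2;
}

#define WORD_MAX 16   /* destination size; the format width must be WORD_MAX-1 */

/* Bounded read: the field width limits what "%s" copies, so a token longer
 * than WORD_MAX-1 bytes is truncated instead of overflowing dst. The
 * unbounded form, scanf("%s", dst), is the pattern that makes a CGI like
 * the one discussed exploitable. Returns bytes copied, or -1 when no token. */
int read_word_bounded(const char *src, char dst[WORD_MAX]) {
    dst[0] = '\0';
    if (sscanf(src, "%15s", dst) != 1)
        return -1;
    return (int)strlen(dst);
}

/* Convenience wrapper so callers can check the copied length only. */
int bounded_word_len(const char *src) {
    char buf[WORD_MAX];
    return read_word_bounded(src, buf);
}

int main(void) {
    /* Print every byte value that "%s" refuses to copy into a buffer. */
    printf("bytes treated as separators by scanf(\"%%s\"):");
    for (int c = 1; c < 256; c++)
        if (scanf_stops_at((unsigned char)c) == 1)
            printf(" 0x%02x", c);
    printf("\n");
    /* Constructed over-long token: 40 'A's, but only 15 bytes are copied. */
    printf("bounded copy length: %d\n",
           bounded_word_len("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```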