Re: Administrivia: List Announcement

From: Benjamin A. Okopnik (benat_private)
Date: Tue May 13 2003 - 20:25:18 PDT


    On Tue, May 13, 2003 at 01:36:24PM -0400, David Riley wrote:
    > On Tuesday, May 13, 2003, at 12:25 PM, Dave McKinney wrote:
    > 
    > >We'll kick this off with the first challenge, which was devised by 
    > >Aaron
    > >Adams:
    > >
    > >// vulndev-1.c
    
    [ snip ]
    
    > I'll start by saying that I like this idea... it'll give me a chance to 
    > brush up on my skills in this area.
    > 
    > Now, the only error I see in this program is that the for() loop checks 
    > for i <= SIZE rather than i < SIZE.  However, this doesn't seem to 
    > affect much... when I run the compiled program on my OS X machine with 
    > these args:
    > 
    > ./vuln `perl -e 'print "a" x 2000'` `perl -e 'print "b" x 2000'`
    > 
    > It exits cleanly.  I imagine that it might overwrite a byte somewhere, 
    > but it's not really doing much for me.
    
    It "works" for me on a Debian Linux box:
    
    ben@Fenrir:/tmp$ ./vulndev-1 `perl -we'print "A" x 253'` a
    Segmentation fault
    
    Note that it does _not_ crash in the reverse case (large argv[2]),
    although I'm not sure why. However, this might be indicative (pardon my
    rusty-as-can-be C skills):
    
    ------------------------------------------------------------------------
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    #define SIZE    252
    
    int
    main(int argc, char *argv[])
    {
            int     i, l1, l2, s1, s2;
            char    *p1, *p2;
            char    *buf1 = malloc(SIZE);
            char    *buf2 = malloc(SIZE);
    
            if (argc != 3)
                    exit(1);
    
            p1 = argv[1], p2 = argv[2];
            strncpy(buf2, p2, SIZE);
            for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                    buf1[i] = p1[i];
    
            l1 = strlen(p1);
            s1 = sizeof(p1);
            l2 = strlen(p2);
            s2 = sizeof(p2);
    
            free(buf1);
            free(buf2);
    
            printf("strlen1: %i sizeof1: %i\n", l1, s1);
            printf("strlen2: %i sizeof2: %i\n", l2, s2);

            return 0;
    }
    
    ------------------------------------------------------------------------
    
    Now, note the output of this:
    
    ben@Fenrir:/tmp/vuln-dev$ ./tst `perl -we'print "A" x 252'` a
    strlen1: 252    sizeof1: 4
    strlen2: 1      sizeof2: 4
    ben@Fenrir:/tmp/vuln-dev$ ./tst `perl -we'print "A" x 253'` a
    Segmentation fault
    ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 253'`
    strlen1: 1      sizeof1: 4
    strlen2: 253    sizeof2: 4
    ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 300'`
    strlen1: 1      sizeof1: 4
    strlen2: 300    sizeof2: 4
    ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 1000'`
    strlen1: 1      sizeof1: 4
    strlen2: 1000   sizeof2: 4
    
    
    Seems like "argv[2]" is copied no matter what the "strncpy"'s SIZE is.
    Hmm. Anybody have an idea?
    
    
    Ben Okopnik
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    The reason the government thinks you're just a number
      is because it's just a machine.
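An added example, not part of Ben's message or of the vulndev-1.c challenge: it isolates the `i <= SIZE` loop and the `strncpy` call into functions that can be checked without crashing the heap (a SIZE-byte region followed by one canary byte stands in for malloc's bookkeeping), and shows why `strlen(p2)` is unaffected by the copy. `make_arg`, `copy_loop`, `canary_clobbered` and `strncpy_terminated` are names chosen here; the inputs are constructed to mirror the perl one-liners.

```c
#include <stdlib.h>
#include <string.h>

#define SIZE 252

/* The copy loop from vulndev-1.c: with `<=` index SIZE is written, i.e.
 * SIZE+1 bytes into a SIZE-byte buffer; with `<` it stops at SIZE bytes. */
static size_t copy_loop(char *dst, const char *src, int as_posted)
{
    size_t i;
    for (i = 0; (as_posted ? i <= SIZE : i < SIZE) && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;                      /* bytes written */
}

/* Constructed input: a string of `len` 'A's, like the perl one-liners. */
static char *make_arg(size_t len)
{
    char *s = malloc(len + 1);
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Copy into SIZE bytes followed by one canary byte so the overrun is seen
 * instead of corrupting malloc's bookkeeping (the crash at 253 bytes).
 * Returns 1 if the canary was overwritten. */
static int canary_clobbered(size_t len, int as_posted)
{
    char *src = make_arg(len);
    char *region = malloc(SIZE + 1);
    region[SIZE] = (char)0xAA;
    copy_loop(region, src, as_posted);
    int clobbered = (unsigned char)region[SIZE] != 0xAA;
    free(src);
    free(region);
    return clobbered;
}

/* strncpy(buf2, p2, SIZE) stores at most SIZE bytes and no NUL once p2 is
 * SIZE bytes or longer; p2 itself (what strlen2 measures) is never touched. */
static int strncpy_terminated(size_t len)
{
    char *p2 = make_arg(len), *buf2 = malloc(SIZE);
    strncpy(buf2, p2, SIZE);
    int term = memchr(buf2, '\0', SIZE) != NULL;
    free(p2);
    free(buf2);
    return term;
}
```

With the posted bound, 252 bytes fit and 253 clobber the canary, matching the segfault threshold in the transcript; with the corrected bound no length does, and `strncpy` leaves buf2 unterminated from 252 bytes on.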
    



    This archive was generated by hypermail 2b30 : Tue May 13 2003 - 21:37:56 PDT