On Tue, May 13, 2003 at 01:36:24PM -0400, David Riley wrote:
> On Tuesday, May 13, 2003, at 12:25 PM, Dave McKinney wrote:
>
> >We'll kick this off with the first challenge, which was devised by
> >Aaron Adams:
> >
> >// vulndev-1.c
[ snip ]
> I'll start by saying that I like this idea... it'll give me a chance to
> brush up on my skills in this area.
>
> Now, the only error I see in this program is that the for() loop checks
> for i <= SIZE rather than i < SIZE. However, this doesn't seem to
> affect much... when I run the compiled program on my OS X machine with
> these args:
>
> ./vuln `perl -e 'print "a" x 2000'` `perl -e 'print "b" x 2000'`
>
> It exits cleanly. I imagine that it might overwrite a byte somewhere,
> but it's not really doing much for me.

It "works" for me on a Debian Linux box:

ben@Fenrir:/tmp$ ./vulndev-1 `perl -we'print "A" x 253'` a
Segmentation fault

Note that it does _not_ crash in the reverse case (large argv[2]),
although I'm not sure why. However, this might be indicative (pardon my
rusty-as-can-be C skills):

------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define SIZE 252

int main(int argc, char *argv[])
{
    int i, l1, l2, s1, s2;
    char *p1, *p2;
    char *buf1 = malloc(SIZE);
    char *buf2 = malloc(SIZE);

    if (argc != 3)
        exit(1);

    p1 = argv[1], p2 = argv[2];

    /* strncpy writes at most SIZE bytes into buf2 (unterminated if p2 is longer) */
    strncpy(buf2, p2, SIZE);

    /* i <= SIZE is the challenge's off-by-one: a p1 of SIZE+1 or more
     * bytes also writes buf1[SIZE], one past the SIZE-byte allocation */
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
        buf1[i] = p1[i];

    /* sizeof(p1)/sizeof(p2) is the size of the pointer, not of the buffer */
    l1 = strlen(p1);
    s1 = sizeof(p1);
    l2 = strlen(p2);
    s2 = sizeof(p2);

    free(buf1);
    free(buf2);

    printf("strlen1: %i sizeof1: %i\n", l1, s1);
    printf("strlen2: %i sizeof2: %i\n", l2, s2);

    return 0;
}
------------------------------------------------------------------------

Now, note the output of this:

ben@Fenrir:/tmp/vuln-dev$ ./tst `perl -we'print "A" x 252'` a
strlen1: 252 sizeof1: 4
strlen2: 1 sizeof2: 4
ben@Fenrir:/tmp/vuln-dev$ ./tst `perl -we'print "A" x 253'` a
Segmentation fault
ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 253'`
strlen1: 1 sizeof1: 4
strlen2: 253 sizeof2: 4
ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 300'`
strlen1: 1 sizeof1: 4
strlen2: 300 sizeof2: 4
ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 1000'`
strlen1: 1 sizeof1: 4
strlen2: 1000 sizeof2: 4

Seems like "argv[2]" is copied no matter what the "strncpy"'s SIZE is.
Hmm. Anybody have an idea?

Ben Okopnik
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The reason the government thinks you're just a number is because it's
just a machine.
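An added example, not part of the post or the challenge code, that reproduces both observations above with a guard byte instead of a crash: the posted loop writes dst[SIZE] as soon as the source has 253 or more bytes, while strncpy(buf2, p2, SIZE) never writes past SIZE bytes, so a long argv[2] only changes strlen(p2), which measures argv[2] itself rather than buf2. The 'A' input, the canary value and the 2048-byte harness limit are constructed here, and a bounded copy is shown beside the posted one.

```c
#include <string.h>

#define SIZE   252
#define CANARY 0xCC

/* The loop as posted (i <= SIZE): with more than SIZE source bytes it
 * also writes dst[SIZE], one byte past a SIZE-byte buffer. */
static size_t copy_as_posted(char *dst, size_t size, const char *src)
{
    size_t i;
    for (i = 0; i <= size && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;
}

/* strncpy touches at most `size` bytes of dst however long src is
 * (and leaves dst unterminated when src is longer than size). */
static size_t copy_strncpy(char *dst, size_t size, const char *src)
{
    strncpy(dst, src, size);
    return size;
}

/* Corrected loop: stops at size - 1 and always NUL-terminates. */
static size_t copy_bounded(char *dst, size_t size, const char *src)
{
    size_t i;
    if (size == 0) return 0;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/* Copy src_len 'A's (a constructed input) into a SIZE-byte region that is
 * followed by one canary byte; return 1 if the canary was overwritten. */
static int canary_hit(size_t (*copy)(char *, size_t, const char *),
                      size_t src_len)
{
    unsigned char region[SIZE + 1];
    char src[2048 + 1];
    if (src_len > 2048) return -1;      /* too long for this harness */
    memset(src, 'A', src_len);
    src[src_len] = '\0';
    memset(region, 0, sizeof region);
    region[SIZE] = CANARY;              /* guard byte just past the buffer */
    copy((char *)region, SIZE, src);
    return region[SIZE] != CANARY;      /* 1 = out-of-bounds write */
}
```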
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 21:37:56 PDT