
datapimp
/*
I found this challenge on a web site; thought it might be fun to do it here.
Try to exploit this without using any shellcode.
Assume a nonexecutable stack.
Get a root shell.

*/


/*
 * Zero every string in a NULL-terminated pointer array (the argv/envp shape).
 *
 * Each entry is overwritten in place from its first byte up to, but not
 * including, its NUL terminator; the pointer array itself is left intact.
 *
 * @param target NULL-terminated array of NUL-terminated strings.
 */
void clearmem(char **target)
{
    char **entry = target;
    while (*entry != 0) {
        size_t len = strlen(*entry);
        memset(*entry, 0, len);
        entry++;
    }
}

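/*
 * Copy src into a fixed 56-byte stack buffer, bounded to the buffer's size.
 *
 * The original body was an unbounded strcpy(): any src of 56 bytes or more
 * (the caller passes argv-derived text) wrote past `buffer` into the rest of
 * the stack frame. The copy is now truncated to sizeof buffer - 1 bytes and
 * always NUL-terminated, so src of any length stays inside the frame. The
 * local buffer is not read afterwards, which matches the original for
 * in-bounds input.
 *
 * @param src NUL-terminated string; must not be NULL.
 */
void func(char *src)
{
    char buffer[56];
    size_t len = strlen(src);
    if (len > sizeof buffer - 1) {
        len = sizeof buffer - 1; /* truncate rather than overflow the frame */
    }
    memcpy(buffer, src, len);
    buffer[len] = '\0';
}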

/*
 * Entry point of the challenge binary.
 *
 * Builds `buffer` from the string `message` (not declared anywhere in this
 * listing; presumably a global defined elsewhere — confirm) followed by
 * argv[1], optionally copies argv[2] into a small heap block, prints the
 * result, and hands `buffer` to func() when a length check passes.
 *
 * Reviewer notes — hazards visible in this function, listed as risks:
 *  - malloc(20) is never checked for NULL.
 *  - The two strncat() calls use the full source length as their bound, so
 *    they behave like strcat(); `buffer` is 100 bytes and `buffer[buf_len]`
 *    can index past it.
 *  - `buf_len` is recomputed at the end through `*location`, a pointer kept
 *    inside the heap block that the argv[2] memcpy() can partially overwrite,
 *    so the final `buf_len < 56` guard is not a check on strlen(buffer).
 *  - `loc[14]` is read only when strlen(loc) < 14, i.e. past the string's
 *    terminator, and memcpy(data, loc, 17) reads past it as well.
 *  - bzero() is passed an integer constant as its pointer argument.
 * Mitigation would bound every copy to its destination size, derive the
 * final length from strlen(buffer), and drop the hard-coded address.
 *
 * @param argc argument count; exits immediately when no argument is given.
 * @param argv argument vector; argv[1] is required, argv[2] optional.
 * @param envp environment vector (non-standard third parameter to main).
 * @return falls off the end; C99 treats this as returning 0 from main.
 */
int main(int argc, char *argv[], char *envp[])
{
char buffer[100];
char *data, *loc;
long *location;
int buf_len;

/* No argument at all: nothing to do. */
if(argc == 1) exit(0);

/* Unchecked allocation; a NULL result is dereferenced on the next lines. */
data = (char *) malloc(20);
loc = data + 16;
/* Stash a pointer to `message` in the tail of the 20-byte block. This only
   fits when sizeof(long) == 4; with an 8-byte long the write runs 4 bytes
   past the allocation (16 + 8 = 24 > 20). */
*((long *)loc) = (long)message;
/* `location` now aliases the saved pointer; every later `*location` reads it
   back from the heap block. */
location = (long *) loc;

/* `loc` is reused as "optional second argument". */
if(argc > 2)
loc = argv[2];
else
loc = 0;

/* Only two bytes at fixed offsets are constrained for long inputs; the
   length of argv[1] itself is never bounded. */
if(strlen(argv[1]) > 38)
if(((unsigned char) argv[1][33] != 0xff) ||
((unsigned char) argv[1][34] != 0xbf)) exit(1);

bzero(buffer, 100);
/* Total length of message + argv[1], computed via the saved pointer. */
buf_len = strlen((char *)*location) + strlen(argv[1]);
/* Bound equals the source length, so these are effectively strcat():
   `buffer` overflows once the combined length reaches 100. */
strncat(buffer, (char *)*location, strlen((char *)*location));
strncat(buffer, argv[1], strlen(argv[1]));
/* Writes at index buf_len, which may be at or beyond buffer[99]. */
buffer[buf_len] = 0;

if(loc)
{
if(strlen(loc) > 15) exit(1);
if(strlen(loc) < 14)
{
/* strlen(loc) < 14 means index 14 lies past the terminator: out-of-bounds
   read of whatever follows argv[2] in memory. */
if(loc[14] == 0)
/* Copies 17 bytes — past the end of the string — into the 20-byte block;
   byte 16 lands on the first byte of the pointer saved at data + 16. */
memcpy(data, loc, 17);
else
/* At most 13 chars + NUL here, which fits in the 20-byte block. */
strcpy(data, loc);
}
}

/* Recomputed through `*location`, which the memcpy() above may have altered;
   this value is not necessarily strlen(buffer). */
buf_len = strlen((char *)*location) + strlen(argv[1]);
printf("%s (%d)\n", buffer, buf_len);

/* Wipe the argument and environment strings in place. */
clearmem(envp);
clearmem(argv);
/* Integer constant used as a pointer (no cast, hard-coded address);
   non-portable and outside any object this program owns. */
bzero(0xbfffff00, 250);

/* Guard uses the recomputed buf_len, not the actual length of `buffer`. */
if(buf_len < 56)
func(buffer);
}
Yellow_Blue

you need to compile it
coder
QUOTE (Yellow_Blue @ Dec 2 2003, 02:31 PM)
you need to compile it

I don't think you need to compile it to find an exploit.

I'd guess that a few functions used in the code are somewhat vulnerable if not checked properly... stuff like

{0x1, "gets"}, {0x1, "fgets"}, {0x1, "strcpy"},
{0x1, "strcat"}, {0x1, "setenv"}, {0x1, "getenv"},
{0x1, "scanf"}, {0x1, "sscanf"}, {0x1, "fscanf"},
{0x2, "sprintf"}, {0x2, "fprintf"}, {0x2, "snprintf"},
{0x2, "syslog"}, {0x2, "system"}, {0x2, "popen"},
{0x2, "vsprintf"}, {0x2, "vsnprintf"},

You can find many source-code analyzers at places like packetstorm... again, I'm not much of a C programmer and don't know enough about the language to analyze it for weaknesses myself.