Thursday, September 24, 2009

Bamboo -> angel tongue

Here's a quick, deliberately exploitable Linux program from our Fundamentals of Exploitation class. How many vulns can you find and exploit?

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* memcpy(), strlen() */

/* Record layout as parsed below: 1-byte type, 4-byte size, then the data. */
struct newClass {
char type;
int size;
char *data;
void (*printer)(char*);
};

/* Copies the argument into a fixed-size stack buffer. */
void painter(char *input) {
char buf[4096];

memcpy(buf, input, sizeof(buf)<strlen(input)?sizeof(buf):strlen(input));
return;
}

/* Parses a record out of the argument and dispatches on its type byte. */
void initStruct(char *input) {
struct newClass myClass;

myClass.type = *((char *)(input));
myClass.size = *((int *)(input+1));
myClass.data = ((char *)(input+5));

if (myClass.type == 1)
myClass.printer = (void *)printf;
if (myClass.type == 2)
myClass.printer = (void *)putchar;
if (myClass.type == 3)
myClass.printer = (void *)puts;
if (myClass.type > 3)
exit(1);

myClass.printer(myClass.data);
}

int main(int argc, char **argv) {
if (argc < 2)
exit(1);
painter(argv[2]);
initStruct(argv[1]);

return (0);
}

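For comparison, here is a hardened counterpart to the challenge program. It is an added example, not code from the class or from the original post: it keeps the same 1-byte type / 4-byte size / data record layout, but checks the argument count before touching argv, copies with a NUL terminator, decodes the size field as little-endian (an assumption, since the original just dereferences a native int inside the input) and refuses any size that does not fit the bytes actually received, makes the type byte unsigned so a high byte cannot skip every branch, never leaves the function pointer uninitialised, and never hands user data to printf as a format string. Because argv cannot carry the NUL bytes a small size field needs, the record is read from stdin instead; `safe_painter`, `parse_class` and the `print_*` helpers are names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added example: hardened counterpart to the challenge program.
 * Record layout: 1 byte type, 4 byte size (assumed little-endian here), then data. */
#define HDR_LEN 5

struct safeClass {
    unsigned char type;                 /* unsigned: a byte >= 0x80 is just "> 3", not negative */
    uint32_t size;
    const unsigned char *data;
    void (*printer)(const unsigned char *, size_t);
};

/* Length-bounded printers with one uniform signature; none treats data as a format string. */
static void print_bytes(const unsigned char *d, size_t n) { fwrite(d, 1, n, stdout); }
static void print_first(const unsigned char *d, size_t n) { if (n) putchar(d[0]); }
static void print_line(const unsigned char *d, size_t n)  { fwrite(d, 1, n, stdout); putchar('\n'); }

/* Bounded copy that always NUL-terminates.
 * Returns the number of bytes copied, or -1 for a NULL source or an unusable destination. */
long safe_painter(char *dst, size_t dstlen, const char *src) {
    if (src == NULL || dst == NULL || dstlen == 0) return -1;
    size_t n = strlen(src);
    if (n > dstlen - 1) n = dstlen - 1;        /* leave room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (long)n;
}

/* Parse a record of `len` bytes. Every field is validated against `len` before use.
 * Returns 0 on success and -1 on malformed input; out->printer is never left uninitialised. */
int parse_class(const unsigned char *in, size_t len, struct safeClass *out) {
    memset(out, 0, sizeof *out);
    if (in == NULL || len < HDR_LEN) return -1;           /* header must be fully present */
    out->type = in[0];
    out->size = (uint32_t)in[1] | (uint32_t)in[2] << 8 |   /* explicit decode: no unaligned */
                (uint32_t)in[3] << 16 | (uint32_t)in[4] << 24; /* int read inside the input */
    if (out->size > len - HDR_LEN) return -1;             /* declared size must fit real data */
    out->data = in + HDR_LEN;
    switch (out->type) {
    case 1: out->printer = print_bytes; break;
    case 2: out->printer = print_first; break;
    case 3: out->printer = print_line;  break;
    default: return -1;                                   /* 0, > 3, and every high byte */
    }
    return 0;
}

/* Reads one record from stdin; argv[1], if given, only feeds the bounded copy routine. */
int main(int argc, char **argv) {
    unsigned char rec[4096 + HDR_LEN];
    char buf[4096];
    struct safeClass c;

    if (argc >= 2 && safe_painter(buf, sizeof buf, argv[1]) < 0) return 1;

    size_t n = fread(rec, 1, sizeof rec, stdin);
    if (parse_class(rec, n, &c) != 0) {
        fputs("malformed record\n", stderr);
        return 1;
    }
    c.printer(c.data, c.size);
    return 0;
}
```

Try it with `printf '\x03\x05\x00\x00\x00hello' | ./hardened`, then with a first byte of `\xff` or a size larger than the payload, both of which are now rejected instead of reaching an uninitialised call or an out-of-bounds read.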
4 comments:

  1. just by looking at it I have the off-by-one on the memcpy and the format bug on printf. Anything else?

  2. i also see the null pointer dereference at "painter(argv[2]);" because of "if (argc < 2)".

    Are you guys planning on releasing the answer?

  3. I have also found the following: if myClass.type is negative, then "myClass.printer(myClass.data);" in the assembly actually does "call eax", and we control eax because of newClass not being initialized correctly. So by exploiting the concept of uninitialized variables, you can put your shellcode in buf and put the value you want in eax, thus controlling the execution flow of the program.
