Thursday, September 24, 2009
Bamboo -> angel tongue
Here's a quickie exploitable Linux program from our Fundamentals of Exploitation class. How many vulns can you find and exploit?

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* memcpy(), strlen() */

struct newClass {
    char type;
    int size;
    char *data;
    void (*printer)(char*);
};

/* Copies the argument into a fixed-size stack buffer and returns. */
void painter(char *input) {
    char buf[4096];
    memcpy(buf, input, sizeof(buf) < strlen(input) ? sizeof(buf) : strlen(input));
    return;
}

/* Parses a one-byte type, a four-byte size and a data pointer out of the
   argument, picks a printer by type and calls it on the data. */
void initStruct(char *input) {
    struct newClass myClass;
    myClass.type = *((char *)(input));
    myClass.size = *((int *)(input+1));
    myClass.data = ((char *)(input+5));
    if (myClass.type == 1)
        myClass.printer = (void *)printf;
    if (myClass.type == 2)
        myClass.printer = (void *)putchar;
    if (myClass.type == 3)
        myClass.printer = (void *)puts;
    if (myClass.type > 3)
        exit(1);
    myClass.printer(myClass.data);
}

int main(int argc, char **argv) {
    if (argc < 2)
        exit(1);
    painter(argv[2]);
    initStruct(argv[1]);
    return (0);
}
Comments:

Just by looking at it I have the off-by-one on the memcpy and the format bug on printf. Anything else?

Something else, yes.

I also see the null pointer dereference at "painter(argv[2]);" because of "if (argc < 2)".

Are you guys planning on releasing the answer?

I have also found the following: if myClass.type is negative, then "myClass.printer(myClass.data);" in the assembly actually does "call eax" and we control eax because of newClass not being initialized correctly. So by exploiting the concept of non-initialized variables, you can put your shellcode in buf and put the value you want in eax and thus control the execution flow of the program.
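The thread above points at a format string (type 1 hands attacker data to printf as the format), a NULL dereference (argc is checked against 2 but argv[2] is used), and an uninitialised function pointer. The last one is the interesting bug: type is a signed char, so a type byte of 0 or anything from 0x80 to 0xff is neither 1, 2 nor 3 and is not greater than 3 either, so no assignment to printer happens and the program calls whatever is lying in that stack slot; since painter() ran first and filled a 4096-byte buffer in the same stack region with argv[2], that slot is attacker-chosen. The following hardened rewrite is an added example, not the original program and not the class's official answer. The header layout (one type byte, four size bytes, then data) is taken from the original parser; the names parse_class, print_str, print_char, print_line, the CLS_* return codes and HDR_LEN are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define HDR_LEN 5   /* 1 type byte + 4 size bytes, the layout initStruct() parses */

struct newClass {
    unsigned char type;             /* unsigned: a set high bit never reads as negative */
    uint32_t size;
    const char *data;
    int (*printer)(const char *);   /* one real prototype for every printer */
};

/* Return codes of parse_class() (names are this example's, not the original's). */
enum { CLS_OK = 0, CLS_SHORT = -1, CLS_BAD_TYPE = -2 };

/* Every printer shares one signature and none treats data as a format string. */
static int print_str(const char *s)  { return fputs(s, stdout) < 0 ? -1 : 0; }
static int print_char(const char *s) { return putchar((unsigned char)s[0]) == EOF ? -1 : 0; }
static int print_line(const char *s) { return puts(s) < 0 ? -1 : 0; }

/* Bounded copy that always leaves buf NUL-terminated; returns bytes copied. */
size_t painter(const char *input, char *buf, size_t buflen)
{
    size_t n = 0;
    while (n < buflen - 1 && input[n] != '\0')   /* stop at the limit or the terminator */
        n++;
    memcpy(buf, input, n);
    buf[n] = '\0';
    return n;
}

/* Fills an explicitly initialised struct from input[0..inlen).  Rejects any
 * type other than 1, 2 or 3, so printer can never be left pointing at
 * whatever painter() left on the stack. */
int parse_class(const char *input, size_t inlen, struct newClass *cls)
{
    memset(cls, 0, sizeof *cls);            /* nothing is ever left uninitialised */
    if (inlen < HDR_LEN)
        return CLS_SHORT;                   /* data would start past the input */

    cls->type = (unsigned char)input[0];
    memcpy(&cls->size, input + 1, sizeof cls->size);   /* no unaligned int deref */
    cls->data = input + HDR_LEN;

    /* The original parsed size but never validated it; clamp it to what is
     * actually present so a later consumer cannot read past the input. */
    size_t avail = inlen - HDR_LEN;
    if (cls->size > avail)
        cls->size = (uint32_t)avail;

    switch (cls->type) {
    case 1:  cls->printer = print_str;  break;   /* was printf(data) */
    case 2:  cls->printer = print_char; break;
    case 3:  cls->printer = print_line; break;
    default: return CLS_BAD_TYPE;                /* covers 0 and 0x80..0xff as well */
    }
    return CLS_OK;
}

/* Same role as the original initStruct(): parse, then dispatch. */
int initStruct(const char *input)
{
    struct newClass cls;
    int rc = parse_class(input, strlen(input), &cls);
    if (rc != CLS_OK)
        return rc;
    return cls.printer(cls.data);
}

int main(int argc, char **argv)
{
    char buf[4096];
    if (argc < 3) {   /* the original tested argc < 2 and then used argv[2] */
        fprintf(stderr, "usage: %s <type+size+data> <text>\n", argv[0]);
        return 1;
    }
    painter(argv[2], buf, sizeof buf);
    return initStruct(argv[1]) == CLS_OK ? 0 : 1;
}
```

parse_class takes an explicit length rather than calling strlen itself so that a caller (or a test) can feed it headers containing NUL bytes; from the shell, argv cannot carry NULs, so the four size bytes are always large and simply get clamped. The memset plus the default case is the actual fix for the bug in the last comment: there is no path on which printer keeps a stale stack value.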