Padocon
int __cdecl sub_80486A1() { void *v0; // ebx@1 unsigned int v1; // edx@4 void *v2; // edi@4 int v3; // edi@8 char v5; // [sp+1Ch] [bp-14h]@4 v0 = malloc(0xC8u); if ( !v0 ) { puts("malloc fail!!!"); fflush(stdout); exit(1); } printf("input: "); fflush(stdout); fgets((char *)v0, 200, stdin); strcpy(&v5, (const char *)v0); v2 = v0; v1 = 200; if ( (_BYTE)v0 & 1 ) { *(_BYTE *)v0 = 0; v2 = (char *)v0 + 1; LOBYTE(v1) = -57; } if ( (_BYTE)v2 & 2 ) { *(_WORD *)v2 = 0; v2 = (char *)v2 + 2;
[karma100@localhost ~]$ cat attackme.c
#include <unistd.h>
#include <stdio.h>
/* hi, guys! */
/* This is just warm up :) */
/* Challenge target (karma100): reads one line from stdin and echoes it back
 * through printf(). The user-controlled buffer is passed as the format string
 * itself -- that is the whole bug. */
int main( int argc, char *argv[] )
{
	char buf[1024];              /* lives on the stack, so printf() will read its "arguments" out of it */
	fgets( buf, 1024, stdin );   /* bounded read: at most 1023 bytes + NUL, trailing newline is kept */
	printf( buf );               /* BUG (intentional): uncontrolled format string. "%x"/"%p" leak the stack,
	                              * "%n" writes through attacker-chosen pointers taken from buf.
	                              * The fix would be printf("%s", buf) or fputs(buf, stdout). */
	return 0;
}
Karma100 runs on Fedora Core 14 with a non-executable, randomly placed stack and heap (NX + ASLR); ASLR is turned off for the libc area, so libc addresses are stable between runs.
It has a format string vulnerability: `buf` is handed straight to `printf()` as the format string. Because `buf` lives on the stack, `printf()` will consume the bytes we typed as its own arguments -- so the input we supply can carry the pointers that `%n` writes through.
int __cdecl sub_8048771(int a1, int a2) { void *v2; // edx@2 signed int v3; // ebx@2 int v4; // ebx@10 __int16 v5; // ax@13 signed __int16 v7; // [sp+1Ch] [bp-24h]@13 __int16 v8; // [sp+1Eh] [bp-22h]@13 in_addr_t v9; // [sp+20h] [bp-20h]@13 char v10; // [sp+24h] [bp-1Ch]@13 char v11; // [sp+2Ch] [bp-14h]@16 if ( a1 != 3 ) { printf("%s [your IP] [Port]\n", *(_DWORD *)a2); exit(1); } v2 = *(void **)environ; v3 = 4; if ( *(_DWORD *)environ ) { do { memset(v2, 0, strlen((const char *)v2) - 1);
#include <stdio.h>
#include <string.h>
/* Challenge target (goe100): copies argv[1] into a fixed 8-byte stack buffer
 * with no length check.
 * NOTE(review): sleep() is called without #include <unistd.h>, so it is an
 * implicit declaration here (accepted by old GCC defaults, an error in C99+). */
int main(int argc,char **argv)
{
	char buf[8];                    /* only 8 bytes on the stack */
	if(argc != 2) {
		printf("%s inputstring\n",argv[0]);
		return 0;
	}
	strcpy(buf,argv[1]);            /* BUG (intentional): unbounded copy -- anything past 8 bytes spills
	                                 * into the rest of the stack frame, up to and including the saved
	                                 * return address. strcpy() stops at the first NUL, so the payload can
	                                 * hold at most one NUL-containing value, placed at its very end. */
	memset(buf,0,sizeof(buf));      /* clears just the 8 bytes of buf, not the overflowed bytes above it */
	sleep(10);                      /* 10 s pause before main() returns through the corrupted address */
	return 0;
}
Goe100 runs on Fedora Core 14 (amd64). ASLR is turned off for the libc area, while the stack and heap are randomly placed and non-executable.
It is a plain stack buffer overflow: `strcpy()` copies `argv[1]` into an 8-byte `buf`. The restrictions are that libc addresses here are 40-bit values whose top three bytes are null -- `strcpy()` stops at the first NUL, so only one such address fits in the payload, and only at its very end -- and that the program sleeps for 10 seconds before the corrupted return address is used.