
I have this piece of code that I need to modify to demonstrate an integer overflow vulnerability. I have never done it before and need a head start.

#include <stdio.h>

int myprintf(char* argv){
    printf("%s\n", argv);
    return 0;
}

int myprintf2(char* argv){
    printf("hello world\n");
    return 0;
}

int main(int argc, char** argv){
    struct foodata{
        int (*fptr)(char*);   /* sits directly before buf in memory */
        int buf[4];
    } foo;
    foo.buf[0] = 0xdeadbeef;
    foo.fptr = myprintf;
    /* 0xffffffff acts as index -1 on a 32-bit build, so buf[-1] overlaps fptr
       and this out-of-bounds write replaces myprintf with myprintf2
       (undefined behaviour; relies on pointers being 4 bytes wide) */
    foo.buf[0xffffffff] = (int)myprintf2;
    foo.fptr(argv[1]);
    return 0;
}
Andrew Marshall
  • You mean buffer overflow? Integer overflow is not very dangerous. – John Dvorak Dec 08 '12 at 17:41
  • See this for reference: [Buffer Overflow Attack](http://stackoverflow.com/questions/7344226/buffer-overflow-attack) – Mysticial Dec 08 '12 at 17:43
  • @Jan Dvorak: I beg to differ :) See: http://www.ima.umn.edu/~arnold/disasters/ariane.html – dst2 Dec 08 '12 at 17:55
  • @dtidmarsh update: Integer overflow is not very dangerous unless you're controlling a multimillion device :-) – John Dvorak Dec 08 '12 at 18:07
  • @JanDvorak: Integer overflow was responsible for the "ping of death" back in the day. – Dietrich Epp Dec 08 '12 at 18:40
  • @JanDvorak - Integer overflows have been used to do privilege escalation exploits. – user93353 Dec 08 '12 at 18:41
  • You should explain more what you're asking for. It might be what zch wrote, but that's not clear from the question. – Per Johansson Dec 08 '12 at 19:06
  • In my assignment, the instructions said that we have to demonstrate integer overflow by changing some of the things in the above given code. I don't know what to change to generate the overflow. It's an introductory class and they gave us these questions about writing exploits to show different vulnerabilities of the C code. – Panchi Sharma Dec 09 '12 at 15:55

1 Answer

Ok. So your code, at least on some 32-bit platforms, does print hello world\n and not the argument from the user. We have changed the function pointer by manipulating the other array. Now we want to use it for a malicious purpose.

First thing: we replace myprintf2 with something dangerous when called without some checking, like:

int authorized = 0;   /* global flag the program consults before doing privileged work */

void set_authorized(void) {
    authorized = 1;
}

Now we need to get some input from the user. For example, we will read four numbers and use their sum as an index into buf when the input seems valid.

int a, b, c, d;
do {
    scanf("%d%d%d%d", &a, &b, &c, &d);   /* return value deliberately unchecked; buf is foo.buf from the question */
} while (a < 0 || b < 0 || c < 0 || a + b + c > 4);   /* the sum is formed before it is compared */
buf[a+b+c] = d;

Looks like we could never write outside the array, right? No, the attacker can use the data:

a = INT_MAX;
b = 1;
c = INT_MAX;
d = (int)set_authorized;

INT_MAX + 1 + INT_MAX = INT_MIN + INT_MAX = -1 (0xffffffff). So we basically have behavior like in your example, but this time it grants an unprivileged user some rights.

Note: To have this example working on a 64-bit platform, replace int buf[4]; with long buf[4]; and 0xffffffff with 0xffffffffffffffff.

zch