
Hi guys, I need some help with this code. I want to know if there is any buffer overflow in this code. Basically this is an exercise for my university; we need to exploit it to open a shell. Until now we have studied buffer overflows and format strings on Linux Debian 32-bit. We usually solve the exercises by setting the value of randomize_va_space to 0 and by putting this shellcode

/* classic 32-bit Linux execve("/bin/sh") shellcode (jmp/call to locate the string) */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

as an environment variable and sending it to the vulnerable program to exploit it. So I guess there is no need to use the format strings here, but I don't know how I can use the shellcode or any other technique to open a shell. Thank you very much :)

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char *argv[])
{
  char filename[256];
  char useless[35];
  long max;           /* holds sizeof(filename) */
  short len;          /* receives the size_t result of strlen() */
  FILE *f = NULL;

  if (argv[1] == NULL) goto error;

  max = sizeof(filename);
  len = strlen(argv[1]);

  if (argv[2] == NULL) goto error;

  if (len > max) goto error;      /* length check: note the comparison is >, not >= */

  strcpy(filename, argv[1]);      /* unbounded copy; relies entirely on the check above */
  if (access(filename, W_OK)) goto error;

  if (strncmp(filename, "/tmp/", strlen("/tmp/")) != 0) goto error;

  if ((f = fopen(filename, "a")) == NULL) goto error;
  fwrite(argv[2], strlen(argv[2]), 1, f);
  fclose(f);
  return 0;

 error:
 return -1;
}
poli mi
  • (1) This also appears to be a duplicate of your question http://stackoverflow.com/questions/23503461/stack-smashing-buffer-overflow-detection from yesterday. (2) Possibly you pasted the wrong code here - your text talks about environment variables but the code never touches any. – nobody May 07 '14 at 16:48
  • I think his reference to environment variables is talking about a different way to trigger the exploit that they've discussed in class, not _this_ example. – Barmar May 07 '14 at 16:50
  • Exactly, @Barmar: we usually put the shellcode in an environment variable and send this variable to the vulnerable program. I don't know if this time I have to use an environment variable or not. Andrew, yes, it is a duplicate of my question, but I am sorry, I am new to Stack Overflow and my post was put on hold. Since I didn't know what to do, I posted it again. Thank you for your help, guys :) – poli mi May 07 '14 at 16:57
  • Where the shellcode comes from is totally irrelevant. What matters is where you copy it to, and whether you do proper bounds checking when you copy it. – Barmar May 07 '14 at 17:00
  • See this help page for what to do when your question is put on hold: http://stackoverflow.com/help/closed-questions – Barmar May 07 '14 at 17:01
  • In my case I can only go out of bounds by 1 byte in the line if (len > max-1) goto error; how can I put the shellcode in one character? I have been looking for this kind of solution: sending as argv[1] a string like example'\0'outofbounder so that the outofbounder string cannot be copied into the filename. Is it possible? – poli mi May 07 '14 at 17:02

1 Answer


You need to do:

if (len > max-1) goto error;

You need to subtract a byte to allow for the trailing null byte in the string.

This is an example of a fencepost error. Probably many buffer overflow errors are of this type.

Barmar
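The following is an added example, not part of the question or of Barmar's answer. It isolates the length check from the posted program into small functions so the fencepost the answer points at can be observed without actually smashing a stack buffer: a 256-byte argument satisfies `len > max` because 256 is not greater than 256, yet `strcpy()` then writes 257 bytes into a 256-byte `filename`. It also shows a second consequence of the posted declarations, namely that `len` is a `short` while `strlen()` returns `size_t`, so a 32768- or 65536-byte argument wraps to a small or negative value and sails through the same check. `FILENAME_SIZE`, `make_input()` and the `*_check_accepts()` helpers are names chosen for this example; the inputs are constructed strings of `'A'` bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILENAME_SIZE 256   /* sizeof(filename) in the posted program */

/* Build a heap string of n 'A' bytes (constructed test input). Caller frees. */
char *make_input(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Mirrors the posted check exactly: 'short len', 'long max', 'len > max'.
 * Returns 1 if the program would go on to strcpy(), 0 if it takes the
 * error path. The cast reproduces the implicit narrowing in the posted
 * 'len = strlen(argv[1])'; on GCC/x86 an out-of-range value wraps modulo 2^16. */
int posted_check_accepts(const char *arg)
{
    long max = FILENAME_SIZE;
    short len = (short)strlen(arg);
    return !(len > max);
}

/* Number of bytes strcpy() writes for this input: the string plus its NUL. */
size_t bytes_strcpy_writes(const char *arg)
{
    return strlen(arg) + 1;
}

/* Hardened check: compare the full size_t length against the buffer size,
 * rejecting anything that does not fit together with its terminator. */
int fixed_check_accepts(const char *arg)
{
    return strlen(arg) < FILENAME_SIZE;
}

/* Copy into a FILENAME_SIZE buffer only when the hardened check passes.
 * Returns 1 on copy, 0 when the input is rejected and dst is left untouched. */
int copy_filename(char dst[FILENAME_SIZE], const char *arg)
{
    if (!fixed_check_accepts(arg)) return 0;
    memcpy(dst, arg, strlen(arg) + 1);
    return 1;
}

int main(void)
{
    size_t lens[] = { 255, 256, 32768, 65536 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        char *in = make_input(lens[i]);
        if (in == NULL) return 1;
        printf("len=%-6zu posted check: %s  fixed check: %s  strcpy would write %zu bytes\n",
               lens[i],
               posted_check_accepts(in) ? "accepts" : "rejects",
               fixed_check_accepts(in) ? "accepts" : "rejects",
               bytes_strcpy_writes(in));
        free(in);
    }
    return 0;
}
```

The hardened check keeps the length in `size_t` and uses `>=` against the real buffer size, which closes both the one-byte fencepost and the narrowing; the same effect is obtained with `strlen(argv[1]) >= sizeof filename` in the original `main()`.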