Aaron Bloomfield (aaron@virginia.edu)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    int ch = 0, i = 0;
    FILE *f = NULL;
    /* buffer[] and szFileName are adjacent static variables: bytes written
       past the end of buffer[] land on the szFileName pointer */
    static char buffer[16], *szFileName = "C:\\harmless.txt";

    ch = getchar();
    while (ch != EOF) { /* no bound on i: user input can overflow buffer[] */
        buffer[i++] = ch;
        ch = getchar();
    }

    f = fopen(szFileName, "w+b"); /* szFileName might have been modified! */
    if (f == NULL)
        return 1;
    fputs(buffer, f);
    fclose(f);
    return 0;
}
If buffer[] is overflowed with keyboard input, the extra bytes overwrite szFileName, since it sits right after buffer[] in memory.

The attacker can therefore make szFileName point anywhere he wants, for example at argv[1]; this means he can pass in a file name on the command line!

He passes C:\autoexec.bat or some other protected system file name on the command line; if this program is a system utility that runs with admin privileges, the system file can be overwritten.

In the same way, buffer[] could receive malicious code, plus a bogus stack frame, from the keyboard, entered as hex strings.
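The overwrite described above, as an added example that is not part of the original slides: a constructed struct reproduces the slide's layout (a 16-byte buffer followed by the file-name pointer), an unbounded reader like the slide's loop is run on attacker input, and a bounded reader is shown beside it. The struct, function names and the input bytes are assumptions made for the demonstration; the unbounded reader stops at the end of the struct only so that the demo does not crash, whereas the slide's loop has no stop at all.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout mirroring the slide's static variables: a 16-byte
 * buffer immediately followed by the file-name pointer, so bytes written
 * past buffer[15] land on szFileName. */
struct file_writer {
    char buffer[16];
    const char *szFileName;
};

/* Vulnerable reader, as on the slide: copies until the input ends with no
 * bound. Only for the demo it stops at sizeof(struct file_writer); the real
 * loop keeps writing past the variables into whatever follows. */
void read_unbounded(struct file_writer *w, const unsigned char *in, size_t n)
{
    unsigned char *raw = (unsigned char *)w;   /* view the whole object as bytes */
    size_t i = 0;
    while (i < n && i < sizeof *w) {
        raw[i] = in[i];                          /* i >= 16 overwrites szFileName */
        i++;
    }
}

/* Fixed reader: never writes beyond buffer[] and always NUL-terminates.
 * Returns 1 if the input had to be truncated, 0 otherwise. */
int read_bounded(struct file_writer *w, const unsigned char *in, size_t n)
{
    size_t limit = sizeof w->buffer - 1;
    size_t i = 0;
    while (i < n && i < limit) {
        w->buffer[i] = (char)in[i];
        i++;
    }
    w->buffer[i] = '\0';
    return n > limit;
}

/* 1 if szFileName still points at the original string, 0 if it was replaced. */
int filename_intact(const struct file_writer *w, const char *original)
{
    return w->szFileName == original;
}

int main(void)
{
    static const char *harmless = "C:\\harmless.txt";
    /* Constructed attacker input: 16 filler bytes, then the bytes that
     * become the new pointer value. */
    unsigned char evil[sizeof(struct file_writer)];
    memset(evil, 'A', sizeof evil);

    struct file_writer w = { "", harmless };
    read_unbounded(&w, evil, sizeof evil);
    printf("unbounded read: pointer intact = %d\n", filename_intact(&w, harmless));

    struct file_writer v = { "", harmless };
    int truncated = read_bounded(&v, evil, sizeof evil);
    printf("bounded read: pointer intact = %d, truncated = %d\n",
           filename_intact(&v, harmless), truncated);
    return 0;
}
```

The program never dereferences the corrupted pointer; it only shows that the pointer bytes are now whatever the attacker typed, which is exactly what lets the slide's fopen() open a file of the attacker's choosing.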
Format string attacks target the printf() family of functions (printf(), fprintf(), wprintf(), sprintf(), etc.). The vulnerability arises when the format string (the first argument to printf()) is not a fixed string but comes from the user:

void vuln(char buffer[256]) {
    printf(buffer); /* Bad: user data is the format string; good would be: printf("%s", buffer) */
}

int main(int argc, char *argv[]) {
    char buffer[256] = "";           /* allocate buffer */
    if (2 == argc)                   /* copy command line argument into it */
        strncpy(buffer, argv[1], 255);
    vuln(buffer);
    return 0;
}
The program is compiled as vuln-32bit.exe and vuln-64bit.exe.

What happens if the user passes %x on the command line? printf() will receive a pointer to a string with "%x" in it as its format argument. printf() will see the %x and assume there is another parameter above it on the stack, so it reads and prints whatever happens to be there.

The stack at the moment printf() starts is shown in the next diagram (after the call to printf(), but before the prologue code in printf() runs). Working up from the top it holds: the return address from printf() to vuln(); vuln()'s frame; the return address from vuln() to main(); and main()'s frame, including buffer[] itself.

If the user passes %x%x%x%x%x%x%x%x, it will print eight successive values from the stack, leaking whatever is stored there.

For the 64-bit build, use %lx instead of %x, so that each conversion consumes a full 8-byte stack slot; note also that on 64-bit the first few variadic arguments are taken from registers before printf() reaches the stack.
The attacker can also use printf() to write to memory via %n: the %n conversion stores the number of bytes written so far into the int that its argument points to, e.g. printf("hello%n", &nBytesWritten) stores 5 in nBytesWritten. Use %hn to store a short, or %ln to store a long.

To make the stored count a value of the attacker's choosing, a huge field width or precision pads the output before the %n, e.g. %.4196006u, which prints 4,196,006 characters (4196006 is 0x4006a6 in hex, the size of a code address in a non-PIE 64-bit program).
Consider the exploitable.c (html) code:

#include <stdio.h>
#include <stdlib.h>

int exploited() {
    printf("Got here!\n");
    exit(0);
}

int main(void) {
    char buffer[100];
    while (fgets(buffer, sizeof buffer, stdin)) {
        printf(buffer); /* user input used as the format string */
    }
    return 0;
}

Nothing in the program ever calls exploited(), but with a suitable format string written via %n the attacker can arrange for exploited() to be called; we won't see the full exploit here.
Heap overflows: the memory allocator (malloc()) allocates a small control block, with pointer and size fields, just before the memory that is allocated. A buffer overrun on the heap therefore corrupts the control block of the next allocation.

A canary, as in the "canary in a coal mine", is a known value placed just past the buffer; if buffer[] overflows, it tramples on the canary, and the corruption is detected before the trampled data (a return address or a heap control block) is used.

Example: a key_arg[] buffer in the SSL code used by Apache that was just big enough to hold a valid 8-byte key. A longer key overruns it and corrupts the adjacent control block, whose pointer and size fields are later used by the free() function. Exploiting this requires tuning, because the behaviour of free() differs among Apache revisions and among the different Linux revisions for which Apache was compiled.
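The control block and canary idea above, as an added example that is not from the original slides or from any real allocator: a toy heap in a single static arena places a size/pointer control block before each allocation and a canary after it, an 8-byte key_arg[] buffer is overrun by a 24-byte key, and the free routine detects the trampled canary and the clobbered size field of the next chunk. The arena layout, the CANARY constant, the function names and the 24-byte input are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap modelling the slide's description: each allocation is preceded by a
 * small control block (size and a free-list pointer) and followed by a canary.
 * The arena is one static array, so the overrun stays inside a single object. */
#define ARENA_SIZE 512
#define CANARY     0xDEADBEEFu
#define ALIGN8(x)  (((x) + 7u) & ~(size_t)7u)

struct control_block {
    size_t size;                   /* bytes the caller asked for */
    struct control_block *next;    /* free-list link, unused until freed */
};

static unsigned char arena[ARENA_SIZE];
static size_t arena_used = 0;

void heap_reset(void) { arena_used = 0; }

/* Bump allocator: [control block][size bytes of data][canary], 8-byte aligned. */
void *heap_alloc(size_t size)
{
    size_t total = ALIGN8(sizeof(struct control_block) + size + sizeof(uint32_t));
    if (arena_used + total > ARENA_SIZE)
        return NULL;
    unsigned char *base = arena + arena_used;
    struct control_block cb = { size, NULL };
    uint32_t canary = CANARY;
    memcpy(base, &cb, sizeof cb);                              /* control block */
    memcpy(base + sizeof cb + size, &canary, sizeof canary);   /* canary after the data */
    arena_used += total;
    return base + sizeof cb;
}

/* Validation step of free(): returns 1 if the control block is sane and the
 * canary is intact, 0 if user data overran them. Memory is not reused in this
 * toy, so the check can be repeated. */
int heap_free(void *p)
{
    unsigned char *data = p;
    struct control_block cb;
    uint32_t canary;
    memcpy(&cb, data - sizeof cb, sizeof cb);
    if (cb.size > ARENA_SIZE)          /* the size field itself was overwritten */
        return 0;
    memcpy(&canary, data + cb.size, sizeof canary);
    return canary == CANARY;
}

/* Unchecked copy into an 8-byte key buffer, as in the slide's example. */
void set_key_arg_unchecked(unsigned char *key_arg, const unsigned char *in, size_t len)
{
    memcpy(key_arg, in, len);
}

/* Checked version: refuses anything longer than the 8 bytes that were allocated. */
int set_key_arg_checked(unsigned char *key_arg, const unsigned char *in, size_t len)
{
    if (len > 8)
        return -1;
    memcpy(key_arg, in, len);
    return 0;
}

int main(void)
{
    unsigned char *key_arg = heap_alloc(8);
    unsigned char *session = heap_alloc(16);
    unsigned char evil[24];
    memset(evil, 'A', sizeof evil);                 /* constructed oversized "key" */
    set_key_arg_unchecked(key_arg, evil, sizeof evil);
    printf("key_arg canary intact: %d, next control block sane: %d\n",
           heap_free(key_arg), heap_free(session));
    return 0;
}
```

With an 8-byte key_arg[] the canary sits 8 bytes after the data and the next control block 16 bytes after it, so the 24-byte key tramples both; a real free() without such a check would unlink using the attacker's bytes as pointer and size.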