
Hoping someone can help me understand a vulnerability I'm studying in college.

In the C code there is an unbounded strcat:

strcat(buffer, argv[1]);

The aim is to overflow this buffer into the saved EIP and have it display the "magic" string, which is printed in the function below.

if (geteuid() == 0) {

     printf("%s\n", magic);

} else {

     printf("Forget it. You do not have access to the magic string.\n");
     return (-1);
}

The difference from the buffer to the saved EIP is 52 bytes, and my idea was to overflow the buffer with the address of the printf call that displays the magic string, but I cannot get this to work; I keep getting segfaults at memory addresses different from what I am inputting.

Any help greatly appreciated.

EDIT: Complete code below

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum { SIZE = 40 };

/* The magic string */
char *magic = "This is the magic string";

int
main(int argc, char *argv[])
{
  char buffer[SIZE];

  if (argc != 2) {
    printf("Usage: %s name\n", argv[0]);
    return (-1);
  }

  snprintf(buffer, sizeof (buffer), "%s", "Hello ");

  strcat(buffer, argv[1]);

  printf("%s\n", buffer);

  if (geteuid() == 0) {

    printf("%s\n", magic);

  } else {

    printf("Access Denied \n");
    return (-1);

  }

  return (0);
}
  • This is meaningless to discuss without a specific system in mind. We also need a [mcve] to reproduce the bug. And finally, why do you think your specific system stores the string at the 52-byte offset address? – Lundin Dec 04 '18 at 12:28
  • Apologies @Lundin, new to Stack Overflow :/ It's a 32-bit Linux system; adding the complete code to the question now. In GDB I took the address of the saved EIP register and the address of buffer and, using p/d x-y, it came to 52. – CShocks Dec 04 '18 at 12:47
  • The biggest problem is in the title. There is no BSS. – Antti Haapala -- Слава Україні Dec 04 '18 at 12:55
  • OK, turns out I'm more lost than I thought. Can anyone point me in the right direction of how I could get to the magic string here? – CShocks Dec 04 '18 at 14:07
  • Overall, studying artificial "exploits" like this is quite useless practice. In real-world hacking, you won't have the source code or memory map of the executable. – Lundin Dec 04 '18 at 14:40

1 Answer

For an explanation of the different terms, with an example, see this.

Looking at your code:

  • magic is stored in .data. It points to a string literal stored in .rodata/.text or similar.
  • buffer is stored in .stack.
  • The result of geteuid() is stored in some temporary location, CPU register or stack.

So none of this makes any sense. Most notably, there is no .bss allocation anywhere in the program, except maybe by some internals inside library functions. I suppose someone had a muddled idea about assuming that the program could somehow overwrite the result of geteuid() with the null terminator appended by strcat()... but that doesn't make any sense either.

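A bounds-checked version of the greeting code from the question, added here as an example (it is not from the original post or the answer): the same 40-byte buffer and "Hello " prefix, with the unchecked strcat() replaced by a single snprintf() whose return value tells us whether the name fit. The names max_name_len and greet_safe are made up for this example.

```c
#include <stdio.h>
#include <string.h>

enum { SIZE = 40 };                 /* same buffer size as the program in the question */
static const char PREFIX[] = "Hello ";

/* Longest name that still fits after the prefix with room for the NUL.
 * sizeof PREFIX counts the terminator, so with SIZE == 40 this is 40 - 7 = 33.
 * Any longer argv[1] makes the original strcat() write past the end of buffer. */
size_t max_name_len(void)
{
    return SIZE - sizeof PREFIX;
}

/* Bounded replacement for snprintf(buffer, ..., "Hello ") + strcat(buffer, argv[1]).
 * Writes the greeting into out (capacity outsz) and returns 0, or returns -1 and
 * leaves out empty when the name does not fit. Silent truncation (e.g. strncat)
 * is avoided on purpose so the caller can reject oversized input explicitly. */
int greet_safe(char *out, size_t outsz, const char *name)
{
    /* snprintf returns the length the full string would need, even the part
     * it could not store, so the comparison below is exact. */
    int needed = snprintf(out, outsz, "%s%s", PREFIX, name);
    if (needed < 0 || (size_t)needed >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[SIZE];

    if (argc != 2) {
        fprintf(stderr, "Usage: %s name\n", argv[0]);
        return 1;
    }
    if (greet_safe(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "name too long (max %zu characters)\n", max_name_len());
        return 1;
    }
    puts(buffer);
    return 0;
}
```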