[Gera’s insecure programming] abo4.c

Pretty easy but still interesting. You have a buffer overflow vulnerability, but you don’t have control over the instruction pointer via overwriting the return address of the current caller. In fact, you while(1); before returning and using the stored instruction pointer.

The layout of the current stack frame is basically a buffer and a pointer pbuf. What you can do is overwriting the value of pbuf such to make it point to fn; the using the first strcpy to overwrite the value of fn such to make it a pointer to &system — instead of to &puts. The just pass /bin/sh as argv[3] making a call to system("/bin/sh").

# sysctl kernel.randomize_va_space=0
% gcc -w -m32 -g -O0 main.c -o main
% ./main $(python3 argv.py)
sh-4.4$
sh-4.4$

Exercises for the reader!!,

  1. I think it’s possible to exploit this simple binary even with ASLR enabled, making it leaking something…
  2. Since we control compilation — and we can make the stack executable, we could try injecting a shellcode inside the buffer and just make fn point to it.