abo2.c

Tags:

I’ve tried to solve advanced buffer overflow #2 posted at http://community.corest.com/~gera/InsecureProgramming/abo2.html, spending about three days but to fail.

The target program to be exploited is as follows:
/* abo2.c                                       *
 * specially crafted to feed your brain by gera */

/* This is a tricky example to make you think   *
 * and give you some help on the next one       */

int main(int argv,char **argc{
        char buf[256];

        strcpy(buf,argc[1]);
        exit(1);
}

Any hack that tries to overflow buf[256] simply fails because of exit(1). Suppose that you succeeded in overwriting RET of main, then the exit(1) just finishes the program. The function, exit, does not even return; it’s over if exit is called.

Overwriting .got is impossible because buf would be located at 0xbff.. but the .got would exist around 0x08… Overwritng .dtors fails because of the same reasons.

See http://www.phrack.org/phrack/58/p58-0x0b for further explanation.

[quote]
Many people say that “its exploitation is not possible”. I go further saying “its exploitation is not possible in x86 architectures”, but in others like PA-RISC it can be exploitable.
[/quote]

The reason why the code mentioned above is exploitable in HP-UNIX lies in the way of growing a stack. In x86, stack grows from the higher address to the lower address space. In PA-RISC, stack grows to the opposite direction, making exploiting possible.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *