So I had an assignment requiring me to 'break' a piece of vulnerable code. Snippet:

#include <stdio.h>

void SmashHeap(int argc, char **argv);   /* body not shown in the assignment */
void PrintfVulnerability(char *F);

int main(int argc, char **argv)
{

/*...*/

  while(i < argc-1)
  {
    switch(argv[i][0]-48)   /* 48 == '0': the first digit of the argument selects the case */
    {
      case 1:
        SmashHeap(argc,argv);
        break;
/*...*/
      case 8:
        PrintfVulnerability(argv[++i]);   /* the next argument becomes the format string */
        break;
      default:
        printf("%s is not recognized by this program",argv[i++]);
/*...*/
    }
    i++;
  }
  return (1);
}

void PrintfVulnerability(char *F)
{
  printf(F);   /* user-controlled format string: the bug the assignment asks you to break */
}

In the end, I found it was so amazingly simple that I'm afraid I might get a poor grade... My solution:

  • Copy an executable into the home directory... I used freecell.exe
  • $ ./VulnerableCode 8 `freecell.exe`

Poof!! I'm playing freecell. Why did this work???

+3  A: 

EDIT: Ah, I see your edit. Unfortunately those backticks explain a lot: in bash (cygwin's default shell), backticks instruct the shell to execute the string as a shell command. So all your command is doing is telling the shell to run freecell. Just pass freecell.exe unquoted and that will actually pass the string to the program.

Though, you should take a look at the link I posted in the below paragraph, as it might give you an idea of an exploit you can run on case 8.

Old Answer: I'll have to leave a more in-depth answer to someone who has better knowledge of the Windows architecture, as I don't see how your command line could possibly cause freecell.exe to be launched (btw, does "freecell.exe" also get printed to the console?). However, at a high level case 8 is vulnerable to format string attacks, which take advantage of the fact that printf assumes its first argument is a format string, which dictates whether or not it has arguments and the type of those arguments. This can be used in a variety of exploits depending on the buffer you pass it. Again, I don't see how it would lead to the launching of a process in your case.

Falaina
Edited formatting on the command line; please see the above comment.
rusl
Right, so you still have some work to do regarding this. If you can't come up with a way to exploit this, consider posting the other potential exploits in the program and maybe someone on SO can help nudge you in the right direction.
Falaina
Well, nutbunnies. Back to the drawing board. Thanks for the help!
rusl
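An added example (not code from the question or from any of the answers) that puts the two points of this answer side by side: the assignment's PrintfVulnerability next to a hardened form, plus a small scanner that counts how many conversion directives an attacker-supplied string would make printf act on. The main() also dumps argv, so running it as ./a.out 8 `echo hi` shows that the program receives "hi", not the backticked text. The names PrintfSafe, safe_render and count_format_directives are my own; the inputs in the comments are constructed.

```c
#include <stdio.h>
#include <string.h>

/* The assignment's bug, reproduced: the user's argument *is* the format
 * string, so every % directive in it is interpreted by printf. */
void PrintfVulnerability(char *F)
{
  printf(F);
  putchar('\n');
}

/* Hardened form: the format is a compile-time constant and the user's
 * data is an argument, so "%x" is printed literally. */
void PrintfSafe(const char *s)
{
  printf("%s\n", s);
}

/* Same rendering as PrintfSafe, but into the caller's buffer so the
 * result can be inspected. Returns buf. */
char *safe_render(char *buf, size_t n, const char *s)
{
  snprintf(buf, n, "%s", s);
  return buf;
}

/* Count the conversion directives printf(s) would act on: each one reads
 * another (missing) argument off the stack, which is how "%x %x %x" leaks
 * memory. "%%" is a literal percent sign and is not counted. Returns -1 if
 * the string contains "%n", which makes printf *write* to memory and is
 * the primitive real format-string exploits are built on. */
int count_format_directives(const char *s)
{
  int n = 0;
  while (*s) {
    if (*s++ != '%') continue;
    if (*s == '%') { s++; continue; }        /* escaped percent */
    /* skip flags, field width, precision and length modifiers */
    while (*s && strchr("-+ #0123456789.*hlLqjzt", *s)) s++;
    if (*s == '\0') break;                   /* lone trailing '%' */
    if (*s == 'n') return -1;
    n++;
    s++;
  }
  return n;
}

int main(int argc, char **argv)
{
  char buf[256];
  int i, d;

  /* What the shell actually delivered. With `cmd` on the command line this
   * is cmd's stdout, not the backticked text itself. */
  for (i = 0; i < argc; i++)
    printf("argv[%d] = \"%s\"\n", i, argv[i]);
  if (argc < 2) return 0;

  d = count_format_directives(argv[1]);
  printf("safe render:  %s\n", safe_render(buf, sizeof buf, argv[1]));
  printf("directives:   %d\n", d);
  if (d < 0) {
    puts("contains %n: refusing to run the vulnerable path");
    return 1;
  }
  printf("vulnerable:   ");
  PrintfVulnerability(argv[1]);   /* try argv[1] = '%x %x %x' (quoted) */
  return 0;
}
```

Run with a quoted payload such as '%08x.%08x.%08x' to see the safe path echo it back verbatim while the vulnerable path prints whatever happened to be in the argument slots; run with `echo hi` unquoted to see the argv dump contain "hi" and no directives at all, which is why the backtick "exploit" never touched case 8.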
A: 

Are you using cygwin or any other bash variant?

I ask because the $ at the start of the command looks like bash, and the command:

./VulnerableCode 8 `freecell.exe`

looks like bash syntax with the backticks.

If so, it's easy to explain: bash executes the command between the backticks as a separate command, and puts the resultant stdout text into the command to be passed to the VulnerableCode command.

Your code never sees the text "freecell.exe", just its output. So, it's not a vulnerability in the code you were given, just a way of stringing together commands in bash.

pxb
Oops, didn't see James's comment before sending mine. Sorry for the dupe.
pxb
A: 

In Unix/Linux environments the backticks are used to run the command within the backticks and provide that command's output to the preceding command. So, ls `echo .` will ls the current directory.

Your command, in cygwin, thus ran freecell.exe and was waiting for freecell to finish to supply the output of freecell to VulnerableCode.

james