tags:

views:

217

answers:

3
Q: 

printf executing .exe files in cygwin

so i had an assignment requiring me to 'break' a piece of vulnerable code. snippet:

int main(int argc, char **argv)
{

/*...*/

  while(i < argc-1)
  {
    switch(argv[i][0]-48)
    {
      case 1:
      SmashHeap(argc,argv);
    break;
/*...*/
      case 8:
      PrintfVulnerability(argv[++i]);
    break;
    default:
      printf("%s is not recognized by this program",argv[i++]);
/*...*/
    }
  i++;
  }
  return (1);
}

void PrintfVulnerability(char *F)
{
  printf(F);
}

in the end, i found it was so amazingly simple that im afraid i might get a poor grade... my solution:

  • copypasta an executable into the home directory... i used freecell.exe
  • $ ./VulnerableCode 8 [backtick]freecell.exe[backtick]

poof!! im playing freecell. why did this work???

+3  A: 

EDIT: Ah, I see your edit. Unfortunately those backticks explain a lot, in bash (cygwin's default shell) backticks is instructing the shell to execute the string as a shell command. So all your command is doing is telling the shell to run freecell. just pass freecell.exe unquoted and that will actually be passing the string to the program.

Though, you should take a look at the link I posted in the below paragraph, as it might give you an idea of an exploit you can run on case 8.

Old Answer: I'll have to leave a more in depth answer to someone who has better knowledge about the windows architecture, as I don't see how your command line could possibly cause freecell.exe to be launched (btw, does "freecell.exe" also get printed to the console?). However, at a high level case 8 is vulnerable to Format string attacks, which can take advantage of the fact that print assumes that the first argument is a format string, which dictates {whether or not it has arguments, the type of the arguments}. This can be used in a variety of exploits depending on the buffer you pass it. Again, I don't see how it would lead to the launching of a process in your case.

Falaina  2009-09-28 13:18:20
edited formatting on the command line, please see above comment
rusl  2009-09-28 13:30:10
Right, so you still have some work to do regarding this. If you can't come up with a way to exploit this, consider posting the other potential exploits in the program and maybe someone on SO can help nudge you int the right direction.
Falaina  2009-09-28 13:42:48
welll nutbunnies. back to the drawing board. thanks for the help!
rusl  2009-09-28 14:02:20
A: 

Are you using cygwin or any other bash variant?

I ask because the $ at the start of the command looks like bash, and the command:

./VulnerableCode 8 [backtick]freecell.exe[backtick]

looks like bash syntax with the backticks.

If so, it's easy to explain: bash executes the command between the backticks as a separate command, and puts the resultant stdout text into the command to be passed to the VulnerableCode command.

Your code never sees the text "freecell.exe" just its output. So, it's not a vulnerability in the code you were given, just an way of stringing together commands in bash.

pxb  2009-09-28 13:40:45
oops, didn't see James's comment before sending mine. Sorry for the dupe.
pxb  2009-09-28 14:34:27
A: 

In Unix/Linux environments the backticks are used to run the command within the backticks and provide that command's output to the preceding command. So, ls [backtick]echo .[backtick] will ls the current directory.

Your command, in cygwin, thus ran freecell.exe and was waiting for freecell to finish to supply the output of freecell to VulnerableCode.

james  2009-09-28 13:41:46

related questions

What are some advanced and modern resources on exploit writing?
Can anyone de-obfuscate this exploit?
Are there security issues when dynamically loading external content into a page using jQuery?
Protect IE6 from exploits when testing?
Heap Spray Internet Explorer 8
How would I go about prevent DLL injection.
Would a C#/.Net web browser be susceptible to exploits?
Risk of exploits "backwards" into outbound tcp connections.
Hacking and exploiting - How do you deal with any security holes you find?
I don't understand this Code
How long should it take an average coder to understand a buffer overflow?
How are buffer overflows used to exploit computers?
To what does "zero day" refer?
Help me understand this JavaScript exploit
how do widgets like "http://sharethis.com/" make what seem to be XSS calls
What is this Base64 Look-alike?
Stack Overflow Exploit in C
Using a Single system() Call to Execute Multiple Commands in C
Sanitizing MySQL user parameters.
possible javascript exploits from exposed link?
Can you find the web security issue here?
What's the best way to detect web applications attacks ?
Executing JavaScript from Flex: Is this javascript function dangerous?
Decode email address from Gravatar hash?