./executeme $(python -c 'print "<shell code here>"')
No shell code.
$(python -c 'print "<shell code here>"') | ./executeme
That gets me a shell, but I can't interact with it without getting a segmentation fault. So then I tried this:
$(python -c 'print "<shell code here>"') & cat flag.txt | ./executeme
I'm getting a command not found error.
So I go on to start reading OBO. I can go back to Execute Me anytime. Here is the interesting part of the program for OBO:
int hex_table[256];
void generate_hex_table(void) {
int i;
for (i = 0; i <= 256; ++i) {
hex_table[i] = -1;
}
for (i = 0; i <= 10; ++i) {
hex_table['0' + i] = i;
}
for (i = 0; i <= 6; ++i) {
hex_table['a' + i] = 10 + i;
}
for (i = 0; i <= 6; ++i) {
hex_table['A' + i] = 10 + i;
}
// I don't know why, but I was getting errors, and this fixes it.
hex_table[0] = 0;
}
int read_password(FILE *file, char *password, size_t n) {
fgets(password, n, file);
password[strcspn(password, "\n")] = '\0';
I think that OBO stands for Off By One. As in Off By One error in C programming. I was looking at the first for loop and noticed that he started variable "i" as 0. Then he iterates it to 256. If "i" started at one, that would be fine, but it doesn't. So, he iterated through the first for loop one too many times. Then I noticed the null byte (\0) which was tacked on the phrase "password[strcspn(password, "\n")] = '\0';" If I'm not mistaken, it overwrites the lowest memory byte. So I was wondering what was useful about that. I looked at Google, and found an article about a poison null byte. I also found a SANS white paper describing how to exploit an off by one error. I haven't tried yet, but from what I understand, one way to exploit it is, you control the address, so you can have the pointer point at a buffer, put shell code into the buffer, and you get shell.
It's kind of scary how much difference one byte can make.
https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481
http://insecure.org/news/P55-07.txt
No comments:
Post a Comment