Need Help Overflowing C++ App

Post by Israel on Tue Jun 23, 2009 1:12 am

Was scanning through the source code of this C++ application. Before I did any testing on it I noticed this:
Code:
    char str[20];
    sprintf(str, "%d\n", getpid());
    write(fd, str, strlen(str)); /* record pid to lockfile */

    // leave file open, so nobody else can lock it
    return true;


I'm not as familiar with C++ as I am C, but I looked up sprintf and saw it was exactly like printf but it writes its results to a string instead of stdout. Plus it doesn't look like any kind of bounds are set on protecting anyone from feeding "char str[20];" with more than it could hold. Did some nice experimenting with `perl -e 'print "A" x 21'` and got an error box from the application saying this is either a corrupted file or not a valid file type. Tried many, many different sequences in that little perl string but never got a segmentation fault. (Possibly because this app is in C++, not C?) But I fired it up inside gdb (Linux debugger) and when I used the list command it pointed exactly to the line with sprintf I have listed in the code above. I can even set a breakpoint on it but it doesn't seem to matter. I can't seem to get eip?
Code:
Breakpoint 1 at 0x80621e7: file /tmp/build/xxx/main.cpp, line 61.
(gdb) run `perl -e 'print "A" x 600'`
Starting program: /usr/bin/xxx `perl -e 'print "A" x 600'`
[Thread debugging using libthread_db enabled]
[New Thread 0xb5e6b6c0 (LWP 21085)]

Program exited normally.
(gdb) info reg eip
The program has no registers now.
(gdb)   


What can I do to find eip? Or am I just chasing my tail? (Not exploitable?)
Israel
Experienced User
Posts: 74
Joined: Thu Sep 18, 2008 9:53 pm


Re: Need Help Overflowing C++ App

Post by BhaaL on Tue Jun 23, 2009 11:26 am

getpid() returns the process id. And I highly doubt you will ever have process ids with 20 digits.
Hence, unless you can do that, you won't be able to exploit that particular piece of code.
BhaaL
Poster
Posts: 270
Joined: Sun Apr 13, 2008 11:16 am
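An added check that is not code from the thread or from the application Israel is reading (the function names, PIDBUF_SIZE and the /dev/null handle in the demo are my own assumptions): it measures the worst-case output of "%d\n" for an int-sized pid_t with snprintf(NULL, 0, ...), so the "20 digits" point above is verified rather than assumed, and it shows the same lock-file line written with a bounded call and an explicit truncation check, which is how you would harden this kind of code even though this instance cannot overflow.

```c
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define PIDBUF_SIZE 20   /* same buffer size as the snippet in the thread (assumed name) */

/* Worst-case bytes "%d\n" can emit for any int, excluding the NUL.
   On Linux pid_t is an int, so INT_MIN ("-2147483648" + '\n' = 12) bounds it.
   Measured with snprintf(NULL, 0, ...) rather than counted by hand. */
int max_pid_line_len(void) {
    int neg = snprintf(NULL, 0, "%d\n", INT_MIN);
    int pos = snprintf(NULL, 0, "%d\n", INT_MAX);
    return neg > pos ? neg : pos;
}

/* True if any pid_t formatted as "%d\n" fits in `size` bytes including the NUL. */
bool pid_line_fits(size_t size) {
    return (size_t)max_pid_line_len() + 1 <= size;
}

/* Bounded formatting with an explicit truncation check.
   Returns bytes written (excluding NUL), or -1 if the line would not fit. */
int format_pid_line(char *out, size_t size, pid_t pid) {
    int n = snprintf(out, size, "%d\n", (int)pid);
    if (n < 0 || (size_t)n >= size)
        return -1;               /* snprintf truncated: refuse instead of writing garbage */
    return n;
}

/* Hardened form of the lock-file line: never writes more than the buffer holds,
   and reports failure instead of silently truncating. */
bool write_pid_line(int fd, pid_t pid) {
    char str[PIDBUF_SIZE];
    int n = format_pid_line(str, sizeof str, pid);
    if (n < 0)
        return false;
    return write(fd, str, (size_t)n) == n;
}

int main(void) {
    printf("max bytes \"%%d\\n\" can emit: %d (buffer is %d bytes)\n",
           max_pid_line_len(), PIDBUF_SIZE);
    /* demo: write our own pid line to stdout, as the lock file code would to fd */
    return write_pid_line(STDOUT_FILENO, getpid()) ? 0 : 1;
}
```

Note that the argv string from `perl -e 'print "A" x 600'` never reaches `str` at all: the only data that is formatted into that buffer is the return value of getpid(), and the functions above show that value can occupy at most 12 of the 20 bytes.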


Re: Need Help Overflowing C++ App

Post by Israel on Wed Jun 24, 2009 3:26 am

BhaaL wrote:getpid() returns the process id. And I highly doubt you will ever have process ids with 20 digits.
Hence, unless you can do that, you won't be able to exploit that particular piece of code.


Ok, I'm probably wrong, but I disagree with you. However, your comment has made me look at this differently. I was trying to feed this a string of A's because I saw the "char" but I didn't think about the %d meaning integers. True, I'll probably never see a process id 20 digits long. But I think you may be missing that I'm trying to inject a string or digits, not actually create a process id like that. Maybe you're right and I am totally lost though...
Israel
Experienced User
Posts: 74
Joined: Thu Sep 18, 2008 9:53 pm


Re: Need Help Overflowing C++ App

Post by BhaaL on Wed Jun 24, 2009 10:43 am

Israel wrote:But I think you may be missing that I'm trying to inject a string or digits, not actually create a process id like that. Maybe you're right and I am totally lost though...


You're not injecting anything, you simply run the perl executable and tell it to evaluate "print 'A' x 21", where the x operator prints A 21 times.
BhaaL
Poster
Posts: 270
Joined: Sun Apr 13, 2008 11:16 am


Re: Need Help Overflowing C++ App

Post by Israel on Wed Jun 24, 2009 11:57 pm

Hmmm... Seems I was a bit confused on terminology. This is all still very new to me. Nevertheless, I think you're right now.
Israel
Experienced User
Posts: 74
Joined: Thu Sep 18, 2008 9:53 pm

