Question:

vuln.c

    #include <stdio.h>    /* header names were lost in the page rendering; stdio.h and string.h are required, stdlib.h is the usual third */
    #include <string.h>
    #include <stdlib.h>

    long x = 0, y = 0, z = 0;

    FILE *fp = NULL;

    void bubbleSort() {

        long swap = 0;

        long array[39];

        // load data into array: one hex value per non-empty line, with no bound on x
        printf("Source list: ");

        char line[sizeof(long) * 2 + 1] = {0};   /* 17 bytes on a 64-bit build: 16 hex digits + NUL */

        while (fgets(line, sizeof(line), fp)) {

            if (strlen((char *)line) > 1) {

                sscanf(line, "%lx", &(array[x]));   /* writes past array[38] once x exceeds 38 */

                printf("0x%lx ", array[x]);

                ++x;
            }
        }

        fclose(fp);

        // do bubble sorting (over all x values, including any that spilled past the array)
        for (y = 0 ; y < ( x - 1 ); y++)
        {
            for (z = 0 ; z < x - y - 1; z++)
            {
                if (array[z] > array[z+1])
                {
                    swap = array[z];
                    array[z] = array[z+1];
                    array[z+1] = swap;
                }
            }
        }

        // output sorting result
        printf("\nSorted list in ascending order: ");

        for ( y = 0 ; y < x ; y++ )
            printf("%lx ", array[y]);
    }

    int main(int argc, char **argv)
    {
        if(argc!=2)
        {
            printf("Usage: ./vuln file_name\n");
            return -1;
        }

        fp = fopen(argv[1], "rb");   /* the return value is not checked; a missing file crashes in fgets() */

        bubbleSort();

        return 0;
    }

************************************

sample.txt

7 d0 80 5 a

************************************

1) Save the file vuln.c and sample.txt

2) Compile the provided C code (which you will be exploiting): gcc vuln.c -o vuln -fno-stack-protector (DO NOT use other options)

3) To run this program, put some hexadecimal integers in the file: sample.txt, and execute vuln by: ./vuln sample.txt

4) When you put a very long list of integers in sample.txt, you will notice vuln crashes with a segmentation fault. This is because the return address has been overwritten by your data. Pay attention to the non-binary allocated buffer and what it does to the stack structure (you can see this in GDB).

5) Now you can craft your shellcode in sample.txt. Again, your goal is to overwrite the return address with the address of function system() and pass it the address of the string /bin/sh. Do not use environment variables to store these addresses and then access those environment variables.

Use the library addresses of system() and /bin/sh explicitly. GDB (if you're using GDB for the first time, we recommend checking out GdbInit) can be used to find these library addresses and test/debug your exploit. However, it should be noted that your final exploit (i.e., the final version of your sample.txt) should work outside of GDB. Just running ./vuln sample.txt should spawn a shell for you.

6) You can verify the exploit has occurred because you will get a new, clean command prompt. But how do we know it is not the same bash shell that invoked the vuln program?

To verify you have successfully caused a buffer overflow, issuing echo $$ will give the process ID of the current process. Issue echo $$ (shows the PID of the current bash shell), then run ./vuln sample.txt, and after vuln completes to a clean shell issue echo $$ again to show the PID of the exploited shell. (Note: echo $0, instead of or in addition to echo $$, will return the name of the current shell.)

-- You will also see a different command prompt in the terminal; after a successful exploit it should simply be a $

7) Provide a screenshot of you exploiting vuln.
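The loader and sort from vuln.c, reworked as an added example to show two things that steps 3 to 5 above depend on but do not spell out: how the 17-byte line buffer and "%lx" decide which values actually land in which slots, and what the missing bound check looks like when it is present. This is not code from the assignment or from any solution to it; load_hex_lines, bubble_sort, parse_sample and vuln_model_load_and_sort are names chosen here, the inputs are constructed, and the example assumes a 64-bit (LP64) build where sizeof(long) is 8, and uses POSIX fmemopen() so the constructed sample.txt contents can be fed from memory.

```c
#define _POSIX_C_SOURCE 200809L          /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VULN_SLOTS 39                    /* long array[39] in vuln.c */

/* Read hex values exactly as vuln.c does (same 17-byte line buffer, one
 * "%lx" per non-empty fgets() result), but stop at max_slots instead of
 * writing past the array. Returns the number of values stored. */
size_t load_hex_lines(FILE *fp, long *out, size_t max_slots)
{
    char line[sizeof(long) * 2 + 1] = {0};   /* 16 hex digits + NUL on LP64 */
    size_t n = 0;

    while (fgets(line, sizeof(line), fp)) {
        if (strlen(line) <= 1)               /* bare "\n" left over from a full 16-digit line */
            continue;
        if (n >= max_slots)                  /* the bound check vuln.c lacks */
            break;
        if (sscanf(line, "%lx", &out[n]) == 1)   /* only the FIRST token of a line is used */
            n++;
    }
    return n;
}

/* vuln.c's sort, unchanged in behaviour: it runs over all n values, so in the
 * vulnerable binary anything spilled past array[38] is sorted as well. */
void bubble_sort(long *a, size_t n)
{
    for (size_t y = 0; n > 0 && y < n - 1; y++)
        for (size_t z = 0; z < n - y - 1; z++)
            if (a[z] > a[z + 1]) {
                long swap = a[z];
                a[z] = a[z + 1];
                a[z + 1] = swap;
            }
}

/* Offline helper: parse a constructed in-memory sample.txt. */
size_t parse_sample(const char *text, long *out, size_t max_slots)
{
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL)
        return 0;
    size_t n = load_hex_lines(fp, out, max_slots);
    fclose(fp);
    return n;
}

/* Model of the vulnerable frame: frame_slots longs, of which the first
 * VULN_SLOTS stand for the array and the rest for whatever follows it on the
 * stack. Loads with no bound (as vuln.c effectively does) and sorts everything
 * loaded, so the caller can see where each value ends up. */
size_t vuln_model_load_and_sort(const char *text, long *frame, size_t frame_slots)
{
    size_t n = parse_sample(text, frame, frame_slots);
    bubble_sort(frame, n);
    return n;
}

/* Hardened stand-alone version of vuln's main(): bounded load, checked fopen(). */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s file_name\n", argv[0]);
        return 1;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (fp == NULL) {
        perror(argv[1]);
        return 1;
    }
    long array[VULN_SLOTS];
    size_t n = load_hex_lines(fp, array, VULN_SLOTS);
    fclose(fp);
    bubble_sort(array, n);
    for (size_t i = 0; i < n; i++)
        printf("%lx ", array[i]);
    printf("\n");
    return 0;
}
```

Three points follow directly from running it. The page's own sample line "7 d0 80 5 a" loads a single value (7), because sscanf consumes only the first token of each fgets() result; several values must go one per line. A 16-hex-digit value fills the line buffer exactly, and the newline that fgets() leaves behind is skipped by the strlen() > 1 test, so one full 64-bit value per line is the only way to place an address; a 17th digit spills into a second value. And because the sort covers every value loaded, whatever you place in the slots beyond array[38] is reordered numerically before the function returns, so the file order is not the stack order.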
