
I have been searching online for a few days but still cannot figure out what the vulnerability is in the code below. My first thought was that we could overflow the int 'length' and then do a buffer overflow exploit to copy shellcode and a return address into the buffer. However, the 'length' size in the code prevents a buffer overflow. Can anyone shed some light on how to exploit this program? Thanks much!

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void copy_str(char *buffer2, int buffer2_l, char *input)
    {
       int i, length;

       length = strlen(input);
       if (length > buffer2_l)
         length = buffer2_l;

       /* note the '<=': this loop runs length + 1 times */
       for (i = 0; i <= length; i++)
           buffer2[i] = input[i];
    }

    void vul2(char *arg)
    {
      char buffer[109];

      copy_str(buffer, sizeof buffer, arg);
    }

    void vul1(char *argv[])
    {
       vul2(argv[1]);
    }

    int main(int argc, char *argv[])
    {
      if (argc != 2)
        {
          fprintf(stderr, "program2: argc != 2\n");
          exit(EXIT_FAILURE);
        }
      vul1(argv);
      return 0;
    }
  • Hint: if argv[1] is, say, 200 characters long, how many bytes are copied into buffer? How many iterations of the for loop are executed? (If you don't see it, try changing buffer to char buffer[1].) Commented Sep 19, 2015 at 5:01
  • Hi, thanks for your reply. My understanding is that if argv[1] is 200 characters long, only 109 bytes will be copied to buffer and the for loop will be executed 109 times, so there is no buffer overflow in that case. So the question here is how can we write the intended shellcode and return address to buffer with such a length check? Commented Sep 19, 2015 at 5:13
  • Check out this video by Georgia Weidman: vimeo.com/33106013 Commented Dec 17, 2016 at 21:41

1 Answer


If argv[1] is 109 characters or longer, you'll overrun buffer by 1 char, since you use <= for your length comparison.


2 Comments

Hi, if it can only overwrite by one byte, how does that help in an exploit?
@kevin It's undefined behavior, meaning anything can happen. Practically, that byte might happen to be part of a return address. While unlikely to be useful in isolation, this could make a separate vulnerability viable, for example one that allows an attacker to add executable pages to a target process, but can't actually jump to it. Most real-world exploits use a combination of vulnerabilities that might seem harmless in isolation.
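As an added illustration (not code from the question or the answer), the harness below places a sentinel byte directly after a 109-byte buffer and reports whether the question's '<=' loop overwrites it, beside a corrected copy routine that reserves one byte for the terminator; the struct layout, the sentinel value 0xAA and the all-'A' input are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#define BUF_LEN 109
/* Constructed layout: the byte right after the buffer is observable. */
struct probe {
    char buffer[BUF_LEN];
    unsigned char sentinel;  /* canary; must still be 0xAA after a safe copy */
};

/* Same loop as the question: '<=' copies length + 1 bytes. */
static void copy_str_vulnerable(char *buffer2, int buffer2_l, const char *input)
{
    int i, length = (int)strlen(input);
    if (length > buffer2_l)
        length = buffer2_l;
    for (i = 0; i <= length; i++)
        buffer2[i] = input[i];
}

/* Hardened: keep one byte for the NUL, copy at most buffer2_l - 1 chars. */
static void copy_str_fixed(char *buffer2, int buffer2_l, const char *input)
{
    int i, length = (int)strlen(input);
    if (length > buffer2_l - 1)
        length = buffer2_l - 1;
    for (i = 0; i < length; i++)
        buffer2[i] = input[i];
    buffer2[length] = '\0';
}

/* Copies an input of input_len 'A's with the given routine; returns 1 if the
   sentinel after the buffer was overwritten, 0 if it survived, -1 on bad len. */
static int sentinel_clobbered(void (*copy)(char *, int, const char *), size_t input_len)
{
    struct probe p;
    char input[512];
    if (input_len >= sizeof input) return -1;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    memset(&p, 0, sizeof p);
    p.sentinel = 0xAA;
    copy(p.buffer, BUF_LEN, input);
    return p.sentinel != 0xAA;
}

int main(void)
{
    printf("vulnerable, 109 chars: %d\n", sentinel_clobbered(copy_str_vulnerable, 109));
    printf("fixed, 200 chars: %d\n", sentinel_clobbered(copy_str_fixed, 200));
}
```

An input of 108 characters leaves the sentinel intact even with the vulnerable loop, because the copied terminator still lands inside the buffer; 109 or more is what the answer describes.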
