int recv_line(int sockfd, unsigned char *dest_buffer) {
#define EOL "\r\n" // End-of-line byte sequence
#define EOL_SIZE 2
   unsigned char *ptr;
   int eol_matched = 0;

   ptr = dest_buffer;
   while(recv(sockfd, ptr, 1, 0) == 1) { // Read a single byte.
      if(*ptr == EOL[eol_matched]) { // Does this byte match terminator?
         eol_matched++;
         if(eol_matched == EOL_SIZE) { // If all bytes match terminator,
            *(ptr+1-EOL_SIZE) = '\0'; // terminate the string.
            return strlen(dest_buffer); // Return bytes received.
         }
      } else {
         eol_matched = 0;
      }
      ptr++; // Increment the pointer to the next byte.
   }
   return 0; // Didn't find the end-of-line characters.
}
The recv_line() function in hacking-network.h has a small mistake of
omission: nothing limits how many bytes it will write. It keeps receiving
one byte at a time until it sees the EOL sequence, so a line longer than
dest_buffer overflows the buffer. The tinyweb server program, and any
other program that uses this function, is vulnerable to attack.
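As an added example (not code from hacking-network.h, tinyweb.c or the book), here is recv_line() with the missing bound restored, beside a harness that pushes a constructed request line through a local socketpair so the behaviour can be checked without a network. The names recv_line_bounded(), demo_recv(), demo_fit() and long_line_keeps_canary() are inventions of this example, as is the 16-byte and 32-byte buffer sizing; the request bytes are constructed test input.

```c
/* Added example for this page, not code from hacking-network.h or tinyweb.c.
 * recv_line_bounded(), demo_recv(), demo_fit() and long_line_keeps_canary()
 * are names invented here; the request bytes are constructed test input. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define EOL "\r\n"   /* end-of-line byte sequence, as in hacking-network.h */
#define EOL_SIZE 2

/* Same byte-at-a-time loop as recv_line(), plus the missing check: ptr may
 * never reach the last byte of dest_buffer, which is reserved for the '\0'.
 * Returns the line length without EOL, or -1 when the line (with its EOL)
 * does not fit in dest_size - 1 bytes or the peer closes first.  The buffer
 * is null-terminated on every return path. */
int recv_line_bounded(int sockfd, unsigned char *dest_buffer, size_t dest_size) {
    unsigned char *ptr = dest_buffer;
    unsigned char *end;
    int eol_matched = 0;

    if (dest_size == 0)
        return -1;
    end = dest_buffer + dest_size - 1;                  /* terminator slot */
    while (ptr < end && recv(sockfd, ptr, 1, 0) == 1) { /* bound checked first */
        if (*ptr == EOL[eol_matched]) {                 /* byte matches terminator? */
            eol_matched++;
            if (eol_matched == EOL_SIZE) {
                *(ptr + 1 - EOL_SIZE) = '\0';           /* terminate before the EOL */
                return (int)strlen((char *)dest_buffer);
            }
        } else {
            eol_matched = 0;
        }
        ptr++;
    }
    *ptr = '\0';   /* truncated or EOF: still a valid string, but report failure */
    return -1;
}

/* Pushes constructed bytes through a local socketpair (no network needed),
 * closes the sending end so the reader sees EOF, and returns what
 * recv_line_bounded() reports into out. */
int demo_recv(const char *wire, size_t wire_len, unsigned char *out, size_t out_size) {
    int sv[2], n;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    if (write(sv[0], wire, wire_len) != (ssize_t)wire_len) {
        close(sv[0]); close(sv[1]);
        return -2;
    }
    close(sv[0]);
    n = recv_line_bounded(sv[1], out, out_size);
    close(sv[1]);
    return n;
}

/* Sends line_len 'A's followed by EOL into a 16-byte buffer, to show the
 * exact boundary: the line plus its EOL must fit in 15 bytes. */
int demo_fit(size_t line_len) {
    unsigned char buf[16];
    char wire[64];
    if (line_len + EOL_SIZE > sizeof(wire))
        return -2;
    memset(wire, 'A', line_len);
    memcpy(wire + line_len, EOL, EOL_SIZE);
    return demo_recv(wire, line_len + EOL_SIZE, buf, sizeof(buf));
}

/* The attack input: a request line far longer than the buffer, as an
 * attacker would send to tinyweb.  A canary byte placed directly after the
 * buffer must survive.  Returns 1 if the call failed cleanly and the canary
 * is intact, 0 otherwise. */
int long_line_keeps_canary(void) {
    struct { unsigned char buf[32]; unsigned char canary; } g;
    char wire[600];
    int n;
    memset(wire, 'A', sizeof(wire) - EOL_SIZE);
    memcpy(wire + sizeof(wire) - EOL_SIZE, EOL, EOL_SIZE);
    g.canary = 0xAA;
    n = demo_recv(wire, sizeof(wire), g.buf, sizeof(g.buf));
    return n == -1 && g.canary == 0xAA
           && strlen((char *)g.buf) == sizeof(g.buf) - 1;
}

int main(void) {
    unsigned char buf[32];
    const char *req = "GET / HTTP/1.0\r\n";   /* constructed request line */
    int n = demo_recv(req, strlen(req), buf, sizeof(buf));
    printf("normal line: n=%d buf=\"%s\"\n", n, (char *)buf);
    printf("fit test: 13 chars -> %d, 14 chars -> %d\n", demo_fit(13), demo_fit(14));
    printf("600-byte line: canary %s\n", long_line_keeps_canary() ? "intact" : "CLOBBERED");
    return 0;
}
```

The only change to the loop is the `ptr < end` test evaluated before each recv(); everything else keeps recv_line()'s behaviour, including terminating the string before the EOL bytes. A failed read now returns -1 instead of 0 so the caller can tell "empty line" from "line did not fit", which is the case tinyweb has no way to detect today.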
0x481 Analysis with GDB
To exploit the vulnerability in tinyweb.c, we just need to send packets
that strategically overwrite the return address. First, we need to know
the offset from the start of the buffer we control to the stored return
address. We can find this by analyzing the compiled program in GDB;
however, some subtle details can cause tricky problems. For example, the
program requires root privileges, so the debugger must be run as root.
But using sudo or running with root's environment changes the stack (the
environment strings sit at the top of the stack, so their size shifts
every frame below them), meaning the addresses seen in the debugger's run
of the binary won't match the addresses when it runs normally. Other
slight differences can shift memory around in the debugger in the same
way, creating inconsistencies that are maddening to track down. According
to the debugger, everything looks like it should work, yet the exploit
fails when run outside the debugger because the addresses are different.
One elegant solution to this problem is to attach to the process after
it's already running, so the stack layout under inspection is the one the
server really has. In the output below, GDB is used to attach to an
already-running tinyweb process that was started in another terminal. The
source is recompiled with the -g option to include debugging symbols,
which GDB can apply to the running process.
reader@hacking:~/booksrc $ ps aux | grep tinyweb
root 13019 0.0 0.0 1504 344 pts/0 S+ 20:25 0:00 ./tinyweb
reader 13104 0.0 0.0 2880 748 pts/2 R+ 20:27 0:00 grep tinyweb
reader@hacking:~/booksrc $ gcc -g tinyweb.c
reader@hacking:~/booksrc $ sudo gdb -q --pid=13019 --symbols=./a.out
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
Attaching to process 13019
/cow/home/reader/booksrc/tinyweb: No such file or directory.
A program is being debugged already. Kill it? (y or n) n
Program not killed.