Using 'crash' file to exploit BoF #7

Open
caballomaldito opened this issue Jan 22, 2019 · 2 comments

Comments

@caballomaldito

Assuming an application that performs reading of files as example, how could it be analyzed with Zerotool using the 'crash' file to exploit the buffer overflow?

Example: filereadapp /dir/mycrashfileBoF.png

Thanks!

@ChrisTheCoolHut
Owner

You'll need to modify three files:

inputDetector.py

You'll need to add a detection strategy for identifying file open operations.
Checking for "open" or "fopen" will probably cover most CTF problems.

overflowDetector.py

In the checkOverflow function, you will need to add a
condition to check for each open file descriptor somewhere on line 57

if state_copy.globals['inputType'] == "FILE":

Your check will likely look something like:

for fd in state.posix.files:          # iterate over every open file descriptor
    if b'AAAA' in state.posix.dumps(fd):   # dumps() returns bytes, so compare against bytes
        pass  # copy the STDIN/LIBPWNABLE detection logic here

And you'll do pretty much the same in

overflowExploiter.py

If you send the challenge I'd be happy to add these changes.

@caballomaldito
Author

Hi!

Here is a simple file parser with a buffer overflow vulnerability.

Create a file called file.c with the following contents:

#include <iostream>
#include <fstream>

using namespace std;

int main(int argc, char* argv[])
{
    if (argc > 1) {
        cout << "argv[1] = " << argv[1] << endl;
    } else {
        cout << "No file name entered. Exiting...";
        return -1;
    }
    ifstream myReadFile;
    myReadFile.open(argv[1]);
    char output[10];                // 10-byte stack buffer
    if (myReadFile.is_open()) {
        while (!myReadFile.eof()) {
            myReadFile >> output;   // unbounded extraction: a token longer than 9 chars overflows output
            cout << output;
        }
    }
    myReadFile.close();
    return 0;
}

You can compile with the following commands:

g++ file.c -o file

Now, create a file called "myfile.txt" with more than 10 chars

petar@ubuntu:~/Desktop$ cat myfile.txt
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

To exploit:

./file myfile.txt
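As an added example, not code from this thread or from the tool's repository, here is the extraction that overflows in the program above placed next to two bounded forms. `std::setw(N)` makes `operator>>` into a `char` array stop after N-1 characters and NUL-terminate, and extracting into a `std::string` has no fixed buffer at all. The functions run over an in-memory copy of the 51-byte `myfile.txt` content so nothing on disk is needed; the names `CRASH_CONTENT`, `unbounded_overflow_bytes`, `read_tokens_bounded` and `read_tokens_string` are mine.

```cpp
#include <cstddef>
#include <iomanip>
#include <sstream>
#include <string>
#include <vector>

// Constructed stand-in for the myfile.txt shown above: 51 'A's, far more than
// the 10-byte `output` buffer in the original program can hold.
static const std::string CRASH_CONTENT(51, 'A');

// Mirror of the vulnerable `in >> output`: with no width set, the extraction
// copies the whole whitespace-delimited token plus a NUL into the array.
// This helper does not perform the overflowing write; it measures the first
// token safely (std::string grows) and returns how many bytes would land past
// the end of a buffer of `buf_size` bytes (0 means the token fits).
std::size_t unbounded_overflow_bytes(const std::string& content, std::size_t buf_size) {
    std::istringstream in(content);
    std::string token;
    if (!(in >> token)) return 0;          // empty or whitespace-only file: nothing extracted
    std::size_t needed = token.size() + 1; // characters plus the terminating NUL
    return needed > buf_size ? needed - buf_size : 0;
}

// Hardened loop with the same fixed buffer: std::setw(sizeof buf) caps each
// extraction at sizeof(buf)-1 characters and NUL-terminates, so `buf` cannot be
// overrun. Whatever remains of a long token stays in the stream and is read on
// the next iteration, so input is split into buffer-sized pieces, not lost.
// The extraction itself is the loop condition, which also avoids the
// `while (!eof())` pattern that repeats the last token after a failed read.
std::vector<std::string> read_tokens_bounded(const std::string& content) {
    std::istringstream in(content);
    char buf[10];
    std::vector<std::string> tokens;
    while (in >> std::setw(sizeof buf) >> buf) { // width resets after each extraction
        tokens.push_back(buf);                   // buf is NUL-terminated here
    }
    return tokens;
}

// Idiomatic C++ form: no fixed-size buffer, so no bound to get wrong.
std::vector<std::string> read_tokens_string(const std::string& content) {
    std::istringstream in(content);
    std::string token;
    std::vector<std::string> tokens;
    while (in >> token) tokens.push_back(token);
    return tokens;
}

int main() {
    // 51 'A's need 52 bytes including the NUL; against a 10-byte buffer that is
    // 42 bytes written past the end. The bounded reader yields five 9-character
    // pieces and one 6-character tail; the std::string reader yields one token.
    std::size_t over = unbounded_overflow_bytes(CRASH_CONTENT, 10);
    std::vector<std::string> bounded = read_tokens_bounded(CRASH_CONTENT);
    std::vector<std::string> whole = read_tokens_string(CRASH_CONTENT);
    return (over == 42 && bounded.size() == 6 && whole.size() == 1) ? 0 : 1;
}
```

Built exactly as on the page (`g++ file.c -o file`, no flags), a distribution gcc that enables `-fstack-protector-strong` by default turns the 42-byte overrun into a `*** stack smashing detected ***` abort rather than a controlled return address; CTF-style targets that are meant to be exploited this way are usually compiled with `-fno-stack-protector`.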
