/prog/-challenge: HAX MY ANUS

Name: Anonymous 2010-08-31 18:13

Your task:

Write a program that exploits the buffer overflow in the following program, to let it display the string ``Hello World'' on Linux i386:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *readstuff(int length) {
  char *buffa;

  if((buffa = malloc(length)) == NULL)
    return;
  gets(buffa);
  return buffa;
}

int main(int argc, char **argv) {
  char *buffa;

  buffa = readstuff(argc);
  free(buffa);
  return EXIT_SUCCESS;
}


Deadline is this Sunday night 23:59:59

Name: Anonymous 2010-08-31 18:18

Supplemental:

<yourprogram> | ./buffa shall output ``Hello World''.

Name: Anonymous 2010-08-31 18:56

So basically what you're asking is a tutorial on buffer overflows? Because every program that does that is going to be almost exactly the same.

Name: Anonymous 2010-08-31 18:57


system("AdobeReader.exe someExploitFile.pdf");

Name: Anonymous 2010-08-31 19:06

>>2
#include <stdio.h>

int main() {
    fprintf(stderr, "``[u]Hello World[/u]''\n");
    return 0;
}

Name: Anonymous 2010-08-31 19:29

printf

Name: Anonymous 2010-08-31 19:43

Nice homework you've got there. Hate for something to happen to it.
And please change that title, we don't want that /b/ stuff in here.

Name: Anonymous 2010-08-31 19:44

print "Hello World!";

Name: Anonymous 2010-08-31 20:03

>>7
Fuck off, ``faggot''.

>>1
I can cook you up a solution, but only for x86-64. Want it?

Name: >>9 2010-08-31 20:22

Also, you'll have to blow me.

Name: Anonymous 2010-08-31 20:49

Can I smash the stack for fun and profit using LISP?

Name: Anonymous 2010-09-01 1:05

>>9
Lead by example.

Name: Anonymous 2010-09-01 1:08

>>9
Sure, go ahead.

Name: Anonymous 2010-09-01 1:20

>>12
Fuck off, ``faggot''.

Name: C99 2010-09-01 1:22

#include <stdio.h>
int main(void) {
  gets((char []){0});
}

Name: Anonymous 2010-09-01 1:32

>>14
Lead by example.

Name: Anonymous 2010-09-01 1:36

>>16
Fuck off, ``faggot''.

Name: Anonymous 2010-09-01 2:17

>>17
Lead by example.

Name: Anonymous 2010-09-01 3:11

>>1
This isn't a "traditional" buffer overflow, it's just completely incorrect code.

The readstuff function allocates a buffer of size N where N is the number of arguments passed to the program.  So if you just run ./buffa as you specified, then argc will be zero.

So then when you hit this line of code:

  if((buffa = malloc(length)) == NULL)
    return;


malloc will probably return zero (who knows) and you'll just return, but that function must return a value... shit, your code won't even compile.

Name: Anonymous 2010-09-01 4:24


zawa zawa

Name: Anonymous 2010-09-01 4:29

>>20
back to Espoir, please

Name: Anonymous 2010-09-01 4:40

>>21
Kaiji is a computer science graduate who was forced to gamble due to developer outsourcing.

True story.

Name: Anonymous 2010-09-01 5:09

>>19
In your case length will be 1.
Also, the code will compile just fine.

Name: Anonymous 2010-09-01 5:12

Updated version, so >>19 will be happy:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *readstuff(int length) {
  char *buffa;

  if((buffa = malloc(length)) == NULL)
    return NULL;
  gets(buffa);
  return buffa;
}

int main(int argc, char **argv) {
  char *buffa;

  buffa = readstuff(argc);
  if(buffa) free(buffa);
  return EXIT_SUCCESS;
}

Name: Anonymous 2010-09-01 5:17

>>18,21
Fuck off, ``faggot''.

Name: Anonymous 2010-09-01 13:53

>>25
Fuck off, ``XARN''.

Name: Anonymous 2010-09-01 16:14

>>5 won.

Name: Anonymous 2010-09-01 17:26

>>27
>>5 didn't exploit a buffer overflow. Also the deadline isn't over, yet.

Name: Anonymous 2010-09-01 20:36

>>28
The buffer was so flewn over that it didn't even touch the program.

Name: Anonymous 2010-09-01 21:30

>>19
argc will never be zero on any sane system.

Name: Anonymous 2010-09-02 2:04

>>30
You're right.  I forgot that the executable name counts as argv[0].  So the program always allocates a single byte.  It's still completely incorrect and not what OP intended.

Or, if it was intended to work that way, it would be better written as:


#include <stdio.h>

int main(int argc, char **argv)
{
   char c;
   gets(&c);
   return 0;
}


The only difference is that the pointer points to the stack where his points to the heap.  No real difference in "exploitability."  If it absolutely has to be a heap pointer, do this:


#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
   char *c = malloc(1);
   if (!c) return 1;
   gets(c);
   free(c);
   return 0;
}


... although the check for malloc(1) failing seems a little unnecessary.
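As an added example (not code from the thread), here is the same `readstuff()` contract as the original post, allocating `length` bytes and reading one line into them, but with the write bounded by the allocation. It takes a `FILE*` instead of reading `stdin` directly so the behaviour can be checked on constructed input; `readstuff_bounded`, `input_from_string` and the `truncated` flag are names introduced here, and the sample line is constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for readstuff(): fgets() stops after length-1
 * characters, so a 1-byte allocation (argc when run bare) can no longer
 * be overrun by "Hello World". Returns NULL on malloc failure or on EOF
 * before any input. *truncated is set when part of the line was dropped. */
char *readstuff_bounded(FILE *in, size_t length, int *truncated) {
  char *buffa;
  size_t n;
  int c;

  *truncated = 0;
  if (length > INT_MAX) length = INT_MAX;   /* fgets() takes an int */
  if (length == 0 || (buffa = malloc(length)) == NULL)
    return NULL;
  buffa[0] = '\0';
  if (length > 1 && fgets(buffa, (int)length, in) == NULL) {
    free(buffa);                            /* EOF or error, nothing read */
    return NULL;
  }
  n = strlen(buffa);
  if (n > 0 && buffa[n - 1] == '\n') {
    buffa[n - 1] = '\0';                    /* drop the newline, as gets() did */
  } else {
    /* Buffer filled (or length was 1) before the newline: discard the rest
     * of the line so it cannot leak into a later read. */
    while ((c = fgetc(in)) != EOF && c != '\n')
      *truncated = 1;
  }
  return buffa;
}

/* Test aid: a FILE* holding a constructed line, standing in for stdin. */
FILE *input_from_string(const char *s) {
  FILE *f = tmpfile();
  if (f == NULL) return NULL;
  fputs(s, f);
  rewind(f);
  return f;
}

int main(int argc, char **argv) {
  int truncated;
  /* Same sizing as the original program: argc bytes, i.e. 1 when run bare. */
  char *buffa = readstuff_bounded(stdin, (size_t)argc, &truncated);
  (void)argv;
  if (buffa == NULL) return EXIT_FAILURE;
  printf("read \"%s\"%s\n", buffa, truncated ? " (input truncated)" : "");
  free(buffa);
  return EXIT_SUCCESS;
}
```

Run bare with `echo "Hello World" | ./a.out` it prints `read "" (input truncated)`; with `length` 13 or more the whole line is returned intact.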

Name: Anonymous 2010-09-02 12:43

void main(void){ ... }

I mean, if you're not writing for a microcontroller, why are you using C?

Name: Anonymous 2010-09-02 12:47

>>30
>pulling things out of your ass to sound like an expert
>has never touched a computer

Name: Anonymous 2010-09-02 20:23

the check for malloc(1)
I like how readstuff returns without a value if that failed. That made me laugh a bit, in a disturbed way, because I've seen code like that -- and it's often the very same people who also use dangerous functions like gets.

Name: Anonymous 2010-09-03 7:51

>>33
Don't know how to quote
...
Fuck this, I'm not dropping to your imageboard scum quoting level. Learn C.

IHBT

Name: Anonymous 2010-09-05 6:09

The deadline is near. Any serious submissions?

Name: Anonymous 2010-09-05 7:03

>>36
I'm not a hacker, I'm an artist.

Name: Anonymous 2010-09-05 7:07

>>36
What do you want? There's a possibility for a heap overflow, but that's not going to help you.

Name: Anonymous 2010-09-05 8:19

So which time zone is this?

Name: Anonymous 2010-09-05 9:14

>>39
Paris, I believe. You can tell by the high level of homosexuality.
