
So a few days ago I started reading a paper about bypassing SSP/ProPolice, and after I read it all I tried the bypasses, but they didn't work. This is the code I used:

   #include <stdio.h>
   #include <string.h>
   #include <unistd.h>

   int f (char ** argv){
         int pipa;  // useless variable, kept to observe reordering
         char *p;
         char a[30];

         p=a;

         printf ("p=%p\t -- before 1st strcpy\n",(void *)p);
         strcpy(p,argv[1]);        // <== vulnerable strcpy()
         printf ("p=%p\t -- after 1st  strcpy\n",(void *)p);
         strncpy(p,argv[2],16);
         printf("After second strcpy ;)\n");
         return 0; }

   int main (int argc, char ** argv){
         f(argv);
         execl("back_to_vul","",(char *)0);  //<-- The exec that fails
         printf("End of program\n");
         return 0; }

And the compile command is: gcc -fstack-protector -z execstack -o f f.c

So basically my problem is the variable reordering that places &p and &a above their buffer, so that I cannot overwrite p's address by sending a large buffer. How could I bypass this?

David
AnonITA

1 Answer


If the variables have been reordered so that p comes before a[30] in memory, and your only attack option is to overwrite p by overflowing the buffer in a, you cannot do it.

(At least not sensibly. You could try for an arithmetic overflow in strcpy() by passing in a 4GB string, but it's virtually certain you'd clobber something important before you wrapped around far enough to overwrite p.)

Mark
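As an added example (not part of the question or the answer), a small C program that probes the layout the asker observed and shows a bounded replacement for the two copies in f(). The function names are my own and the sample arguments are constructed; the probe's result depends on the compiler and flags used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout probe mirroring the asker's f(): a 30-byte array and a pointer as
 * locals. Returns 1 if the pointer lives above the end of the array (an
 * overflow running upward out of a[] could reach it) and 0 if the compiler
 * placed the pointer below the array, the ProPolice reordering described. */
int pointer_reachable_from_buffer(void)
{
    char a[30];
    char *p = a;
    uintptr_t buf_end = (uintptr_t)a + sizeof a;
    uintptr_t ptr_addr = (uintptr_t)&p;

    memset(a, 0, sizeof a);                  /* keep a[] live */
    printf("a=%p  &p=%p  p=%p\n", (void *)a, (void *)&p, (void *)p);
    return ptr_addr >= buf_end;
}

/* Bounded replacement for the two copies in f(): each copy is limited by the
 * destination size, an over-long argument is rejected (not truncated), and
 * the result is always NUL-terminated. Returns 0 on success, -1 on reject. */
int copy_args_bounded(char *dst, size_t dstsz, const char *arg1, const char *arg2)
{
    if (dst == NULL || dstsz == 0 || arg1 == NULL || arg2 == NULL)
        return -1;
    if (strlen(arg1) >= dstsz)               /* no room for the terminator */
        return -1;
    memcpy(dst, arg1, strlen(arg1) + 1);
    size_t n = strlen(arg2);                 /* original copied at most 16 */
    if (n > 16 || n >= dstsz)
        return -1;
    memcpy(dst, arg2, n + 1);
    return 0;
}

/* Runs the hardened copy against constructed inputs; returns checks passed. */
int demo_hardened(void)
{
    char buf[30];
    int passed = 0;
    static const char long_arg[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 'A's */
    if (copy_args_bounded(buf, sizeof buf, "first", "second") == 0) passed++;
    if (strcmp(buf, "second") == 0) passed++;
    if (copy_args_bounded(buf, sizeof buf, long_arg, "x") == -1) passed++;
    if (copy_args_bounded(buf, sizeof buf, "ok", "seventeen chars!!") == -1) passed++;
    return passed;
}
```

Compile the probe with and without -fstack-protector to see the pointer move from above to below the array.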