mystery_reverser Posted May 18, 2010 (edited)

Hello Guys, I am a newbie to reverse engineering vulnerabilities. Following are some of the vulnerable codes, for which I want to know the answer for the following questions. It would be great if you guys explain elaborately so that I can kick start my vulnerability analysis with a bang. Please help me out guys. You can mail me the answers to mysteryreverse@gmail.com or post it here as a doc file.

Regards,
Mystery

Here is the doc file!!
Attachments: Vulnerablitity.zip, Vulnerablitity.doc

Edited May 18, 2010 by quosego
quosego Posted May 18, 2010

    subl $132, %esp
    [...]
    pushl $256
    leal -132(%ebp), %ebx

1. Linux asm seems inverted.
2. I'm not really an exploit kind of guy. So don't blame me if I'm wrong.
3. Assuming 256 is the max length of the stream which is retrieved by fgets, subtracting only 132 from the stack means you can feed a bigger stream than this and corrupt the stack, which can be used to execute code.

PHP exploits are not my speciality. So nothing there.. Prolly sql injects or so..

And btw, is this your homework?
mystery_reverser (Author) Posted May 18, 2010

[quotes quosego's reply above]

Yeah, it's a part of that!!! Anyway, can anybody let me know the right one, guys!!!!
Hyperlisk Posted May 18, 2010 (edited)

#1: XSS vulnerability, easily. Pass in <script>alert('XSS');</script> for $_GET['name'] and watch it go~

#2: Obvious SQL injection here. Something like: ','',''); DROP TABLE users-- might work, I've never been one for SQL injections.

#3: Buffer overflow vulnerability. I don't really know how to exploit these, yet.

#4: ^

> 1. Linux asm seems inverted.

That's just AT&T syntax. But I'm sure you know that. Ugh, I despise AT&T syntax. It makes so little sense when you're used to Intel syntax!

Edited May 18, 2010 by Hyperlisk
JMC31337 Posted May 19, 2010 (edited)

#3 Buffer Overflow:

For starters, you're using a C-coded program to do CGI work. getenv("INPUT") is cgi.. to help ya understand this a lil better, look at my modded up version of your code I wrote in Dev-C++... when you go to run this, wait a few, the 300 chars will print and it most def will crash and print a minidump:

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    int main()
    {
        char *tmp;
        char buf[256];                 /* destination is only 256 bytes */

        //tmp = getenv("INPUT");       /* the CGI version reads the input from the environment */
        tmp = "10101010101010101010101010101010101010101010101010"
              "10101010101010101010101010101010101010101010101010"
              "10101010101010101010101010101010101010101010101010"
              "10101010101010101010101010101010101010101010101010"
              "10101010101010101010101010101010101010101010101010"
              "10101010101010101010101010101010101010101010101010";   /* 300 chars */

        if (tmp != NULL) {
            /* the bound is the SOURCE length, so strncpy copies all 300 bytes into buf[256] */
            strncpy(buf, tmp, strlen(tmp));
            printf("INPUT: %s\n", buf);
        } else {
            exit(1);
        }
        return 0;
    }

Head over to IBM's site and look for "Make your software behave: Preventing buffer overflows".

Edited May 19, 2010 by JMC31337
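Added example (not code from the thread or its attachment): the bounded-copy pattern that the posted strncpy(buf, tmp, strlen(tmp)) line gets wrong. The copy limit has to come from the destination size, so the same 300-character input is rejected instead of being written 44 bytes past buf[256]; copy_input and feed are names assumed here, and the '1'/'0' test string is constructed to mirror the post's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256

/* Bounded copy: the limit is the DESTINATION size, never strlen(src) as in the
 * posted strncpy call. Returns 1 if src fit (dst NUL-terminated), 0 if too long
 * (dst is then "" rather than a partial copy). */
int copy_input(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return 0;
    size_t n = 0;                          /* scan at most dst_size bytes of src */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n >= dst_size) {                   /* no NUL within dst_size: does not fit */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);               /* n + 1 copies the terminating NUL too */
    return 1;
}

/* Feeds a constructed len-char '1'/'0' string (like the post's test input)
 * through copy_input into a BUF_SIZE buffer. Returns 1 if accepted and the
 * copy is intact, 0 if rejected, -1 on allocation failure. */
int feed(size_t len)
{
    char buf[BUF_SIZE];
    char *in = malloc(len + 1);
    if (in == NULL) return -1;
    for (size_t i = 0; i < len; i++)
        in[i] = (i % 2 == 0) ? '1' : '0';
    in[len] = '\0';
    int ok = copy_input(buf, sizeof buf, in);
    if (ok && strlen(buf) != len) ok = -1; /* accepted copies must be complete */
    free(in);
    return ok;
}

int main(void)
{
    /* 300 chars as in the post: strncpy(buf, tmp, strlen(tmp)) would write 44
     * bytes past buf[256]; copy_input refuses the input instead. */
    printf("300 chars: %s\n", feed(300) == 1 ? "accepted" : "rejected (too long)");
    printf("100 chars: %s\n", feed(100) == 1 ? "accepted" : "rejected");
    return 0;
}
```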
Hyperlisk Posted May 19, 2010

[quotes JMC31337's post above]

Pretty sure this is like his homework or something, he's not the one that wrote it.