Exploiting Security Issues

99% of the time, when you discover a security problem in a program, documenting it is sufficient for your report to be read, understood and accepted.

However, there are times when somebody will be skeptical of a report, and at those times having a working script that exploits the weakness will focus their attention.

Many of the earlier problems I reported fell into two simple classes:

  • Missing bounds checks on environment variable usage.
  • Missing bounds checks when copying command line arguments.

Rather than code exploits for each particular target, I came up with a generic approach: two command-line tools which attempt to exploit these problems in a simple fashion.

If you would like more details, I'd suggest reading Smashing the stack for fun & profit.

cmd-overflow

The cmd-overflow tool is designed to automatically exploit vulnerable code which copies the contents of a command line argument into a fixed-size buffer.

Vulnerable code typically looks like this:

#include <stdio.h>

int main( int argc, char *argv[] )
{
   char buffer[1024];   /* fixed-size stack buffer */

   /* ... */

   /* No bounds check: "/etc/" plus the terminating NUL leave room for
    * 1018 bytes of argv[1]; anything longer overruns buffer.
    * argv[1] is also used without checking that argc >= 2. */
   sprintf( buffer, "/etc/%s", argv[ 1 ] );

   /* ... */

   return 1;
}

env-overflow

The env-overflow tool is designed to automatically exploit vulnerable code which copies the contents of an environment variable into a fixed-size buffer, with no bounds checking.

Vulnerable code looks like this:

#include <stdio.h>
#include <stdlib.h>

void someFunction( )
{
   char buffer[ 256 ];   /* fixed-size stack buffer */

   /* ... */
   /* No bounds check: "/.foorc" plus the NUL leave room for 248 bytes
    * of HOME; a longer value overruns buffer. getenv() also returns
    * NULL when HOME is unset, which sprintf's %s does not handle. */
   sprintf( buffer, "%s/.foorc", getenv( "HOME" ) );
   /* ... */
}
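Both snippets above (the cmd-overflow argv case and the env-overflow getenv case) have the same fix: size the copy to the destination and reject input that does not fit. The following is an added example, not code from this page or from the cmd-overflow/env-overflow tools; the helper names build_etc_path and build_rc_path are assumptions. It replaces sprintf with snprintf, checks snprintf's return value so that truncation is reported rather than silently accepted, and handles the getenv() NULL case that the vulnerable version ignores.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: hardened replacements for the two sprintf patterns on this
 * page. Names are hypothetical, not from the original tools. */

/* Build "/etc/<name>" into out[out_len].
 * Returns 0 on success, -1 if name is missing or the result would not fit. */
int build_etc_path(const char *name, char *out, size_t out_len)
{
    if (name == NULL || out == NULL || out_len == 0)
        return -1;
    /* snprintf writes at most out_len bytes (NUL included) and returns the
     * length the full string would have had, so n >= out_len means the
     * argument was too long for the buffer: report it instead of truncating. */
    int n = snprintf(out, out_len, "/etc/%s", name);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Build "<home>/.foorc" into out[out_len]. The HOME value is passed in
 * explicitly so the function is testable without touching the real
 * environment; the caller passes getenv("HOME").
 * Returns 0 on success, -1 if home is NULL (HOME unset) or it would not fit. */
int build_rc_path(const char *home, char *out, size_t out_len)
{
    if (home == NULL || out == NULL || out_len == 0)
        return -1;   /* sprintf("%s", NULL) in the original is undefined behaviour */
    int n = snprintf(out, out_len, "%s/.foorc", home);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[1024];   /* same sizes as the vulnerable snippets */
    char rc[256];

    /* Command-line argument: refuse over-long input rather than overflow. */
    if (argc < 2 || build_etc_path(argv[1], buffer, sizeof buffer) != 0) {
        fprintf(stderr, "usage: %s <name>  (argument missing or too long)\n", argv[0]);
        return 1;
    }
    printf("config path: %s\n", buffer);

    /* Environment variable: NULL and over-long HOME are both handled before
     * any byte is copied. */
    if (build_rc_path(getenv("HOME"), rc, sizeof rc) != 0) {
        fprintf(stderr, "HOME unset or too long; not reading ~/.foorc\n");
        return 1;
    }
    printf("rc path: %s\n", rc);
    return 0;
}
```

A quick way to confirm the fix is to run the hardened binary with an argument longer than the buffer (for example the output of a long `printf`), or with HOME set to a very long string: the original crashes or corrupts the stack, the hardened version prints the error and exits with status 1. The same return-value check applies to any snprintf-based rewrite; a common mistake is to switch to snprintf but ignore its result, which avoids the overflow but silently uses a truncated path.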

Download