This repository was archived by the owner on May 29, 2023. It is now read-only.

Buffer overflow #1 #2

Open
poechsel opened this issue May 13, 2019 · 1 comment
Assignees
Labels
True vulnerability Actual vulnerability in the project wontfix This will not be worked on

Comments


poechsel commented May 13, 2019

Looking at the function receiveFileUpload we can see the following snippet:

if (size == port) {
    strcpy(stuff, big.c_str());

The problem is that stuff is only of size 4 and big can be very big (it is as big as the size of file...), so if we managed to execute the strcpy we should be able to trigger a buffer overflow and rewrite the rip.

Now, the condition size == port is true if the size of the file is equal to the port. The port number is generated "randomly" by the function getRandomPort:

int ServerSocket::getRandomPort() {
    // 42420 blaze it
    int portNumber = 12000 + (std::rand() % (42420 - 12000 + 1));
    return portNumber;
}

However, the seed for the rand function is never initialized, and therefore is constant between executions of the server. The generated port numbers will always be the same. We can easily generate a file with the size of a port and include a payload in it to trigger the overflow.

Exploit:

This gist contains a python exploit generator that will:

  • generate a payload.txt of size 31872 (first port generated by getRandomPort)
  • generate an overflow1.in file containing a sequence of commands that will run the exploit
login q
pass q
put payload.txt 31873
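An added illustration (not code from the project or from the reporter) of the two defects behind this report: an unseeded std::rand() that reproduces the same port on every start, beside a seeded generator over the same range and a length-checked copy that rejects any input that does not fit the 4-byte stuff buffer. Function names are assumptions.

```cpp
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <random>
#include <string>

// Same arithmetic as the reported getRandomPort(): std::rand() is never seeded,
// so every server process starts from the library's default seed (as if
// srand(1) had been called) and produces the same port sequence.
int getRandomPortUnseeded() {
    return 12000 + (std::rand() % (42420 - 12000 + 1));
}

// Resetting to the default seed reproduces the first port a fresh process hands out.
bool unseededPortIsReproducible() {
    std::srand(1);
    int first = getRandomPortUnseeded();
    std::srand(1);
    return getRandomPortUnseeded() == first;
}

// Hardened port selection (assumed replacement, not project code): seeded
// from a non-deterministic source, uniform over the same range.
int getRandomPortSeeded() {
    static std::mt19937 gen{std::random_device{}()};
    std::uniform_int_distribution<int> dist(12000, 42420);
    return dist(gen);
}

// Hardened replacement for strcpy(stuff, big.c_str()): copies only if the
// source plus its NUL terminator fits in dst, otherwise rejects the input.
bool safeCopy(char* dst, std::size_t dstSize, const std::string& src) {
    if (dstSize == 0 || src.size() >= dstSize) return false;
    std::memcpy(dst, src.data(), src.size());
    dst[src.size()] = '\0';
    return true;
}

// Mirrors the 4-byte `stuff` buffer from the report.
bool fitsInStuffBuffer(const std::string& src) {
    char stuff[4];
    return safeCopy(stuff, sizeof stuff, src);
}

int main() {
    std::cout << "unseeded port reproducible: " << unseededPortIsReproducible() << '\n';
    std::cout << "seeded port: " << getRandomPortSeeded() << '\n';
    std::cout << "31872-byte upload accepted: " << fitsInStuffBuffer(std::string(31872, 'A')) << '\n';
}
```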
@alex-chambet alex-chambet self-assigned this May 19, 2019
@alex-chambet alex-chambet added True vulnerability Actual vulnerability in the project wontfix This will not be worked on labels May 19, 2019
@alex-chambet (Collaborator)

Nice write-up, well done!
