#1
    Just Joined! (Join Date: Mar 2005, Posts: 65)

    exploiting a buffer overflow for security class


    Hello,
    I am in a Unix security class and we have this program with a buffer overflow to exploit. There are 2 files on the system, one called /etc/games.hiscore & /etc/games.usrpasswd. They both have the same permissions as /etc/shadow and are owned by user games. I have to run a program called /usr/local/bin/chkscore. This program runs setuid to set userid on the above files to root.

    The program asks for your name at input. The only reason for this name string is to hold a place in memory next to the name of string2, which is the games.hiscore file. The overflow is in this name string. This string can be made to invade the memory space of string2.

    I wrote a script like this:
    #!/bin/bash
    cat data2 | /usr/local/bin/chkscore


    the data file contains:
    aaaaaaaaaaaaaaaaaaaaaaaaaa./hack


    The aaaaa's are the junk I need for filler to make the buffer overflow. The ./hack script contains: hack /etc/games.userpasswd. When they align just right, the ./hack script should be called by the chkscore program and set my script to run as root and then cat out the password file to the screen instead of the high scores.
    I don't know if it works, but I tried many combinations of chars and it still doesn't line up right. If I set the chars to less than 31, the program works as normal because the buffer breaks after 30 chars.

    If anybody who knows about this could look at the code and let me know if I am on the right track, it would be much appreciated.
    Thanks,
    art
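
The pattern the post describes, as an added illustration that is not the chkscore source (which the thread does not include) and not code from either poster: a fixed-size name buffer sitting directly before the high-score file path inside a privileged program, so that an unchecked copy of the user's name spills into the path. The layout, the buffer sizes (31 bytes for the name, matching the "breaks after 30 chars" observation) and the helper names are assumptions; both fields are placed in one flat array so the demonstration stays deterministic. The vulnerable read is shown beside the bounded read a defender would use, plus a sanity check on the path before the privileged open.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (the post does not include chkscore's source): the name
 * buffer is immediately followed by the high-score file path. Both live in
 * one flat array here so the overflow stays inside a single object and the
 * demonstration is deterministic; the real program keeps two variables. */
#define NAME_LEN 31             /* post: input "breaks after 30 chars" */
#define PATH_LEN 64
#define HISCORE  "/etc/games.hiscore"

struct ctx {
    char mem[NAME_LEN + PATH_LEN];
};
#define NAME(c) ((c)->mem)
#define PATH(c) ((c)->mem + NAME_LEN)

static void ctx_init(struct ctx *c)
{
    memset(c->mem, 0, sizeof c->mem);
    strcpy(PATH(c), HISCORE);
}

/* Vulnerable pattern: copy whatever was typed with no length check.
 * Every byte past NAME_LEN - 1 lands in the path field. */
static void read_name_unsafe(struct ctx *c, const char *input)
{
    strcpy(NAME(c), input);
}

/* Hardened pattern: measure first and refuse input that does not fit,
 * rather than truncating silently. Returns 0 on success, -1 on rejection. */
static int read_name_safe(struct ctx *c, const char *input)
{
    size_t n = 0;
    while (n < NAME_LEN && input[n] != '\0')
        n++;
    if (n == NAME_LEN)          /* no terminator within the buffer: too long */
        return -1;
    memcpy(NAME(c), input, n + 1);
    return 0;
}

/* Defence in depth for a privileged program: check that the path is still
 * the compile-time constant before opening it. Returns 1 if intact. */
static int path_intact(const struct ctx *c)
{
    return strncmp(PATH(c), HISCORE, PATH_LEN) == 0;
}

/* Demo helper: return code of the hardened read for one input. */
static int safe_rc(const char *input)
{
    struct ctx c;
    ctx_init(&c);
    return read_name_safe(&c, input);
}

/* Demo helper: feed one input through either version and report whether
 * the path field survived (1) or was clobbered (0). */
static int path_survives(const char *input, int hardened)
{
    struct ctx c;
    ctx_init(&c);
    if (hardened) {
        if (read_name_safe(&c, input) != 0)
            return 1;           /* rejected before anything was written */
    } else {
        read_name_unsafe(&c, input);
    }
    return path_intact(&c);
}

/* Constructed sample inputs: 30, 31 and 40 'a's. */
static const char IN30[] = "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa";
static const char IN31[] = "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "a";
static const char IN40[] = "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa";

int main(void)
{
    printf("unsafe, 30 chars: path intact = %d\n", path_survives(IN30, 0));
    printf("unsafe, 31 chars: path intact = %d\n", path_survives(IN31, 0));
    printf("unsafe, 40 chars: path intact = %d\n", path_survives(IN40, 0));
    printf("safe,   40 chars: rc = %d, path intact = %d\n",
           safe_rc(IN40), path_survives(IN40, 1));
    return 0;
}
```

With the unchecked copy, a 30-character name fits (its terminator is the last byte of the name field) while 31 characters already overwrite the first byte of the path, which is exactly the boundary the post observes. The hardened read refuses anything that does not fit with its terminator, so the path field is never written by user input; checking the path against the constant before the privileged open is a second, independent line of defence in case some other write reaches it.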

#2
    Linux Guru sarumont (Join Date: Apr 2003, Location: /dev/urandom, Posts: 3,682)
    Locking this thread...unfortunately, though a valid question (i.e. - not asking us to do your homework for you), it's still on the border of being about exploiting bugs in code. Please re-ask the question in a more specific-to-code (i.e. - not having to do with exploits) form.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy
