5

Is this integer overflow exploitable and, if the answer is yes, how can I exploit it?

    char buffer[20];
    int len = atoi(argv[1]);          /* signed: "-1" parses to -1 */
    if (len < 20)                     /* signed compare, so -1 < 20 holds */
        memcpy(buffer, argv[2], len); /* len converted to size_t here */

If I set len to -1 the application crashes, because the number of bytes to copy is too long and there is a segfault. But is there a way or method to exploit the vulnerability?

3
  • @paj28 len is not argc though, it's argv[1].
    – billc.cn
    Commented Aug 17, 2016 at 14:24
  • If argv[1] is INT_MAX+1 then (len < 20) will return true, then memcpy will cause a buffer overrun - the 3rd parameter to memcpy is size_t, which is an unsigned int. As for "how to exploit" - that's too broad for here. Read some exploit basics and ask specific questions if you need.
    – paj28
    Commented Aug 17, 2016 at 14:51
  • size_t is very often unsigned 64 bits.
    Commented Mar 1, 2023 at 12:13

4 Answers

3

Yes

You don't need to use -1, any value larger than 20 will allow you to overflow the buffer.

It will depend on the next instructions and the mitigations set by the compiler, but from this point on you can probably overwrite the return address and execute shellcode provided as the second parameter.

1
  • Sorry, I forgot to add a check in the code which checks if the len is smaller than 20.
    Commented Jul 17, 2016 at 21:50
1

It's dangerous.

Is it exploitable? Possibly. You've already told us that you can cause a crash, so you may be able to DoS a system by crashing it... depending upon where argv[1] comes from. If it's a hard-coded value, or if it's generated by a calling app and can only ever be between 0 and 20, then it may not be exploitable in the system. It would still be a bad coding pattern, since a small change could make it exploitable. Or if it's never-executed code, or if it's code that is only executed by you and nobody else ever executes it, firewall rules preventing values below 0 or above 20, etc., then it wouldn't be exploitable.

Is it executable? Maybe. We don't have enough information to determine either way. We don't know if the compiler inserts stack canaries. We don't know if there's other code that controls argv[1] and forces it to be a safe value.

Try using !exploitable if you're running on windows if you want a hint (I don't remember the tools for other OSes).

2
  • Yes, I can control all arguments and it is a default simple C program. In Linux.
    Commented Jul 17, 2016 at 22:15
  • 1
    It sounds like you are running this program in your own user space. That will only ever allow you to attack yourself. You need it to run in some other user's space for there to be anyone else to attack.
    – atk
    CommentedJul 17, 2016 at 22:16
0

No one seems to think about the possibility that argv[1] is not a number. If you just enter "this" as the first argument, atoi returns 0, and you can also overflow the buffer because 0 < 20. atoi is not a good choice in many respects. It is better to use strtol, which allows you to detect input mistakes.

2
  • 0 < 20, but copying 0 chars does not overflow the buffer. Only copying more than 20 is an overflow (and possibly an exploit, depending on details of the data and compiled code).
    Commented Aug 17, 2016 at 22:33
  • Correct, I missed that len is used in memcpy.
    Commented Aug 18, 2016 at 12:24
0

First you have a bug. The memcpy will be run if argv[1] < 0, with the value passed as a huge size_t value to memcpy.

Now you would examine what you could do with the bug. You can use it to memcpy from 2 billion to 4 billion bytes which will likely crash your app without any chance of damage. But you’d have to examine exactly what the application does.

But a crash might happen much earlier. It may happen when the string argv[2] runs out of data. If that string is 28 bytes in length, then memcpy might crash after copying 28 bytes, which might have overwritten main()'s return address, so main() returns to an address that the attacker chose.
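The signed/unsigned conversion described in this answer, and the strtol replacement for atoi suggested in the answer above it, as an added worked example (not code from the question or any of the answers). It keeps the question's predicate verbatim next to a hardened parser and copy routine; the function names parse_len, safe_copy, vulnerable_check_passes and as_memcpy_size, and the BUF_LEN constant, are this example's own choices:

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 20   /* the question's char buffer[20] */

/* The predicate from the question, unchanged: a signed compare,
 * so every negative len passes it. */
int vulnerable_check_passes(int len)
{
    return len < 20;
}

/* What memcpy actually receives: the int is implicitly converted to
 * size_t (memcpy's third parameter type), so -1 becomes SIZE_MAX. */
size_t as_memcpy_size(int len)
{
    return (size_t)len;
}

/* The original code path, kept only to show where the bug lives.
 * Never call it with len < 0 or len >= BUF_LEN. */
void vulnerable_copy(char buffer[BUF_LEN], const char *src, int len)
{
    if (len < 20)
        memcpy(buffer, src, len);   /* len converted to size_t here */
}

/* Hardened parser: strtol with errno and end-pointer checks instead
 * of atoi, then an explicit range check against the buffer size.
 * Returns -1 for any rejected input, otherwise a value in [0, max). */
long parse_len(const char *arg, size_t max)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE)                  /* outside long's range */
        return -1;
    if (end == arg || *end != '\0')       /* no digits, or trailing junk */
        return -1;
    if (v < 0 || (unsigned long)v >= max) /* negative, or would not fit */
        return -1;
    return v;
}

/* Safe copy: bounds len by the buffer and by the source's real length,
 * since memcpy reads len bytes regardless of where src's NUL sits. */
int safe_copy(char buffer[BUF_LEN], const char *src, const char *len_arg)
{
    long len = parse_len(len_arg, BUF_LEN);
    if (len < 0)
        return -1;
    if ((size_t)len > strlen(src))
        return -1;
    memcpy(buffer, src, (size_t)len);
    buffer[len] = '\0';   /* len <= BUF_LEN - 1, so the terminator fits */
    return (int)len;
}

int main(int argc, char **argv)
{
    char buffer[BUF_LEN];
    int n;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <len> <data>\n", argv[0]);
        return 2;
    }
    printf("original check on %d: %s; memcpy would receive %zu bytes\n",
           atoi(argv[1]),
           vulnerable_check_passes(atoi(argv[1])) ? "passes" : "rejects",
           as_memcpy_size(atoi(argv[1])));
    n = safe_copy(buffer, argv[2], argv[1]);
    if (n < 0) {
        puts("hardened check: rejected");
        return 1;
    }
    printf("hardened check: copied %d bytes: \"%s\"\n", n, buffer);
    return 0;
}
```

Running it with "-1" as the first argument shows the original predicate accepting the value while memcpy would be handed SIZE_MAX (18446744073709551615 on a 64-bit target); the hardened path rejects "-1", "20", "this" and "12abc" alike, and also refuses a length longer than the second argument, which is the over-read the answer above describes.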
