Last weekend I went to fosscomm 2011, a Greek conference on Free and Open Source Software, together with my friend Nick Kossifidis (mickflemm), at the University of Patras. I can say we had a wonderful time there. I met many interesting people, some that I already knew from the internet and some that I didn’t, I attended many interesting talks on topics about which I had limited or no knowledge, and I also took part in fosswar, a wargames competition that had some quite interesting challenges.

Fosswar was very exciting. There were five challenges (you can get them here if you are interested). People were organized in teams, splitting the 5 challenges between them or collaborating on some of them. When it started, there was no room to sit with my laptop, so I spent some time trying to help my friend with the challenge he had started solving (challenge 5, reverse engineering). A little later, some people left, so I thought why not start on challenge 4 (exploitation), which nobody in my friend’s team had started solving. And so I did…

In this challenge, we were given the source code of a C program with an exploitable security hole that we had to exploit. The program works like this: initially, it allocates an array of many “struct bogus”, where “struct bogus” is:

/* fptr is a function-pointer typedef from the challenge source */
struct bogus {
  size_t magic;
  fptr f;
  char buffer[16];
} bogus_t;

This array is dynamically allocated with mmap() at a predefined memory address (0x80000000). After that, it fills the buffers of all the “struct bogus” with the character ‘M’ (0x4D), sets the magic numbers to ~0 (0xFFFFFFFF on 32-bit and 0xFFFFFFFFFFFFFFFF on 64-bit) and the function pointers (fptr f) to 0. When everything is initialized, it starts reading from stdin and places whatever it reads in a 1KB buffer on the stack. Then, it copies the contents of that buffer into the 16-byte buffer of a random “struct bogus” in the array, and then it iterates over all the “struct bogus” in the array, starting from the second one, verifying that their magic number is still ~0 and calling the function f if the function pointer f is not null. Ok, this is not the most useful program in the world, it is *made* to be exploited, but well, let’s see how this can be done.
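To make the layout concrete, here is an added example (my own reconstruction of the behaviour described above, not the challenge’s actual source): an unchecked copy of more than 16 bytes into one entry’s buffer spills into the next entry’s magic, which the program’s own integrity loop then notices, while a bounds-checked copy simply refuses the input. The fptr signature, the array size and the 20-byte input are assumptions made for the demo.

```c
#include <stddef.h>
#include <string.h>

typedef void (*fptr)(void);   /* assumed signature; the challenge defines it */

struct bogus {                /* same field order as the challenge's struct */
    size_t magic;
    fptr f;
    char buffer[16];
};

#define NBOGUS 4              /* small stand-in for the mmap'd array */
#define MAGIC (~(size_t)0)

static void init_bogus(struct bogus *arr, size_t n) {
    for (size_t i = 0; i < n; i++) {
        arr[i].magic = MAGIC;
        arr[i].f = NULL;
        memset(arr[i].buffer, 'M', sizeof arr[i].buffer);
    }
}

/* Unchecked copy modelled on the challenge: bytes beyond 16 land in the next
   element (done through a char view so the write stays inside the array). */
static void unchecked_fill(struct bogus *arr, size_t idx, const char *in, size_t len) {
    char *dst = (char *)arr + idx * sizeof(struct bogus) + offsetof(struct bogus, buffer);
    memcpy(dst, in, len);
}

/* Hardened copy: reject anything that does not fit. Returns 0 or -1. */
static int checked_fill(struct bogus *arr, size_t n, size_t idx, const char *in, size_t len) {
    if (idx >= n || len > sizeof arr[idx].buffer) return -1;
    memcpy(arr[idx].buffer, in, len);
    return 0;
}

/* The program's integrity loop over entries 1..n-1: index of the first
   clobbered magic, or -1 if every magic is still ~0. */
static int first_corrupted(const struct bogus *arr, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (arr[i].magic != MAGIC) return (int)i;
    return -1;
}

static const char OVERLONG[] = "AAAAAAAAAAAAAAAAAAAA";   /* constructed: 20 bytes */

static int demo_unchecked(void) {   /* index whose magic gets clobbered */
    struct bogus arr[NBOGUS]; init_bogus(arr, NBOGUS);
    unchecked_fill(arr, 1, OVERLONG, sizeof OVERLONG - 1);
    return first_corrupted(arr, NBOGUS);
}
static int demo_checked(void) {     /* 0: input rejected and array intact */
    struct bogus arr[NBOGUS]; init_bogus(arr, NBOGUS);
    int rc = checked_fill(arr, NBOGUS, 1, OVERLONG, sizeof OVERLONG - 1);
    return (rc == -1 && first_corrupted(arr, NBOGUS) == -1) ? 0 : 1;
}
```

Because buffer is the last field, the 4 surplus bytes overwrite the magic of entry 2, exactly the field the verification loop checks.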