Realising that 99% of exploits for a particular class of attacks are identical, I've put together a pair of programs to attack the common cases.

Clearly not all buffer overflows are identical, but these are two cases I keep coming up against:

  - the contents of an environment variable copied into a fixed-size buffer with no bounds checking
  - a command line argument copied into a fixed-size buffer with no bounds checking

These two flaws can be exploited in numerous ways - but 99% of the time it's a matter of finding a similar exploit and changing the offset + target binary name. Dull. Uninteresting.

Hence these two tools.

env-overflow

The env-overflow tool is designed to automatically exploit vulnerable code which copies the contents of an environment variable into a fixed-size buffer, with no bounds checking.

Vulnerable code looks like this:

#include <stdio.h>
#include <stdlib.h>

void someFunction( void )
{
   char buffer[ 256 ];   /* room for 255 characters plus the terminating NUL */

   /* ... */
   /* $HOME is under the caller's control and may be any length (or unset,
      in which case getenv() returns NULL). sprintf() writes strlen(HOME)
      + 7 + 1 bytes with no bounds check, so a HOME of 249 characters or
      more runs past the end of buffer. */
   sprintf( buffer, "%s/.foorc", getenv( "HOME" ) );
   /* ... */
}

cmd-overflow

The cmd-overflow tool is designed to automatically exploit vulnerable code which copies the contents of a command line argument into a fixed-size buffer, again with no bounds checking.

Vulnerable code typically looks like this:

#include <stdio.h>

int main( int argc, char *argv[] )
{
   char buffer[1024];   /* room for 1023 characters plus the terminating NUL */

   /* ... */

   /* argv[1] is supplied by whoever runs the binary and may be any length
      (or missing, in which case argv[1] is NULL). "/etc/" adds 5 bytes,
      so an argument of 1019 characters or more overflows buffer. */
   sprintf( buffer, "/etc/%s", argv[ 1 ] );

   /* ... */

   return 1;
}
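Both snippets fail for the same reason: the length of the formatted result is never compared with the size of the buffer it lands in. The following is an added example, not code from this page or from the env-overflow/cmd-overflow tools, showing the check a practitioner would use to confirm exactly which $HOME or argv[1] lengths overflow each buffer, beside the hardened form (snprintf() with truncation detection) that replaces the sprintf() calls. The function names, the generic prefix/suffix formatting, and the constructed 'A' filler inputs are assumptions of this example; the 256 and 1024 byte sizes are taken from the two snippets.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer sizes from the two vulnerable snippets above. */
#define RC_BUF_SIZE  256    /* someFunction(): "%s/.foorc" from $HOME */
#define ETC_BUF_SIZE 1024   /* main(): "/etc/%s" from argv[1]          */

/* Bytes that prefix + s + suffix occupies once formatted, excluding the
 * terminating NUL. snprintf() with a NULL buffer and size 0 only measures. */
size_t needed_len(const char *prefix, const char *s, const char *suffix)
{
    int n = snprintf(NULL, 0, "%s%s%s", prefix, s, suffix);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if sprintf()-ing prefix + s + suffix into buf_size bytes would overflow
 * (result plus NUL does not fit), else 0. A NULL s (getenv() returning
 * NULL, or a missing argv[1]) is reported as unsafe too: passing NULL to
 * %s is undefined behaviour, not a safe empty string. */
int would_overflow(const char *prefix, const char *s, const char *suffix,
                   size_t buf_size)
{
    if (s == NULL)
        return 1;
    return needed_len(prefix, s, suffix) + 1 > buf_size;
}

/* Hardened replacement for the sprintf() calls: snprintf() never writes past
 * buf_size, and a return value >= buf_size tells us the result was truncated.
 * Returns 0 on success, -1 if s is NULL or the path would not fit; on
 * failure the buffer is left empty rather than holding a half-built path. */
int build_path(char *buffer, size_t buf_size,
               const char *prefix, const char *s, const char *suffix)
{
    if (buf_size == 0)
        return -1;
    if (s == NULL) {
        buffer[0] = '\0';
        return -1;
    }
    int n = snprintf(buffer, buf_size, "%s%s%s", prefix, s, suffix);
    if (n < 0 || (size_t)n >= buf_size) {
        buffer[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a string of len 'A's standing in for an oversized
 * $HOME or argv[1]. The caller frees it. */
char *make_filler(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char rc[RC_BUF_SIZE], etc[ETC_BUF_SIZE];
    char *home = make_filler(249);    /* 249 + 7 + NUL = 257 > 256   */
    char *arg  = make_filler(1019);   /* 5 + 1019 + NUL = 1025 > 1024 */

    printf("HOME of %zu chars overflows the 256-byte buffer: %d\n",
           strlen(home), would_overflow("", home, "/.foorc", sizeof rc));
    printf("argv[1] of %zu chars overflows the 1024-byte buffer: %d\n",
           strlen(arg), would_overflow("/etc/", arg, "", sizeof etc));

    printf("hardened build with oversized HOME: %d\n",
           build_path(rc, sizeof rc, "", home, "/.foorc"));
    if (build_path(rc, sizeof rc, "", "/home/alice", "/.foorc") == 0)
        printf("hardened build ok: %s\n", rc);

    free(home);
    free(arg);
    return 0;
}
```

The boundary values fall out of the arithmetic in the snippets' comments: a $HOME of 248 characters still fits (248 + 7 + NUL = 256) and 249 does not; an argv[1] of 1018 characters fits in 1024 bytes and 1019 does not. Note that build_path() rejects oversized input outright instead of silently truncating, because a truncated path such as "/etc/passw" is still a wrong answer.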