OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: koules buffer overflows
From: Robert (kotzFLASH.NET)
Date: Fri Apr 21 2000 - 10:35:40 CDT


Before I start I feel that I should warn you that I'm not terribly
experienced with BOF's and so this will be as much as a question session
as it is a report of bugs.

Last night I did some VERY limited searching through koules v. 1.4 (so
don't think that these two cases are the only two in the code.) and I
found two things that are kinda interesting.

Bug 1.) In the file init.c (located in the svgalib directory of the
koules source.) there is what seems to be a blatant, classic overflow.
The problem is when it parses the -C command line option, it just does a
blind strcpy(). Here's a snippet:

client.h: extern char servername[256];

svgalib/init.c: #include <../client.h>
                            ...
                            case 'C':
                                    strcpy(servername, optarg);
                                    client = 1;
                                    break;

Ok, so koules -C `perl -e 'print "A" x 300'` should seg fault it right?
No. After just playing around with numbers, 2160 is the lowest it takes
to cause a seg fault, however, I can't make it overwrite the EIP.
The seg fault is obviously happening in strcpy() and gdb confirms that,
but every time it seg faults, the
EIP is always 0x400d331f (at least on my box.) So my questions here are
why isn't this overwriting the
EIP with A's? Can this be overwritten or is there something I've missed
out of inexperience? Any help
would be greatly appreciated.

bug 2.) The next problem (or at least I think it's a problem) that I
found is in the file koules.sndsrv.linux.c
I haven't looked in the other *.sndsrv.* files but I would assume that
something similar exists. This time,
instead of a strcpy, it's a strcat but there are some interesting
hurdles which make me wonder how this
would be exploited. Let me show a snippet, then explain what I mean.

koules.sndsrv.linux.c: void init(int argc, char **argv) {

                                                           char s[1024];

                                                            ...
                                                            s[0] = 0;
                                                            strcat(s,
argv[1]);

Once again, this seems really trivial, but it's a bit more complicated.
the function init is later called in the
function main() of the same file (koules.sndsrv.linux.c) however, that
function main is not the only main.
in svgalib/init.c the function main() is the one that runs and I haven't
been able to see where in the hell
the OTHER main is called from, or for that matter where any of the
functions of that file are called from.
So as far as this one goes, I have no clue on how to make it overflow.
Once again, any help would be great.

-- Robert Kotz