In analyzing this code, note that the entire environ field is optional, but skipping it wouldn't be any fun for us. The problem in the code results from the fact that the while loop that processes each new environment string fails to do any bounds checking on the counter i, while the declaration of envstrings only allocates space for 16 pointers. If more than 16 environment strings are provided, the stack contents beyond the envstrings array (toward higher addresses) start to get overwritten. We have the makings of a buffer overflow at this point, but the question becomes: "Can we reach the saved return address?" Some quick math tells us that there are about 67600 bytes of stack space between the end of the envstrings array and the saved frame pointer/saved return address. Since each member of the envstrings array occupies 4 bytes, if we add 67600/4 = 16900 additional environment strings to our input packet, the pointers to those strings will overwrite all of the stack space up to the saved frame pointer.
Gray Hat Hacking: The Ethical Hacker's Handbook
288
Two additional environment strings will give us an overwrite of the saved frame pointer and then the saved return address, for a total of 16 + 16900 + 2 = 16918 environment strings. How can we include 16918 environment strings if each must appear in our packet in the form key=value? If a minimal environment string, say x=y, consumes 4 bytes counting the trailing space, then our input packet needs to accommodate 16918 * 4 = 67672 bytes of environment strings alone.
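The following C program is an added example, not the code from the book or the program under analysis. It writes out the overflow arithmetic above as functions, and beside them a hypothetical key=value parser of the same shape as the one described (a fixed 16-slot pointer array filled by a loop that never checks i) together with the bounded form that fixes it. The 67600-byte gap and 4-byte pointers come from the text; the parser, the "x=y " packet builder and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ENV_SLOTS 16   /* the 16 pointers the text says envstrings allocates */

/* Overflow arithmetic from the text: number of environment strings needed so
 * the pointer writes run from envstrings[0] up through the saved frame pointer
 * and the saved return address. gap_bytes is the distance from the end of the
 * array to the saved frame pointer (67600 in the text), ptr_size the size of
 * one array member (4 on the 32-bit target the text assumes). */
size_t strings_to_reach_ret(size_t gap_bytes, size_t ptr_size, size_t slots) {
    size_t filler = gap_bytes / ptr_size;   /* pointers that span the gap */
    return slots + filler + 2;              /* + saved EBP + saved return address */
}

/* Packet bytes consumed if every environment string is the minimal "x=y "
 * (4 bytes counting the trailing space). */
size_t packet_bytes_for(size_t nstrings, size_t bytes_per_string) {
    return nstrings * bytes_per_string;
}

/* Hypothetical parser of the shape the text describes (NOT the book's code):
 * walks a space-separated list of key=value pairs and stores a pointer to each
 * in a 16-slot array with no bound on i. With more than 16 pairs it writes
 * pointers past the array, which is the overflow. Kept only for comparison;
 * main() never calls it with overflowing input. */
size_t parse_env_unbounded(char *buf, char *envstrings[ENV_SLOTS]) {
    size_t i = 0;
    char *tok = strtok(buf, " ");
    while (tok != NULL) {
        envstrings[i++] = tok;              /* no check against ENV_SLOTS */
        tok = strtok(NULL, " ");
    }
    return i;
}

/* Hardened form: stop once the array is full. Returns the number of strings
 * stored, or -1 if the packet carried more than ENV_SLOTS pairs, which is the
 * condition the original loop never tests. */
int parse_env_bounded(char *buf, char *envstrings[ENV_SLOTS]) {
    size_t i = 0;
    char *tok = strtok(buf, " ");
    while (tok != NULL) {
        if (i >= ENV_SLOTS)
            return -1;                      /* would have overflowed */
        envstrings[i++] = tok;
        tok = strtok(NULL, " ");
    }
    return (int)i;
}

/* Build a constructed packet of n minimal "x=y " strings into out. */
size_t build_env_packet(char *out, size_t cap, size_t n) {
    size_t used = 0;
    for (size_t k = 0; k < n && used + 4 < cap; k++) {
        memcpy(out + used, "x=y ", 4);
        used += 4;
    }
    out[used] = '\0';
    return used;
}

/* Constructed check: parse a packet of n strings with the bounded parser. */
int bounded_parse_result(size_t n) {
    char packet[128];
    char *env[ENV_SLOTS];
    build_env_packet(packet, sizeof packet, n);
    return parse_env_bounded(packet, env);
}

int main(void) {
    printf("16 strings -> bounded parser stores %d\n", bounded_parse_result(16));
    printf("17 strings -> bounded parser returns %d (rejected)\n",
           bounded_parse_result(17));
    size_t n = strings_to_reach_ret(67600, 4, ENV_SLOTS);
    printf("strings needed to overwrite the return address: %zu\n", n);
    printf("packet bytes at 4 bytes per string: %zu\n", packet_bytes_for(n, 4));
    return 0;
}
```

The 16918 and 67672 figures fall straight out of strings_to_reach_ret and packet_bytes_for; the two parsers differ only in the single comparison against ENV_SLOTS, which is exactly the check the text says is missing.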