The sprintf() call we are looking at decompiles into the following C statement:

    sprintf(cmd,
            "find %s -name \"%s\" -exec grep -H -n %s \\{\\} \\; > %s",
            init_cwd, filename, keyword, outf);
We will cheat a bit here and rely on our earlier analysis of the find.c source code to
remember that the filename and keyword parameters are pointers to user-supplied
strings from an incoming UDP packet. Long strings supplied to either filename or keyword
should get us a buffer overflow. Without access to the source code, we would need
to determine where each of the four string parameters obtains its value. This is simply a
matter of doing a little additional tracing through the manage_request() function.
Exactly how long does a filename need to be to overwrite the saved return address? The
answer is somewhat less than the 1552 bytes mentioned earlier, because there are output
characters sent to the cmd buffer prior to the filename parameter. The format string
itself contributes 13 characters prior to writing the filename into the output buffer, and
the init_cwd string also precedes the filename. The following code from elsewhere in
manage_request() shows how init_cwd gets populated:
.text:08049A12 push 1024
.text:08049A17 lea eax, [ebp+init_cwd]
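As an added illustration (not code from the book or from the find daemon it analyzes), the following C places the decompiled sprintf() call's format string beside a bounded replacement that checks its return value, and computes where the filename lands inside cmd; the 1552-byte buffer size is the figure given in the text, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 1552   /* size of cmd, as stated in the text */

/* Format string exactly as decompiled from the sprintf() call. */
static const char FIND_FMT[] =
    "find %s -name \"%s\" -exec grep -H -n %s \\{\\} \\; > %s";

/* Bytes sprintf() would emit (without the NUL); a zero-size snprintf()
 * computes the length without writing anything. */
size_t find_cmd_len(const char *init_cwd, const char *filename,
                    const char *keyword, const char *outf)
{
    int n = snprintf(NULL, 0, FIND_FMT, init_cwd, filename, keyword, outf);
    return n < 0 ? 0 : (size_t)n;
}

/* Where the filename starts inside cmd: the 13 literal characters before
 * the second %s ("find " and " -name \"") plus the length of init_cwd. */
size_t filename_offset(const char *init_cwd)
{
    return strlen("find ") + strlen(init_cwd) + strlen(" -name \"");
}

/* Hardened form of the call: bounded write, and the return value is checked
 * so an oversized request is rejected instead of overflowing cmd.
 * Returns 0 on success, -1 if the command does not fit in cmdsz bytes. */
int build_find_cmd(char *cmd, size_t cmdsz, const char *init_cwd,
                   const char *filename, const char *keyword, const char *outf)
{
    int n = snprintf(cmd, cmdsz, FIND_FMT, init_cwd, filename, keyword, outf);
    if (n < 0 || (size_t)n >= cmdsz) {
        if (cmdsz) cmd[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE], longname[2000];   /* constructed inputs, not from the page */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("filename offset %zu, short ok=%d, long ok=%d\n", filename_offset("/tmp"),
           build_find_cmd(cmd, sizeof cmd, "/tmp", "a.txt", "key", "/tmp/out"),
           build_find_cmd(cmd, sizeof cmd, "/tmp", longname, "key", "/tmp/out"));
    return 0;
}
```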