99% of the time, when you discover a security problem in a program, documenting it is sufficient for your report to be read, understood and accepted.
However, there are times when somebody will be skeptical of a report, and at those times having a working script to exploit the weakness will focus their attention.
Many of the earlier problems I reported fell into two simple classes:
- Missing bounds checks on environment variable usage.
- Missing bounds checks when copying command line arguments.
Rather than code an exploit for each particular target, I came up with a generic approach: two command-line tools which attempt to exploit these two classes of problem in a simple fashion.
If you would like more details on the underlying technique, I'd suggest reading "Smashing the Stack for Fun & Profit".
The cmd-overflow tool is designed to automatically exploit vulnerable code which copies the contents of a command-line argument into a fixed-size buffer with no bounds checking.
Vulnerable code typically looks like this:

```c
int main( int argc, char *argv[] )
{
    char buffer[1024];
    ...
    sprintf( buffer, "/etc/%s", argv[ 1 ] );
    ...
    return 1;
}
```
The env-overflow tool is designed to automatically exploit vulnerable code which copies the contents of an environment variable into a fixed-size buffer with no bounds checking.
Vulnerable code looks like this:

```c
void someFunction( )
{
    char buffer[ 256 ];
    ..
    sprintf( buffer, "%s/.foorc", getenv( "HOME" ) );
    ..
}
```
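For contrast, here is a hardened form of both patterns above. This is an added example written for this page, not code from the tools described; the function names `build_etc_path` and `build_rc_path` are my own. The fix in both cases is the same: bound the write with `snprintf`, treat truncation as an error rather than silently continuing, and never pass a NULL from `getenv` into a `%s` conversion.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened version of the argv[1] pattern: build "/etc/<name>" into a
   fixed-size buffer, but reject input that would not fit instead of
   overrunning the buffer. Returns 0 on success, -1 on missing or
   over-long input (buffer is left empty in that case). */
int build_etc_path(char *buffer, size_t buflen, const char *name)
{
    if (name == NULL || buflen == 0)
        return -1;
    int n = snprintf(buffer, buflen, "/etc/%s", name);
    if (n < 0 || (size_t)n >= buflen) {   /* would have been truncated */
        buffer[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hardened version of the getenv("HOME") pattern. getenv() can return
   NULL, and the value is controlled by whoever launched the process,
   so both the NULL case and the length are checked explicitly. */
int build_rc_path(char *buffer, size_t buflen, const char *home)
{
    if (home == NULL || buflen == 0)
        return -1;
    int n = snprintf(buffer, buflen, "%s/.foorc", home);
    if (n < 0 || (size_t)n >= buflen) {
        buffer[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char path[1024];
    char rc[256];

    if (argc < 2 || build_etc_path(path, sizeof path, argv[1]) != 0) {
        fprintf(stderr, "usage: %s <name> (name missing or too long)\n", argv[0]);
        return 1;
    }
    printf("%s\n", path);

    /* HOME unset or too long is handled gracefully rather than crashing. */
    if (build_rc_path(rc, sizeof rc, getenv("HOME")) == 0)
        printf("%s\n", rc);
    return 0;
}
```

Run it with an over-long first argument, or with `HOME` unset or set to a very long value, and the program reports an error where the original snippets would write past the end of their buffers.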