buffer overflow in igmpPacketKind

[miorakun]

In this function, the value of type and code is controlled by the attacker and he can increase the two values ​​to 16 bytes by sending two values ​​of 8 bytes.

static const char *igmpPacketKind(unsigned int type, unsigned int code) {
    static char unknown[20];

    switch (type) {
    case IGMP_MEMBERSHIP_QUERY:     return  "Membership query  ";
    case IGMP_V1_MEMBERSHIP_REPORT:  return "V1 member report  ";
    case IGMP_V2_MEMBERSHIP_REPORT:  return "V2 member report  ";
    case IGMP_V3_MEMBERSHIP_REPORT:  return "V3 member report  ";
    case IGMP_V2_LEAVE_GROUP:        return "Leave message     ";

    default:
        sprintf(unknown, "unk: 0x%02x/0x%02x    ", type, code);
        return unknown;
    }
}

In sprintf, we can see that the value of the string plus several spaces and the value of unk and etc... are stored in the buffer, and when all of them are added together, the value of len 30 is stored in the buffer.

Canary can be overwritten

*** buffer overflow detected ***: terminated
[1]    4235 IOT instruction  ./igmpproxy_example

igmpproxy_example.c

#include <stdio.h>

int main() {
    unsigned int code = 0x41414134141;
    unsigned int type = 0xfffffffff;
    char a[20];
    sprintf(a, "unk: 0x%02x/0x%02x    ", type, code);
    printf("%i\n",strlen(a));
    printf(a);
    return 0;
}

compile:

gcc -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -fPIE -pie -Wl,-z,relro,-z,now -o igmpproxy_example igmpproxy_example.c