Vulnerability Development mailing list archives
about Format Strings
From: faxrazor () FASTMAIL CA
Date: Fri, 13 Oct 2000 18:11:12 -0000
I am a beginner in the field of exploiting and recently read "Format String Attacks" by Tim Newsham. The article gave examples and descriptions of many aspects of exploiting a format string. It however left out how one would go about finding the EIP/return address so that we could change the value to our liking. I searched everywhere on bugtraq and irc without a good answer, so I decided to post here.

    #include <stdio.h>
    #include <stdlib.h>   /* exit() */
    #include <string.h>   /* strlen() */

    int main(int argc, char **argv)
    {
        char buf[100];
        int x;

        if (argc != 2)
            exit(1);
        x = 1;
        /* argv[1] is used directly as the format string: this is the bug */
        snprintf(buf, sizeof buf, argv[1]);
        buf[sizeof buf - 1] = 0;
        printf("buffer (%d): %s\n", (int)strlen(buf), buf);
        printf("x is %d/%#x (@ %p)\n", x, x, (void *)&x);
        return 0;
    }

The above is the code from the tutorial. I was wondering exactly how one would go about using gdb to find the return address so that one might insert it in the above to cause a segmentation fault (for example, overwrite the EIP with a given number like 0x1 or something). From here I understand what goes on. Just getting the ret addy is the problem. Any advice and/or examples are appreciated. Also, can someone show an example of how you would go about passing an address to write twice to an address to possibly change the value of integer x to 2 or something less than 4? Thanks.
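As an added illustration (not the poster's or Newsham's code), the snippet below places the tutorial's unsafe snprintf call next to the hardened form, where the user string is passed as data to a constant "%s" format, and adds a small helper that counts conversion directives in untrusted text, useful for logging or rejecting suspicious input at a trust boundary. The function names and the static buffer are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define OUT_LEN 100

/* The pattern from the tutorial: user input becomes the format string.
 * gcc -Wformat -Wformat-security reports this call at compile time.
 * Defined only when `user` contains no '%' directives; otherwise the
 * caller controls what snprintf reads from (and with %n writes to). */
static const char *render_unsafe(const char *user)
{
    static char buf[OUT_LEN];
    snprintf(buf, sizeof buf, user);
    return buf;
}

/* Hardened form: the format is a constant and user input is just an
 * argument, so "%x" or "%n" in the input is copied literally. */
static const char *render_safe(const char *user)
{
    static char buf[OUT_LEN];
    snprintf(buf, sizeof buf, "%s", user);
    return buf;
}

/* Count format conversion directives in untrusted text. "%%" is a
 * literal percent sign and is not counted. A non-zero result on input
 * that should be plain data is worth logging as a probe. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    const char *probe = "%x%x%x%n";
    printf("safe   : %s\n", render_safe(probe));
    printf("unsafe : %s (no directives, so defined)\n", render_unsafe("hello"));
    printf("directives in probe: %d\n", count_directives(probe));
    return 0;
}
```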