Vulnerability Development mailing list archives
Re: [Vuln-dev Challenge] Challenge #2
From: Robert Hogan <robert () roberthogan net>
Date: Tue, 27 May 2003 22:03:18 +0100
On Monday 26 May 2003 16:59, Janus N. wrote:
> ## ...MEDIC! what is this? What are you doing?
> ## WHY are you doing it? omg halp!
> ## Assigning the address of printf_got-2 to
> ## the address pointed to by p?
> *((void**)p) = (void*)(printf_got - 2); /* to avoid
>
> We want to set (overflow) the bfp pointer with the address of the printf command. We subtract two because the db.log file starts with two ';;'. These will then be written two bytes before printf code starts --- corrupting whatever is there (but we really don't care about that).
One (hopefully final) request for clarification: when fgets finds bfp (with the address of printf there) it jumps to printf and executes the value in bfp (which is now shellcode)??? Is this correct? I still don't really get the printf_got -2 thing. I would have thought that if printf is at a given address, changing that address would point to something else that is not the printf command! Obviously not, but I don't understand how.
> /* calculate address of shellcode. Assumes fixed stack-base and Linux os */
> ## few questions on this one.
> ## where did you get the 0xbffffffa?
> ## also how did you get it.
> ## Why are we subtracting the length of
> ## the name of the vulnerable program from it?
> ## And worse yet we're subtracting the length
> ## of the shellcode from that, so now i'm
> ## really lost. I'm inclined to think this
> ## has something to do with the environment.
> ## but i can't for the life of me figure out
> ## what.
> saddr = 0xbffffffa - strlen(victim) - strlen(shellcode);
>
> Take a look at Murat's "Buffer overflows demystified": http://www.enderunix.org/docs/eng/bof-eng.txt
>
> ## ok make argv2 point to value of saddr.
> *((char**)arg2) = (char *)(saddr);
> printf("[i] shellcode is at 0x%08x\n", saddr);
> printf("[i] printf GOT is 0x%08x\n", printf_got);
> printf("[i] using 0x%08x as GOT\n", printf_got - 2);
>
> Hope this helps.
>
> Regards,
> Janus
Current thread:
- Re: [Vuln-dev Challenge] Challenge #2 (SPOILER), (continued)
- Re: [Vuln-dev Challenge] Challenge #2 (SPOILER) Joel Eriksson (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 (SPOILER) Joel Eriksson (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 Jason_Royes (May 24)
- [Vuln-dev Challenge] nonexec stack&heap solution (encrypted) Jose Ronnick (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 anon (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 spacewalker (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 Jose Ronnick (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 Janus N. (May 24)
- Re: [Vuln-dev Challenge] Challenge #2 Diode Trnasistor (May 26)
- Re: [Vuln-dev Challenge] Challenge #2 Janus N. (May 26)
- Re: [Vuln-dev Challenge] Challenge #2 Robert Hogan (May 30)
- Re: [Vuln-dev Challenge] Challenge #2 Janus N. (May 30)
- Re: [Vuln-dev Challenge] Challenge #2 Diode Trnasistor (May 26)
- Re: [Vuln-dev Challenge] Challenge #2 (SPOILER) Joel Eriksson (May 24)
- Gera's Insecure Programing abo7 sin (May 30)
- N00b questions :\ Diode Trnasistor (May 24)
- Re: N00b questions :\ Janus N. (May 24)
- Re: N00b questions :\ northern snowfall (May 24)
- Re: N00b questions :\ Janus N. (May 24)
- Re: N00b questions :\ northern snowfall (May 24)
- Re: N00b questions :\ Diode Trnasistor (May 25)