Vulnerability Development mailing list archives

Re: [Vuln-dev Challenge] Challenge #2


From: Robert Hogan <robert () roberthogan net>
Date: Tue, 27 May 2003 22:03:18 +0100

On Monday 26 May 2003 16:59, Janus N. wrote:


        ## ...MEDIC! what is this?  What are you doin?
        ## WHY are you doing it? omg halp!
        ## Assigning the address of printf_got-2 to
        ## the address pointed to by p?

  *((void**)p) = (void*)(printf_got - 2); /* to avoid

We want to set (overflow) the bfp pointer with the address of the printf
command. We subtract two because the db.log file starts with two ';;'.
These will then be written two bytes before printf code starts ---
corrupting whatever is there (but we really don't care about that).

One (hopefully final) request for clarification:

when fgets finds bfp (with the address of printf there) it jumps to printf and 
executes the value in bfp (which is now shellcode)???

Is this correct?

I still don't really get the printf_got -2 thing. I would have thought that if 
printf is at a given address, changing that address would point to something 
else that is not the printf command! Obviously not, but I don't understand 
how. 



  /* calculate address of shellcode. Assumes fixed stack-base
     and Linux os */

        ## few questions on this one.
        ## where did you get the 0xbffffffa?
        ## also how did you get it.
        ## Why are we subtracting the length of
        ## the name of the vulnerable program from it?
        ## And worse yet we're subtracting the length
        ## of the shellcode from that, so now i'm
        ## really lost.  I'm inclined to think this
        ## has something to do with the environment.
        ## but i can't for the life of me figure out
        ## what.

  saddr = 0xbffffffa - strlen(victim) - strlen(shellcode);

Take a look at Murat's "Buffer Overflows Demystified":
http://www.enderunix.org/docs/eng/bof-eng.txt

        ## ok make argv2 point to value of saddr.

  *((char**)arg2) = (char *)(saddr);

  printf("[i] shellcode is at 0x%08x\n", saddr);
  printf("[i] printf GOT is 0x%08x\n", printf_got);
  printf("[i] using 0x%08x as GOT\n", printf_got - 2);

Hope this helps.

Regards,
Janus
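A small C model of the "printf_got - 2" arithmetic the thread is about, added here and not part of the challenge code or either poster's mail: a scratch byte array stands in for the memory around one 4-byte slot, and a record beginning with ";;" is copied in at the slot and at slot minus two, so the reader can see which bytes land in the slot and which two bytes before it get corrupted. The region size, slot offset and filler byte are constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the "printf_got - 2" offset: a 16-byte scratch region
 * stands in for memory around one 4-byte GOT slot at offset 8 (hypothetical). */
#define REGION_SIZE 16
#define SLOT_OFFSET 8
#define FILLER 0xAA

/* Copy a db.log-style record (";;" then a 4-byte little-endian address) into
 * region at base_offset, as a string copy through the redirected pointer would. */
static void write_record(uint8_t *region, int base_offset, uint32_t value)
{
    uint8_t record[6] = { ';', ';', 0, 0, 0, 0 };
    for (int i = 0; i < 4; i++)
        record[2 + i] = (uint8_t)(value >> (8 * i));   /* LE byte order */
    memcpy(region + base_offset, record, sizeof record);
}

/* Read the 4-byte slot back as a little-endian integer. */
static uint32_t read_slot(const uint8_t *region)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)region[SLOT_OFFSET + i] << (8 * i);
    return v;
}

/* 1 if the slot holds exactly `value` after the record lands at base_offset:
 * at the slot itself ";;" takes its low two bytes, at slot - 2 the address fits. */
int slot_holds_value(int base_offset, uint32_t value)
{
    uint8_t region[REGION_SIZE];
    memset(region, FILLER, sizeof region);
    write_record(region, base_offset, value);
    return read_slot(region) == value;
}

/* Bytes before the slot that the write overwrote ("corrupting whatever is there"). */
int bytes_clobbered_before_slot(int base_offset, uint32_t value)
{
    uint8_t region[REGION_SIZE];
    memset(region, FILLER, sizeof region);
    write_record(region, base_offset, value);
    int n = 0;
    for (int i = 0; i < SLOT_OFFSET; i++)
        if (region[i] != FILLER) n++;
    return n;
}
```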

