Re: Help, problems finding addresses with format strings

[Vade 79 <v9 () fakehalo deadpig org>]

In-Reply-To: <20040219132347.GA26946@x0riguer>

the idea is to use the data in the(any) buffer you can write to as a user in conjunction with %n/etc formatting...you 
do not need to know the location of the buffer(vuln[1024]) you are using in this case, but you do need a location to 
write to(new memory address, anywheres in memory)...you usually will want to use %n/etc to overwrite GOT(global offset 
table) function addresses or .dtors...which will give you control of the program. so basically you use %x's, when 
testing, until you see the actual data in vuln[1024]...in your case it appears to be 4...just to get you on the right 
track, there are several how-to's out there.. google has many informative responses.

(by %n i really mean %hn, you will usually need to use half numbers and overwrite the address in two 16bit(2 
charactars) parts...this is the popular method used for generic format bugs)

...sorry for my bad english, but i'm american :P


> Hello,
>
> Having some experience with BOF, i decided to read some docs about format
> strings vulnerabilities, but... my surprise is that, by any reason, i can't
> find anything seemed to this doc, i'd like some experience to help me. 
> My system is a Debian/GNULinux sid with gcc 3.3.3
>
> Look at this simple (aparently) code:
>
> ---
>
> #include <stdio.h> 
> #include <string.h>
> #include <unistd.h>
> main () {
> char vuln[1024];
> bzero(vuln,1024);
> printf("vuln program\n\n");
> printf("enter some string:");
> fflush(stdout);
> read(0,vuln,1024);
> printf(vuln);
> }
>
> ---
>
> We compile it and execute it...
>
> When program asks for string, we want to guess stack region...
>
> enter some string:%x %x %x %x
> bffff4d0 400 2 25207825
>
> - This addresses are: 
>
> [x0riguer]:~/Projects/fstrings$ gdb -q ./fsvuln 
> (gdb) disas main
> Dump of assembler code for function main:
> 0x08048424 <main+0>:    push   %ebp
> 0x08048425 <main+1>:    mov    %esp,%ebp
> 0x08048427 <main+3>:    sub    $0x418,%esp
> ...
> ...
> 0x08048499 <main+117>:  call   0x8048328
> 0x0804849e <main+122>:  leave  
> 0x0804849f <main+123>:  ret    
> End of assembler dump.
> (gdb) break *0x08048499
> Breakpoint 2 at 0x8048499: file fsvuln.c, line 16.
> (gdb) r
> Starting program: /home/yeyu/Projects/fstrings/fsvuln 
> vuln program
>
> enter some string:%x %x %x %x
>
> Breakpoint 2, 0x08048499 in main () at fsvuln.c:16
> 16      printf(vuln);
> (gdb) x/10wx $esp
> 0xbffff4c0:     0xbffff4d0      0xbffff4d0      0x00000400      0x00000002
> 0xbffff4d0:     0x25207825      0x78252078      0x0a782520      0x00000000
> 0xbffff4e0:     0x00000000      0x00000000
>
> ...
> * If we can guess the string of 0xbffff4d0 ...
> ...
>
> (gdb) x/s 0xbffff4d0
> 0xbffff4d0:      "%x %x %x %x\n"
>
> Now ... i think where the char vuln[1024] starts, in 0xbffff4d0 no?, i want to
> overwrite this buffer and theorically overwrite main ret address by other.
>
> 1- How can I guess (theorically and practically) this ret address in the stack ? (i think is in stack)
> 2- When i have the value of the ret address, i think i have to overwrite by
> techniques like %8x and %n, isn't it?
>
> Help me to solve this problem please...
>
> Thank you
>
> -- 
>
> =-------------------------------------------------=
> **        yn0          [yeyuno () bigfoot com]  **
> =------[ echo "\$0&\$0">_;chmod +x _;./_ ]--------=