Vulnerability Development mailing list archives

format-string exploit under Windows?


From: cadence () APOLLO ACI COM PL (Tomasz Grabowski)
Date: Tue, 11 Jul 2000 17:52:33 +0200


Hello.

I am wondering if there is a possibility to exploit that "user-supplied format
string error" under Windows.

Let's look at the package "make" source code.

In file main.c in section #ifdef WINDOWS32 (about line number 500) we can
find the following:

 LPSTR cmdline = GetCommandLine();
 LPSTR prg = strtok(cmdline, " ");
 CHAR errmsg[1024];

 [...]

 sprintf(errmsg, _("%s: Interrupt/Exception caugh "), prg);

 [...]

 fprintf(stderr, errmsg);

First of all I'm not sure how exactly that 'LPSTR' works, but I think
it can be an unlimited-length string.

Nice sprintf().
No matter...

The important thing for me is the fprintf() without a proper format string.
So is it possible to exploit that vulnerability in fprintf() by putting
some evil code into 'prg'? Assuming it is less than 1024 because of the buffer
overflow in sprintf() :)

Has someone tried something like this with his own Windows?
Hints?

___
{Tomasz Grabowski} (cadence () aci com pl) [Akademickie Centrum Informatyki]
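Added example, not code from the post or from make's own source: the message construction quoted above with the two fixes a reviewer would ask for (snprintf for the bounded copy, a constant "%s" format for the report), plus a small check that counts conversion specifications in a string that is about to be used as a format. The function names (count_conversions, build_errmsg, render_safe) and the sample program names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ERRMSG_CAP 1024  /* same size as the errmsg[1024] buffer in the post */

/* Count printf conversion specifications in a string that is about to be
 * used as a *format*. "%%" is a literal percent and is not counted. Anything
 * non-zero means fprintf(stderr, s) would walk the stack for arguments the
 * caller never passed, which is the hazard the post asks about. */
size_t count_conversions(const char *s) {
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The message construction from the post, with sprintf replaced by snprintf
 * so an over-long 'prg' is truncated instead of overflowing errmsg.
 * Returns the length snprintf wanted to write (>= cap means truncation). */
int build_errmsg(char *errmsg, size_t cap, const char *prg) {
    return snprintf(errmsg, cap, "%s: Interrupt/Exception caught ", prg);
}

/* Hardened replacement for fprintf(stderr, errmsg): the message is passed
 * as an argument to a constant format, so a '%' inside prg is printed
 * literally. Rendered into 'out' here so the result can be checked. */
int render_safe(char *out, size_t cap, const char *errmsg) {
    return snprintf(out, cap, "%s", errmsg);
}

int main(void) {
    /* Constructed inputs: a normal program name and one carrying directives. */
    const char *benign = "make";
    const char *hostile = "make%x%x";
    char errmsg[ERRMSG_CAP], out[ERRMSG_CAP];

    build_errmsg(errmsg, sizeof errmsg, benign);
    printf("benign:  %zu conversions in \"%s\"\n", count_conversions(errmsg), errmsg);
    build_errmsg(errmsg, sizeof errmsg, hostile);
    printf("hostile: %zu conversions in \"%s\"\n", count_conversions(errmsg), errmsg);
    render_safe(out, sizeof out, errmsg);
    printf("safe output: \"%s\"\n", out);
    return 0;
}
```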

