Re: format-string exploit under Wndows?

[dullien () GMX DE (Thomas Dullien)]

At 05:52 PM 7/11/2000 +0200, you wrote:

>  LPSTR cmdline = GetCommandLine();
>  LPSTR prg = strtok(cmdline, " ");
>  CHAR errmsg[1024];
> [...]
> sprintf(errmsg, _("%s: Interrupt/Exception caugh "), prg);
> [...]
> fprintf(stderr, errmsg);
(..)
> The important for me is fprintf() without proper format string.
> So is it possible to exploit that vulnerbility in fprintf() by putting
> some evil code to 'prg' ? Assuming it is less than 1024 because of buffer
> overflow in sprintf() :)

I don't see why this should not be exploitable. I doubt you can gain
anything from exploiting it though as you're invoking it and the
thing will run in your security context.
If you want to send me a binary of the prog so I can have a look,
go ahead :)