Vulnerability Development mailing list archives
Re: format-string exploit under Windows?
From: dullien () GMX DE (Thomas Dullien)
Date: Wed, 12 Jul 2000 11:04:12 +0700
At 05:52 PM 7/11/2000 +0200, you wrote:
LPSTR cmdline = GetCommandLine();
LPSTR prg = strtok(cmdline, " ");
CHAR errmsg[1024];
[...]
sprintf(errmsg, _("%s: Interrupt/Exception caugh "), prg);
[...]
fprintf(stderr, errmsg);
(..)
The important thing for me is fprintf() without a proper format string. So is it possible to exploit that vulnerability in fprintf() by putting some evil code into 'prg'? Assuming it is less than 1024 because of the buffer overflow in sprintf() :)
I don't see why this should not be exploitable. I doubt you can gain anything from exploiting it, though, as you're invoking it and the thing will run in your security context. If you want to send me a binary of the prog so I can have a look, go ahead :)
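An added illustration, not code from the thread: the quoted pattern rewritten so that prg is only ever data, never the format, plus a small check that counts conversion directives in a string. The full error text and the hostile argv[0] value are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Count '%' conversion directives in s, ignoring the literal "%%".
 * Any count > 0 means the string must never be used as a format. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; } /* "%%" prints one '%' */
        n++;
    }
    return n;
}

/* Bounded replacement for the sprintf() in the post: prg is an
 * argument, the format is a constant. Returns 1 if the message
 * fit in out, 0 if snprintf() had to truncate it (no overflow). */
int build_errmsg_safe(char *out, size_t outlen, const char *prg)
{
    /* message text assumed; the post's string is cut off */
    int r = snprintf(out, outlen, "%s: Interrupt/Exception caught", prg);
    return r >= 0 && (size_t)r < outlen;
}

/* Fixed reporting: constant format, message passed as data, so any
 * "%x" or "%n" inside msg is printed verbatim, never interpreted. */
void report_safe(FILE *f, const char *msg)
{
    fprintf(f, "%s\n", msg);
}

int main(void)
{
    char errmsg[1024];
    const char *prg = "evil%x%x%n";   /* constructed hostile argv[0] */

    build_errmsg_safe(errmsg, sizeof errmsg, prg);
    report_safe(stderr, errmsg);      /* prints the directives literally */
    printf("directives in errmsg: %d\n", count_conversions(errmsg));
    return 0;
}
```

The original fprintf(stderr, errmsg) would hand that same errmsg to the format parser; the check shows why a string derived from the command line can never be trusted in that position.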
Current thread:
- Re: format-string exploit under Windows? Thomas Dullien (Jul 11)