Vulnerability Development mailing list archives

Blue Boar's question...


From: thomas () RELAYGROUP COM (Thomas Dullien)
Date: Wed, 5 Jul 2000 12:13:19 +0700


Concerning Blue Boar's question whether these format string errors are
exploitable: Yes, they are.

If you recap what we can do, you'll find out that most format strings we
supply could just pop more stuff off the stack and thus crash the application.
But if you look at the (v/s/n)printf specifications you'll notice one certain
format parameter: "%n"...

"%n" will write the number of bytes written so far into the memory location
pointed to by the corresponding variable on the stack.

How to exploit this:
Usually, you can just try to pop from the stack until the stack points into
your input buffer. You can then write the length of the string written so far
into an arbitrary location (which you supply in the buffer). In order to
overwrite a full return address, you have to do it repeatedly and overlapping
(x86 machine is assumed, little endian):

20 00 00 00             First Dword written
20 30 00 00 00          Second Dword written
20 30 40 00 00 00       Third Dword written
20 30 40 50 00 00 00    Last Dword written

The new return address is now 0x50403020.

If you only have a small buffer to print into (if you are, for example, limited
by snprintf() or by the fact that on BSD the vsnprintf buffer will not be longer
than 512 bytes), then your patched dword should be in "descending order", meaning
the highest-order byte should be the highest number by quite a bit, and so
on. If you have a lot of room (like on Linux or under NT) you can basically
just use big paddings (%200x) or whatever to get the written dword to have
the value you want.

This is not hard to exploit. Format strings are a very real danger. They
will provide us with leet 0-day sploits for the next few weeks I assume :))

Greets,
Thomas Dullien
Win32 "Security" Researcher
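The overlapping %n write described in the post, as an added worked example that is not part of the original message. It isolates the counter arithmetic: the four target pointers are passed to snprintf as explicit varargs (in a real bug they would be popped off the stack out of the attacker's input buffer), the format is a string literal so a fortified glibc accepts %n, and `%*s` with an empty string is used as padding so that a zero-width step is possible. A little-endian host and glibc-style %n semantics are assumed; the function and buffer names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compute the four padding widths so that the i-th %n stores the i-th
 * little-endian byte of `value` at target+i. The %n counter only grows,
 * so a byte smaller than the running count is reached by wrapping through
 * +256: only the low byte of the stored int lands where we want it, the
 * high bytes are clobbered by the next write (or spill into target[4..6]
 * after the last one, hence the 7-byte layout in the post). */
void fmt_widths(uint32_t value, int widths[4])
{
    int count = 0;
    for (int i = 0; i < 4; i++) {
        int need = (int)((value >> (8 * i)) & 0xff);
        while (need < count)
            need += 256;
        widths[i] = need - count;
        count = need;
    }
}

/* Perform the four overlapping %n writes into `target` (at least 7 bytes)
 * and return the dword assembled from target[0..3] (little-endian). */
uint32_t overlapping_n_write(uint32_t value, unsigned char *target)
{
    int w[4];
    char scratch[1100];   /* worst case is 255 + 3*255 = 1020 pad characters */

    fmt_widths(value, w);
    /* "%*s" with "" prints exactly `width` spaces (zero allowed), so each %n
     * sees the running total computed above. Pointers are passed explicitly
     * here instead of being read off the stack as in a real exploit. */
    snprintf(scratch, sizeof scratch, "%*s%n%*s%n%*s%n%*s%n",
             w[0], "", (int *)(target + 0),
             w[1], "", (int *)(target + 1),
             w[2], "", (int *)(target + 2),
             w[3], "", (int *)(target + 3));

    return (uint32_t)target[0]
         | (uint32_t)target[1] << 8
         | (uint32_t)target[2] << 16
         | (uint32_t)target[3] << 24;
}

/* Convenience wrapper: write into a fresh zeroed buffer and return the dword. */
uint32_t demo_write(uint32_t value)
{
    unsigned char target[8] = {0};
    return overlapping_n_write(value, target);
}

int main(void)
{
    unsigned char target[8] = {0};
    uint32_t v = overlapping_n_write(0x50403020u, target);

    printf("target bytes:");
    for (int i = 0; i < 7; i++)
        printf(" %02x", target[i]);
    printf("\nassembled dword: 0x%08x\n", v);
    return 0;
}
```

For the post's value 0x50403020 the widths come out as 32, 16, 16, 16, i.e. counts of 0x20, 0x30, 0x40 and 0x50, which is exactly the "ascending" layout the post recommends when output space is tight; a value such as 0xdeadbeef forces three +256 wraps and needs 734 characters of padding, which is where a 512-byte vsnprintf buffer starts to hurt.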

