Vulnerability Development mailing list archives
Blue Boar's question...
From: thomas () RELAYGROUP COM (Thomas Dullien)
Date: Wed, 5 Jul 2000 12:13:19 +0700
Concerning Blue Boar's question whether these format string errors are exploitable: Yes, they are.

If you recap what we can do, you'll find out that most format strings we supply could just pop more stuff off the stack and thus crash the application. But if you look at the (v/s/n)printf specifications you'll notice one certain format parameter: "%n". "%n" will write the number of bytes written so far into the memory location pointed to by the corresponding variable on the stack.

How to exploit this: Usually, you can just try to pop from the stack until the stack points into your input buffer. You can then write the length of the string written so far into an arbitrary location (which you supply in the buffer). In order to overwrite a full return address, you have to do it repeatedly and overlapping (an x86 machine is assumed, little endian):

    20 00 00 00             First Dword written
    20 30 00 00 00          Second Dword written
    20 30 40 00 00 00       Third Dword written
    20 30 40 50 00 00 00    Last Dword written

The new return address is now 0x50403020.

If you only have a small buffer to print into (if you're for example limited by snprintf() or the fact that on BSD the vsnprintf buffer will not be longer than 512 bytes), then your patched dword should be in "descending order", meaning the highest-order byte should be the highest number by quite a bit, and so on. If you have a lot of room (like on Linux or under NT) you can basically just use big paddings (%200x) or whatever to get the written dword to have the value you want.

This is not hard to exploit. Format strings are a very real danger. They will provide us with leet 0-day sploits for the next few weeks I assume :))

Greets,
Thomas Dullien
Win32 "Security" Researcher
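As an added illustration (not part of Thomas Dullien's post): the "%n" directive storing its running byte count into an int the program itself supplies, next to the vulnerable call pattern the post describes (untrusted data used as the format string) and its fix. The function names and the sample input string are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* %n prints nothing; it stores the number of bytes output so far into the
 * int its argument points to.  Here the destination is a local we own. */
int bytes_before_n(void)
{
    char out[64];
    int n = -1;
    /* "abc" is 3 bytes, "%5d" pads 42 to 5 bytes: 8 bytes precede %n */
    snprintf(out, sizeof out, "abc%5d%n-tail", 42, &n);
    return n;                       /* 8 */
}

/* Vulnerable pattern: untrusted data is the format string, so every
 * directive it contains ("%x", "%n", ...) is interpreted by snprintf. */
const char *render_vulnerable(const char *user)
{
    static char buf[64];
    snprintf(buf, sizeof buf, user);   /* format string comes from user */
    return buf;
}

/* Fix: untrusted data is only ever an argument to a literal format, so a
 * '%' inside it is copied verbatim and never reaches the format parser. */
const char *render_fixed(const char *user)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "%s", user);
    return buf;
}

int main(void)
{
    /* constructed sample input: a harmless directive that shows whether
     * the '%' is interpreted or copied */
    const char *user = "50%% done";
    printf("%%n stored %d\n", bytes_before_n());
    printf("vulnerable: %s\n", render_vulnerable(user)); /* 50% done  */
    printf("fixed:      %s\n", render_fixed(user));      /* 50%% done */
    return 0;
}
```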