Vulnerability Development mailing list archives
Re: buffer overflow question
From: Gerardo Richarte <core.lists.exploit-dev () core-sdi com>
Date: Wed, 05 Dec 2001 06:15:17 -0300
Marshal wrote:
As long as I remember the format strings example files on that page aren't real format string vuln. but just ordinary buffer overflows.
They are not buffer overflows... The first one is the only one that has a memory copy operation in it (I mean strcpy, or memcpy, or loop copying, etc). BUT, if you don't know how to use the format string, you won't be able to do it. You have to solve it to note why the format string in it is so important; it may be enough to take a look, but actually doing it is the right way. Why did I mix a buffer overflow with a format string? I don't know, I just thought it was a good idea to make us think what can be done with fss.

gera

/* fs1.c                                                  *
 * specially crafted to feed your brain by gera () core-sdi com */

/* Don't forget,     *
 * more is less,     *
 * here's a proof    */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argv,char **argc) {
        short int zero=0;
        int *plen=(int*)malloc(sizeof(int));
        char buf[256];

        strcpy(buf,argc[1]);            /* unbounded copy into a 256-byte buffer */
        printf("%s%hn\n",buf,plen);     /* %hn stores the count printed so far into *plen as a short */
        while(zero);
}

/* fs2.c                                                  *
 * specially crafted to feed your brain by gera () core-sdi com */

/* Can you tell me what's above the edge? */

#include <stdio.h>

int main(int argv,char **argc) {
        char buf[256];

        /* the format names four arguments but only one is supplied */
        snprintf(buf,sizeof buf,"%s%c%c%hn",argc[1]);
        snprintf(buf,sizeof buf,"%s%c%c%hn",argc[2]);
}

/* fs3.c                                                  *
 * specially crafted to feed your brain by riq () core-sdi com */

/* Not enough resources? */

#include <stdio.h>

int main(int argv,char **argc) {
        char buf[256];

        snprintf(buf,sizeof buf,"%s%c%c%hn",argc[1]);
}

/* fs4.c                                                  *
 * specially crafted to feed your brain by gera () core-sdi com */

/* Have you ever heard about code reusability? */

#include <stdio.h>

int main(int argv,char **argc) {
        char buf[256];

        snprintf(buf,sizeof buf,"%s%6$hn",argc[1]);
        printf(buf);                    /* buf is used as the format string */
}

/* fs5.c                                                  *
 * specially crafted to feed your brain by gera () core-sdi com */

/* go, go, go! */

#include <stdio.h>

int main(int argv,char **argc) {
        char buf[256];

        snprintf(buf,sizeof buf,argc[1]);       /* argc[1] is the format string */

        /* this line'll make your life easier */
        // printf("%s\n",buf);
}

--- for a personal reply use: Gerardo Richarte <gera () corest com>
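The point gera is making is that the exercises hinge on what the format string does, not on a copy operation. The following C program is an added example for this thread, not part of gera's exercise files or of the original message: it shows, on constructed input, what the %hn directive records (including when snprintf's buffer is smaller than the text, the "edge" fs2.c alludes to), and the hardened form of the fs5.c call, where the untrusted text is passed as a "%s" argument rather than as the format. The function names (hn_count, hn_count_truncated, copy_untrusted, has_format_directives) are this example's own.

```c
/* Added example (not from gera's exercises): what %hn actually records, and
 * the safe way to hand untrusted text to the printf family.
 * Build with:  cc -Wall -Wformat -Wformat-security hn_demo.c
 * -Wformat-security flags the non-literal-format pattern of fs5.c. */
#include <stdio.h>
#include <string.h>

/* Format a constructed string with "%s%hn". The %hn directive prints nothing;
 * it stores the number of characters produced so far into the short pointed
 * to by its argument. Returns that stored count. */
short hn_count(const char *s) {
    short count = -1;                 /* sentinel: proves %hn overwrote it */
    char buf[64];
    snprintf(buf, sizeof buf, "%s%hn", s, &count);
    return count;
}

/* Same directive, but the output buffer is smaller than the text. glibc and
 * BSD libc record the length the call would have produced, not what fit in
 * the buffer, so the count can exceed sizeof(small). */
short hn_count_truncated(void) {
    char small[16];
    short count = -1;
    /* constructed 40-character input */
    const char *forty = "0123456789012345678901234567890123456789";
    snprintf(small, sizeof small, "%s%hn", forty, &count);
    return count;                     /* 40, not 15 */
}

/* Hardened form of fs5.c's snprintf(buf, sizeof buf, argc[1]): the untrusted
 * text is an argument to the literal "%s" format, so any '%' it contains is
 * copied as data and never interpreted as a directive. Returns the number of
 * characters that ended up in dst (excluding the terminator). */
size_t copy_untrusted(char *dst, size_t n, const char *user) {
    if (n == 0) return 0;
    int r = snprintf(dst, n, "%s", user);
    if (r < 0) { dst[0] = '\0'; return 0; }
    return (size_t)r < n ? (size_t)r : n - 1;   /* truncated: report what fit */
}

/* Does the text contain directives that would matter if it were (wrongly)
 * used as a format string? "%%" is an escaped percent and does not count. */
int has_format_directives(const char *s) {
    for (; *s; s++) {
        if (s[0] == '%') {
            if (s[1] == '%') { s++; continue; }
            return 1;
        }
    }
    return 0;
}

int main(void) {
    char out[32];
    printf("%%hn after \"hello\": %d\n", hn_count("hello"));
    printf("%%hn with 16-byte buffer and 40-char text: %d\n", hn_count_truncated());
    copy_untrusted(out, sizeof out, "%hn%hn%hn");
    printf("copied literally: %s (directives present: %d)\n",
           out, has_format_directives(out));
    return 0;
}
```

The contrast to keep in mind when reviewing code like fs4.c and fs5.c: with a literal format and the user text as an argument, `%hn` in the input is just three bytes of data; with the user text as the format, the same three bytes select a write. Compilers report the second pattern under `-Wformat-security`, which is the cheapest audit for it.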
Current thread:
- buffer overflow question *jnf (Dec 04)
- Re: buffer overflow question Iván Arce (Dec 04)
- Re: buffer overflow question Marshal (Dec 05)
- Re: buffer overflow question Gerardo Richarte (Dec 05)
- Re: buffer overflow question Marshal (Dec 05)
- Re: buffer overflow question Richard Masoner (Dec 05)
- RE: buffer overflow question Dr Anish.M (Dec 06)
- <Possible follow-ups>
- Re: buffer overflow question Minchu Mo (Dec 09)
- Re: Phpnuke Cross site scripting vulnerability (patch) supergate (Dec 09)
- Re: buffer overflow question Richard Masoner (Dec 10)
- Re: buffer overflow question Iván Arce (Dec 04)