Vulnerability Development mailing list archives

Re: buffer overflow question


From: Gerardo Richarte <core.lists.exploit-dev () core-sdi com>
Date: Wed, 05 Dec 2001 06:15:17 -0300

Marshal wrote:

As long as I remember the format strings example files on that page
aren't real format string vuln. but just ordinary buffer overflows.

    They are not buffer overflows...

    The first one is the only one that has a memory copy operation in it (I mean
strcpy, or memcpy, or loop copying, etc). BUT, if you don't know how to use
the format string, you won't be able to do it. You have to solve it to note why
the format string in it is so important; it may be enough to take a look, but actually
doing it is the right way.
    Why did I mix a buffer overflow with a format string? I don't know,
I just thought it was a good idea to make us think what can be done with
fss.

    gera


    /* fs1.c                                                    *
     * specially crafted to feed your brain by gera () core-sdi com */

    /* Don't forget,                                            *
     * more is less,                                            *
     * here's a proof                                           */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argv,char **argc) {
            short int zero=0;
            int *plen=(int*)malloc(sizeof(int));
            char buf[256];

            strcpy(buf,argc[1]);
            printf("%s%hn\n",buf,plen);
            while(zero);
    }


    /* fs2.c                                                    *
     * specially crafted to feed your brain by gera () core-sdi com */

    /* Can you tell me what's above the edge?                   */

    #include <stdio.h>

    int main(int argv,char **argc) {
            char buf[256];

            snprintf(buf,sizeof buf,"%s%c%c%hn",argc[1]);
            snprintf(buf,sizeof buf,"%s%c%c%hn",argc[2]);
    }


    /* fs3.c                                                    *
     * specially crafted to feed your brain by riq () core-sdi com  */

    /* Not enough resources?                                    */

    #include <stdio.h>

    int main(int argv,char **argc) {
            char buf[256];

            snprintf(buf,sizeof buf,"%s%c%c%hn",argc[1]);
    }


    /* fs4.c                                                    *
     * specially crafted to feed your brain by gera () core-sdi com */

    /* Have you ever heard about code reusability?              */

    #include <stdio.h>

    int main(int argv,char **argc) {
            char buf[256];

            snprintf(buf,sizeof buf,"%s%6$hn",argc[1]);
            printf(buf);
    }


    /* fs5.c                                                    *
     * specially crafted to feed your brain by gera () core-sdi com */

    /* go, go, go!                                              */

    #include <stdio.h>

    int main(int argv,char **argc) {
            char buf[256];
            snprintf(buf,sizeof buf,argc[1]);

                          /* this line'll make your life easier */
    //      printf("%s\n",buf);
    }
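Added example, not one of gera's exercise files and not part of the original post: with a pointer we supply ourselves it shows what the %hn conversion used in fs1-fs5 actually stores, the fixed-format form that fs4's printf(buf) and fs5 are missing, and a small triage check for '%' directives in untrusted text. Function names are assumptions; gcc's -Wformat-security warns at compile time on the non-literal formats in fs4 and fs5.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not one of gera's files.
 * Shows, with a pointer we supply ourselves, what the "%hn" conversion in
 * fs1-fs5 does: it stores the number of characters produced so far into a
 * short int. In fs2-fs5 the program supplies no such pointer at all;
 * printf takes it from whatever the next variadic argument slot holds. */
short chars_counted_by_hn(const char *s, int width) {
    short n = -1;
    char out[512];
    /* "%*s" pads s to at least width characters; "%hn" then records the
     * total produced so far. Every conversion has its own argument here,
     * so the only memory written is n. */
    snprintf(out, sizeof out, "%*s%hn", width, s, &n);
    return n;
}

/* The fix for fs5 (and for printf(buf) in fs4): user data goes in as an
 * argument to a literal format, so "%n" inside it is copied, not acted on.
 * Returns 1 when the text survives byte for byte. */
int renders_literally(const char *user) {
    char out[512];
    int n = snprintf(out, sizeof out, "%s", user);
    return n == (int)strlen(user) && strcmp(out, user) == 0;
}

/* Triage helper for log or request fields: a '%' not followed by another
 * '%' would act as a conversion if this string ever reached a format slot.
 * Returns how many such directives the string contains. */
int count_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}
```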




--- for a personal reply use: Gerardo Richarte <gera () corest com>

