Vulnerability Development mailing list archives
format strings article
From: Christophe GRENIER <grenier () NEF ESIEA FR>
Date: Fri, 2 Mar 2001 12:49:01 +0100
We have written an article about format strings. One more, you may think, but we think this one is really good ;-)

We prove that there is a vulnerability, then we illustrate how to exploit it in a simple vulnerable program. We give a general method to build the format string, far simpler than the one described in "Format string vulnerability" by P. Bouchareine. This part shows that format string bugs let you write exactly what and where you want in memory.

Finally, we leave the pedagogical and simple exploitations to explain the .dtors overwrite exploitation. Using this, we give a method that also works fine with buffer overflows to get rid of the NOPs at the beginning of the eggshell: we can compute precisely the position of the eggshell in the stack.

This article is available in French and English:
http://www-syntim.inria.fr/fractales/Staff/Raynal/LinuxMag/SecProg/Art4/index.html
http://www-syntim.inria.fr/fractales/Staff/Raynal/LinuxMag/SecProg/Art4/index-fr.html

The authors

-------------------------------------------------------------------------------
-= GRENIER Christophe =-
sysadmin of nef.esiea.fr
ESIEA
Ecole Superieure d'Informatique - Electronique - Automatique
Email: grenier () nef esiea fr
http://www.esiea.fr/public_html/Christophe.GRENIER/
-------------------------------------------------------------------------------