Vulnerability Development mailing list archives

Re: [Vuln-dev Challenge] Challenge #2


From: "Janus N." Tøndering <janus () bananus dk>
Date: 28 May 2003 01:11:39 +0200

On Tue, 2003-05-27 at 23:03, Robert Hogan wrote:
> > We want to set (overflow) the bfp pointer with the address of the printf
> > command. We subtract two because the db.log file starts with two ';;'.
> > These will then be written two bytes before printf code starts ---
> > corrupting whatever is there (but we really don't care about that).
>
> One (hopefully final) request for clarification:
>
> when fgets finds bfp (with the address of printf there) it jumps to printf and
> executes the value in bfp (which is now shellcode)???
>
> Is this correct?

We overwrite the bfp pointer (which is stored on the stack) at the
strcpy(buf, argv[1]) line. Now bfp points to the printf function - 2. fgets
will then read BFSIZE bytes from db.log and write them to the memory
that bfp points to (address of printf minus 2).

> I still don't really get the printf_got -2 thing. I would have thought that if
> printf is at a given address, changing that address would point to something
> else that is not the printf command! Obviously not, but I don't understand
> how.

If you take a look at
fprintf(f1, ";;%s;;", argv[2]);
you see that the first two bytes of db.log will be ';;'. We don't want
';;' to overwrite the printf function, so that is why we subtract 2 (then
we will overwrite something else ... but we really do not care. We won't
need it).

Hope this makes it clear.

Regards,
Janus
-- 
Janus N. Tøndering <janus () bananus dk>
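The chain discussed in this thread is an unbounded strcpy() into a fixed buffer that also clobbers a neighbouring pointer (bfp), after which fgets() writes file data through that pointer, turning a plain stack overflow into a write to an address the input chose. The C below is an added example and is not the challenge program or any code posted in the thread: it is a hypothetical reconstruction of the pattern (record_t, BUFSZ, BFSIZE, copy_bounded, read_log_line, parse_record and demo are all assumed names and sizes, and the db.log contents are constructed) showing the defensive version of each step: the copy is bounded and rejects oversized input, the fgets() destination is the record's own array rather than a pointer that input can reach, and the leading ";;" written by fprintf(f1, ";;%s;;", argv[2]) is skipped by parsing the record format instead of by adjusting the write address.

```c
/* Added example, not the challenge code: hardened form of the strcpy ->
   pointer -> fgets chain discussed in the thread. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BUFSZ  16   /* assumed size of the fixed buffer argv[1] is copied into */
#define BFSIZE 64   /* assumed size of the fgets() read, as named in the thread */

/* Hypothetical record layout: the fixed buffer sits next to the pointer that
   the later fgets() step writes through. In the weak version of this code,
   strcpy(r->buf, argv[1]) with no bound can run past buf and overwrite bfp,
   so the fgets() that follows writes wherever the input pointed it. */
typedef struct {
    char  buf[BUFSZ];
    char  line[BFSIZE];
    char *bfp;
} record_t;

/* Hardened copy: refuse input that does not fit, so bfp is never reached.
   Returns 0 on success, -1 when the argument is too long. */
static int copy_bounded(record_t *r, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= sizeof r->buf)
        return -1;              /* reject rather than truncate silently */
    memcpy(r->buf, arg, n + 1); /* includes the terminating NUL */
    return 0;
}

/* Read one db.log line. The destination pointer is set here, after the copy,
   from the record's own array with its real size, so no earlier input can
   redirect the write. Returns 0 on success, -1 on EOF or error. */
static int read_log_line(record_t *r, FILE *f)
{
    r->bfp = r->line;
    if (fgets(r->bfp, (int)sizeof r->line, f) == NULL)
        return -1;
    return 0;
}

/* Parse the ";;%s;;" record format: skip the leading ";;" by parsing, not by
   pointing the write two bytes earlier. Sets *out to the payload start and
   returns its length, or -1 when either delimiter is missing. */
static long parse_record(char *line, char **out)
{
    char *end;
    if (strncmp(line, ";;", 2) != 0)
        return -1;
    end = strstr(line + 2, ";;");
    if (end == NULL)
        return -1;
    *out = line + 2;
    return (long)(end - (line + 2));
}

/* Run the hardened path over a constructed db.log held in a tmpfile().
   Returns the payload length, or -1 if any step rejects the input. */
static long demo(const char *arg, const char *logdata)
{
    record_t r;
    FILE *f;
    char *payload = NULL;
    long len;

    memset(&r, 0, sizeof r);
    if (copy_bounded(&r, arg) != 0)
        return -1;
    f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(logdata, f);          /* constructed db.log contents */
    rewind(f);
    if (read_log_line(&r, f) != 0) {
        fclose(f);
        return -1;
    }
    fclose(f);
    len = parse_record(r.line, &payload);
    return len;
}

int main(void)
{
    long n = demo("user1", ";;hello world;;\n");
    printf("payload length: %ld\n", n);
    n = demo("this-argument-is-far-too-long-for-buf", ";;x;;\n");
    printf("oversized argument rejected: %s\n", n == -1 ? "yes" : "no");
    return 0;
}
```

The point of the layout is that the only pointer fgets() ever writes through is assigned from a sized array immediately before the read, and the oversized-argument case is rejected outright rather than truncated, since a silently shortened argv[1] is its own source of surprises.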
