Vulnerability Development mailing list archives
Re: [Vuln-dev Challenge] Challenge #2
From: "Janus N." Tøndering <janus () bananus dk>
Date: 28 May 2003 01:11:39 +0200
On Tue, 2003-05-27 at 23:03, Robert Hogan wrote:
> We want to set (overflow) the bfp pointer with the address of the printf command. We subtract two because the db.log file starts with two ';;'. These will then be written two bytes before printf code starts --- corrupting whatever is there (but we really don't care about that).
>
> One (hopefully final) request for clarification: when fgets finds bfp (with the address of printf there) it jumps to printf and executes the value in bfp (which is now shellcode)??? Is this correct?
We overwrite the bfp pointer (which is stored on the stack) at the strcpy(buf, argv[1]) line. Now bfp points to printf function - 2. fgets will then read BFSIZE bytes from db.log and write them to the memory that bfp points to (address of printf minus 2).
> I still don't really get the printf_got - 2 thing. I would have thought that if printf is at a given address, changing that address would point to something else that is not the printf command! Obviously not, but I don't understand how.
If you take a look at fprintf(f1, ";;%s;;", argv[2]); you see that the first two bytes of db.log will be ';;'. We don't want ';;' to overwrite the printf function, so that is why we subtract 2 (then we will overwrite something else ... but we really do not care. We won't need it). Hope this makes it clear.

Regards,
Janus
--
Janus N. Tøndering <janus () bananus dk>
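The two bugs the thread is built on are a pointer that sits right after a buffer filled by an unbounded strcpy, and an fgets that then writes through that pointer. The following is an added example, not code from the thread or from the challenge binary: it models that frame as a struct (the name bfp and the ";;%s;;" record framing come from the thread; BUFSIZE, BFSIZE and the layout are assumptions), shows the unbounded copy next to a bounded one that refuses oversized input, and reads the record into a local array instead of through a pointer that attacker-reachable data can reach.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame discussed in the thread: a fixed buffer
 * immediately followed by bfp, the pointer fgets() later writes through.
 * Sizes and ordering are assumptions chosen for illustration. */
#define BUFSIZE 16
#define BFSIZE  64

struct frame {
    char  buf[BUFSIZE];
    char *bfp;
};

/* Vulnerable shape: strcpy(buf, argv[1]) with no bound. An argument of
 * BUFSIZE bytes or more runs straight into the adjacent bfp field. */
void fill_unbounded(struct frame *f, const char *arg)
{
    strcpy(f->buf, arg);
}

/* Hardened shape: measure first, reject anything that would not fit
 * together with its terminator, then copy exactly what was measured.
 * Returns 0 on success and -1 when the input would have overrun buf. */
int fill_bounded(struct frame *f, const char *arg)
{
    size_t n = strnlen(arg, BUFSIZE);
    if (n >= BUFSIZE)
        return -1;
    memcpy(f->buf, arg, n + 1);
    return 0;
}

/* Number of input bytes that precede bfp in this layout: the overflow
 * length at which the pointer starts being corrupted. */
size_t bytes_before_pointer(void)
{
    return offsetof(struct frame, bfp);
}

/* Hardened record round trip: write ";;%s;;" the way the challenge does,
 * then read it back with fgets() into a local array sized for the call
 * and strip the ";;" framing. Returns 0 on success, -1 on malformed input
 * or when 'out' is too small. Uses a temporary file so it runs stand-alone. */
int roundtrip_record(const char *field, char *out, size_t outsz)
{
    char   line[BFSIZE];
    size_t len;
    FILE  *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fprintf(fp, ";;%s;;", field);
    rewind(fp);
    if (fgets(line, sizeof line, fp) == NULL) {
        fclose(fp);
        return -1;
    }
    fclose(fp);
    len = strlen(line);
    if (len < 4 || memcmp(line, ";;", 2) != 0 ||
        memcmp(line + len - 2, ";;", 2) != 0)
        return -1;                 /* not a well-formed ";;...;;" record */
    if (len - 4 + 1 > outsz)
        return -1;                 /* would not fit, including NUL */
    memcpy(out, line + 2, len - 4);
    out[len - 4] = '\0';
    return 0;
}

/* Runs the scenarios above; returns the number of failed checks. */
int self_check(void)
{
    static char  sentinel[4];
    struct frame f;
    char         out[BFSIZE];
    int          failed = 0;

    f.bfp = sentinel;
    if (fill_bounded(&f, "short") != 0 || f.bfp != sentinel) failed++;
    if (fill_bounded(&f, "this argument is longer than sixteen") != -1) failed++;
    if (f.bfp != sentinel) failed++;              /* bounded copy never touched it */
    if (bytes_before_pointer() != BUFSIZE) failed++;
    fill_unbounded(&f, "abc");                    /* fits: bfp still intact */
    if (f.bfp != sentinel) failed++;
    if (roundtrip_record("hello", out, sizeof out) != 0 || strcmp(out, "hello") != 0) failed++;
    return failed;
}

int main(void)
{
    printf("bfp starts %zu bytes into the frame\n", bytes_before_pointer());
    printf("self_check failures: %d\n", self_check());
    return 0;
}
```

The bounded copy is the fix for the write that corrupts bfp; reading into a local array is the fix for the write that goes through it. Either one alone breaks the chain the thread describes, and the offsetof() value is the number a reviewer would compare against the strcpy source length when auditing code of this shape.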