Vulnerability Development mailing list archives
Help, problems finding addresses with format strings
From: YeYu <yeyuno () bigfoot com>
Date: Thu, 19 Feb 2004 14:23:48 +0100
Hello,
Having some experience with BOF, I decided to read some docs about format
string vulnerabilities, but... my surprise is that, for some reason, I can't
find anything like this doc; I'd like some experienced help.
My system is Debian GNU/Linux sid with gcc 3.3.3.
Look at this simple (apparently) code:
---
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* bzero() */
#include <unistd.h>

int main(void) {
    char vuln[1024];
    bzero(vuln, sizeof(vuln));
    printf("vuln program\n\n");
    printf("enter some string:");
    fflush(stdout);
    /* leave room for the NUL terminator bzero() put at the end */
    read(0, vuln, sizeof(vuln) - 1);
    printf(vuln);   /* user input used as the format string (the bug under discussion) */
    return 0;
}
---
We compile it and execute it...
When the program asks for a string, we want to guess the stack region...
enter some string:%x %x %x %x
bffff4d0 400 2 25207825
- These addresses are:
[x0riguer]:~/Projects/fstrings$ gdb -q ./fsvuln
(gdb) disas main
Dump of assembler code for function main:
0x08048424 <main+0>: push %ebp
0x08048425 <main+1>: mov %esp,%ebp
0x08048427 <main+3>: sub $0x418,%esp
...
...
0x08048499 <main+117>: call 0x8048328
0x0804849e <main+122>: leave
0x0804849f <main+123>: ret
End of assembler dump.
(gdb) break *0x08048499
Breakpoint 2 at 0x8048499: file fsvuln.c, line 16.
(gdb) r
Starting program: /home/yeyu/Projects/fstrings/fsvuln
vuln program
enter some string:%x %x %x %x
Breakpoint 2, 0x08048499 in main () at fsvuln.c:16
16 printf(vuln);
(gdb) x/10wx $esp
0xbffff4c0: 0xbffff4d0 0xbffff4d0 0x00000400 0x00000002
0xbffff4d0: 0x25207825 0x78252078 0x0a782520 0x00000000
0xbffff4e0: 0x00000000 0x00000000
...
* If we can guess the string at 0xbffff4d0 ...
...
(gdb) x/s 0xbffff4d0
0xbffff4d0: "%x %x %x %x\n"
Now... I think the char vuln[1024] starts at 0xbffff4d0, no? I want to
overwrite this buffer and theoretically overwrite main's ret address with another.
1- How can I guess (theoretically and practically) this ret address in the stack? (I think it is in the stack)
2- When I have the value of the ret address, I think I have to overwrite it with
techniques like %8x and %n, isn't it?
Help me to solve this problem please...
Thank you
--
=-------------------------------------------------=
** yn0 [yeyuno () bigfoot com] **
=------[ echo "\$0&\$0">_;chmod +x _;./_ ]--------=
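A hardened form of the posted program next to a small scanner that walks a string the way printf interprets it, added here as an example (not the poster's code; the names echo_input, scan_format, count_directives and has_write_directive are my own):

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the posted printf(vuln): the input becomes the
 * argument of a fixed "%s" format, so "%x" or "%n" in it is printed
 * literally, never interpreted (gcc -Wformat-security warns on the
 * original printf(vuln)). */
void echo_input(const char *buf) {
    printf("%s", buf);
}

/* Walk s the way printf would: count the directives ("%%" is an
 * escape, not a directive) and set *writes if a "%n", the one
 * directive that stores to memory, occurs. */
static int scan_format(const char *s, int *writes) {
    int n = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {        /* literal percent sign */
            p++;
            continue;
        }
        n++;
        /* skip flags, width, precision, positional and length parts */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*$hlLqjzt", *q))
            q++;
        if (*q == 'n')
            *writes = 1;
        if (*q)
            p = q;                /* resume after the conversion char */
    }
    return n;
}

/* Each directive consumes one argument; the four "%x" in the post
 * each pulled one word off the stack. */
int count_directives(const char *s) {
    int writes;
    return scan_format(s, &writes);
}

/* A format string that must come from data (config, translation files)
 * should fail this check before it is ever used as a format. */
int has_write_directive(const char *s) {
    int writes;
    scan_format(s, &writes);
    return writes;
}
```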