Re: Help, problems finding addresses with format strings

[Marco Ivaldi <raptor () 0xdeadbeef info>]

> Hello,
>
> Having some experience with BOF, i decided to read some docs about
> format strings vulnerabilities, but... my surprise is that, by any
> reason, i can't find anything seemed to this doc, i'd like some
> experience to help me. My system is a Debian/GNULinux sid with gcc 3.3.3

Hi,

I strongly suggest you the reading of the excellent format string tutorial
by scut. You can find it at:

http://www.team-teso.net/articles/formatstring/

> Look at this simple (aparently) code:

[snip]

> Now ... i think where the char vuln[1024] starts, in 0xbffff4d0 no?, i
> want to overwrite this buffer and theorically overwrite main ret address
> by other.

Usually, format strings vulnerabilities can be turned in a "overwrite (at
least) an arbitrary address in memory" primitive. So, probably your best
choice is to overwrite the first function pointer inside the .dtors
section, the __deregister_frame_info, or some other entries in .got. Those
addresses are easier to locate than the classical main() retloc.

> 1- How can I guess (theorically and practically) this ret address in the
> stack ? (i think is in stack)
> 2- When i have the value of the ret address, i think i have to overwrite
> by techniques like %8x and %n, isn't it?
>
> Help me to solve this problem please...

Find attached an example exploit for your vulnerable program. The code is
well commented and should be self-explanatory. You may also want to look
at my collection of vulnerable code and related exploits, available at:

http://www.0xdeadbeef.info/code/misc-exploits.tgz

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707

Attachment: fmt-ex.c
Description: