Vulnerability Development mailing list archives

Re: [Format String vulnerabilities]


From: DownBload <downbload () hotmail com>
Date: 23 May 2004 18:53:32 -0000

In-Reply-To: <200405221248.i4MCmwxO081759 () mailserver1 hushmail com>


If you want to reach your input (AAAA), you must pad the stack with a few %x, or use direct access with %N$x (N is the number of the element's location in memory).

Example:

[root@laptop TEST]# ./fmt "AAAA%x.%x.%x.%x.%x"
AAAAbffffbbb.400.0.41414141.252e7825
[root@laptop TEST]# 
[root@laptop TEST]# ./fmt "AAAA%4\$x"
AAAA41414141
[root@laptop TEST]# 

As we can see, our input AAAA is in both examples on 4th place, so it *is* on stack :-)

Bye.



Hello vuln-dev,
Query regarding format string vulnerabilities..

The majority of tutorials give an example of the following form:

(taken from NN-formats.txt [NOP Ninjas - Format String Technique])
fmt1.c ----------------------------------------------------

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: argv[1] is used directly as the format string. */
int main(int argc, char *argv[]) {
 char buf[1024];

 if (argc < 2)
  return 1;
 strncpy(buf, argv[1], sizeof(buf)); /* the copy lives on the stack */
 printf(argv[1]);                    /* user-controlled format string */
 printf("\n");
 return 0;
}
------------------------------------------------------------

sloth@sin$ ./fmt 'AAAA %x'
AAAA 41414141

Surely however the format string *itself* isn't passed on the stack
but a pointer to the format string. Therefore the %x modifier would
return a hex representation of the address pointing to the string, *not*
a hex representation of the string contents?

On my linux/i386 system this produces:

root@xpl:~# ./fmt1 'AAAA %x'
AAAA bffffbec

Similarly a printf("AAAA %x"); style format string would print out the
hex representation of the ELF .rodata section address where the string
is stored not any values contained within.

Can anybody clarify all of this?

Much appreciated,
vxpl-
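Added example (not code from either message in this thread): the fmt1.c pattern beside its hardened form, plus a small check a defender can run over untrusted data before it reaches any printf-family function. The function names, the constructed sample strings and the output buffer are assumptions of this example, not the thread's. The behaviour the two posts disagree about follows from the calling convention: on i386 the format string is indeed passed as a pointer, but every conversion in it makes printf fetch the *next* variadic argument from the caller's stack, and since fmt1.c supplies none, each %x prints whatever 4-byte word sits there. On DownBload's build the fourth word is the buf copy of the input, which is why %4$x yields 41414141; on x86-64 the first variadic arguments come from registers, so the offsets differ but the mechanism is the same. Replacing printf(input) with printf("%s", input) removes the problem because the untrusted bytes are then consumed as a string argument and never parsed as directives.

```c
/* Added example, not code from the thread: the fmt1.c pattern next to its
 * fix, plus a check that counts how many conversion directives an untrusted
 * string would trigger if it were ever used as a format string. */
#include <stdio.h>
#include <string.h>

/* Vulnerable form (as in fmt1.c): the untrusted string IS the format.
 * Every %x / %s / %n in it makes printf pull a variadic argument that was
 * never passed, i.e. the next word of the caller's stack frame. */
static void echo_vulnerable(const char *input)
{
    printf(input);
    printf("\n");
}

/* Hardened form: the format is a literal and the untrusted string is an
 * argument, so its '%' characters are copied out verbatim.
 * Returns the length of the rendered text, like snprintf. */
int render_hardened(char *out, size_t outsz, const char *input)
{
    return snprintf(out, outsz, "%s", input);
}

/* Count the conversion directives in s: the number of variadic arguments
 * printf would consume if s were the format. "%%" is a literal percent and
 * counts as nothing. A non-zero result for data that is only ever supposed
 * to be printed is worth logging; it is not a substitute for "%s". */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": escaped percent, skip both */
            p++;
            continue;
        }
        n++;                 /* "%x", "%4$x", "%n", a trailing '%' ... */
    }
    return n;
}

int main(void)
{
    /* Constructed sample inputs, modelled on the ones quoted in the thread. */
    const char *samples[] = { "AAAA%x.%x.%x.%x.%x", "AAAA%4$x", "100%% done", "AAAA" };
    char out[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = count_conversions(samples[i]);
        render_hardened(out, sizeof out, samples[i]);
        printf("%-20s directives=%d  hardened output: %s\n", samples[i], n, out);
    }

    /* The vulnerable function is only ever fed a string the check cleared,
     * so this run stays deterministic; with "AAAA%4$x" it would walk the stack. */
    echo_vulnerable("AAAA");
    return 0;
}
```

Build it with gcc -Wall -Wformat -Wformat-security: the compiler flags the printf(input) line in echo_vulnerable as a format string that is not a literal and has no format arguments, which is the cheapest detection for this bug class across a code base.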


