Vulnerability Development
mailing list archives
Blue Boars question...
From: thomas () RELAYGROUP COM (Thomas Dullien)
Date: Wed, 5 Jul 2000 12:13:19 +0700
Concerning Blue Boar's question whether these format string errors are
exploitable: yes, they are.
If you recap what we can do, you'll find out that most format strings we
supply could just pop more stuff off the stack and thus crash the application.
But if you look at the (v/s/n)printf specifications you'll notice one certain
format parameter: "%n"...
"%n" will write the number of bytes written so far into the memory location
pointed to by the corresponding variable on the stack.
How to exploit this:
Usually, you can just try to pop from the stack until the stack points into
your input buffer. You can then write the length of the string written so far
into an arbitrary location (which you supply in the buffer). In order to
overwrite a full return address, you have to do it repeatedly and overlapping:
(x86 machine is assumed, little endian)
20 00 00 00 First Dword written
20 30 00 00 00 Second Dword written
20 30 40 00 00 00 Third Dword written
20 30 40 50 00 00 00 Last Dword written
The new return address is now 0x50403020
If you only have a small buffer to print into (if you're for example limited by
snprintf() or the fact that on BSD the vsnprintf-buffer will not be longer than
512 bytes) then your patched dword should be in "descending order", meaning
the highest-order byte should be the highest number by quite a bit and so
on. If you have a lot of room (like on linux or under NT) you can basically
just use big paddings (%200x) or whatever to get the written dword to have
the value you want.
This is not hard to exploit. Format strings are a very real danger. They
will provide us with leet 0-day sploits for the next few weeks I assume :))
Greets,
Thomas Dullien
Win32 "Security" Researcher
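An added example, not part of Thomas Dullien's post, written from the defender's side: it shows the %n semantics the post relies on (the matching argument receives the count of characters emitted so far), the vulnerable call pattern where user data becomes the format string beside the fixed pattern where it is only an argument, and a small check that counts the directives a printf-family call would act on if handed untrusted input. Every function name and the sample input are constructed for this illustration; the vulnerable path is only exercised with "%%", which consumes no argument, so the demonstration stays well defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* %n as the post describes it: the matching argument receives the number of
   characters emitted so far. Used legitimately with a fixed format here, so the
   result is simply the length of prefix. */
int chars_written_before_n(const char *prefix)
{
    int n = -1;
    char buf[128];
    snprintf(buf, sizeof buf, "%s%n", prefix, &n);
    return n;
}

/* Typical logging wrapper (hypothetical): the caller supplies the format. It
   becomes a format string bug when a caller passes untrusted data as fmt,
   because every directive in that data, %n included, is then interpreted. */
static void log_message(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable call site: user data is passed as the format string. */
void log_vulnerable(char *out, size_t outlen, const char *user)
{
    log_message(out, outlen, user);
}

/* Hardened call site: the format is a literal and user data is only an
   argument, so any directives in it are copied as text, never interpreted. */
void log_safe(char *out, size_t outlen, const char *user)
{
    log_message(out, outlen, "%s", user);
}

/* Defensive check: count the conversion directives a printf-family function
   would act on if this string were used as a format. "%%" is an escaped percent
   that consumes no argument, so it is not counted. A non-zero result for data
   that came from outside the program is the signal to reject or log. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Returns 1 when the vulnerable path altered the input (the %% was consumed)
   while the safe path preserved it byte for byte. */
int demonstrate(void)
{
    const char *user = "100%% complete";   /* constructed sample input */
    char vuln[64], safe[64];
    log_vulnerable(vuln, sizeof vuln, user);
    log_safe(safe, sizeof safe, user);
    return strcmp(vuln, "100% complete") == 0 && strcmp(safe, user) == 0;
}

int main(void)
{
    printf("%%n after \"abcde\": %d\n", chars_written_before_n("abcde"));
    printf("directives in \"%%x%%x%%n\": %d\n", count_format_directives("%x%x%n"));
    printf("vulnerable and safe paths differ: %d\n", demonstrate());
    return 0;
}
```

The check in count_format_directives is deliberately simple: the real fix is the log_safe pattern (never let untrusted data reach the format parameter), and compiling with format warnings enabled flags non-literal formats such as the one in log_vulnerable at build time.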