Vulnerability Development mailing list archives

Re: Help, problems finding addresses with format strings
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Fri, 20 Feb 2004 11:46:22 +0100 (CET)

Hello,

Having some experience with BOF, I decided to read some docs about
format string vulnerabilities, but... my surprise is that, by any
reason, I can't find anything seemed to this doc. I'd like some
experience to help me. My system is a Debian/GNU/Linux sid with gcc 3.3.3.

Hi,

I strongly suggest you read the excellent format string tutorial
by scut. You can find it at:

http://www.team-teso.net/articles/formatstring/

Look at this (apparently) simple code:

[snip]

Now... I think the char vuln[1024] starts at 0xbffff4d0, no? I
want to overwrite this buffer and theoretically overwrite main's ret address
with another.

Usually, format string vulnerabilities can be turned into an "overwrite (at
least) an arbitrary address in memory" primitive. So, probably your best
choice is to overwrite the first function pointer inside the .dtors
section, the __deregister_frame_info, or some other entries in .got. Those
addresses are easier to locate than the classical main() retloc.

1- How can I guess (theoretically and practically) this ret address in the
stack? (I think it is in the stack)
2- When I have the value of the ret address, I think I have to overwrite it
with techniques like %8x and %n, isn't it?

Help me to solve this problem please...

Find attached an example exploit for your vulnerable program. The code is
well commented and should be self-explanatory. You may also want to look
at my collection of vulnerable code and related exploits, available at:

http://www.0xdeadbeef.info/code/misc-exploits.tgz

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707

Attachment: fmt-ex.c
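As an added example (not Marco's fmt-ex.c attachment, which the archive does not carry, and not the poster's snipped program), this is the bug class discussed in the reply shown beside its fix, plus a small audit helper for the directives the thread mentions (%8x and %n); the log_line wrapper and every input string are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed logging wrapper: no format attribute, so the compiler stays silent.
 * Real loggers should carry __attribute__((format(printf, 3, 4))) so that
 * gcc -Wformat -Wformat-security reports a non-literal format with no arguments. */
static int log_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* BUG: attacker-controlled input becomes the FORMAT string, so its '%'
 * directives are interpreted; '%x' reads the stack, '%n' writes memory.
 * With -D_FORTIFY_SOURCE=2 -O2, glibc aborts on %n from a writable format. */
static int vulnerable_echo(const char *input, char *out, size_t outlen)
{
    return log_line(out, outlen, input);
}

/* Fixed form: the format is a literal and user data is only ever an argument. */
static int safe_echo(const char *input, char *out, size_t outlen)
{
    return log_line(out, outlen, "%s", input);
}

/* Audit helper: count conversion directives in data headed for a format
 * function ("%%" is a literal percent) and flag %n, the write primitive. */
struct fmt_audit { int conversions; int writes; };

static struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        a.conversions++;
        const char *q = p + 1;                      /* skip flags, width, length */
        while (*q && strchr("0123456789.-+ #$*hlLqjzt", *q)) q++;
        if (*q == 'n') a.writes++;
    }
    return a;
}
```

Feeding "rate=100%%" to vulnerable_echo yields "rate=100%" (the directive was consumed), while safe_echo yields "rate=100%%" unchanged; audit_format("AAAA%08x%08x%n") reports 3 conversions and 1 write.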

