Vulnerability Development: Re: [Format String vulnerabilities]

Re: [Format String vulnerabilities]

From: DownBload <downbload_at_hotmail.com>
Date: 23 May 2004 18:53:32 -0000
In-Reply-To: <200405221248.i4MCmwxO081759_at_mailserver1.hushmail.com>


If you want to reach your input (AAAA), you must pad the stack with a few %x, or use direct access with %N$x (N is the number of the element's location in memory).

Example:

[root_at_laptop TEST]# ./fmt "AAAA%x.%x.%x.%x.%x"
AAAAbffffbbb.400.0.41414141.252e7825
[root_at_laptop TEST]#
[root_at_laptop TEST]# ./fmt "AAAA%4\$x"
AAAA41414141
[root_at_laptop TEST]#

As we can see, our input AAAA is in the 4th place in both examples, so it *is* on the stack :-)

Bye.



>Hello vuln-dev,
> Query regarding format string vulnerabilities.
>
> The majority of tutorials give an example of the following form:
>
>(taken from NN-formats.txt [NOP Ninjas - Format String Technique])
>fmt1.c ----------------------------------------------------
>
>#include <stdio.h>
>#include <string.h>
>
>int main(int argc, char *argv[]) {
> char buf[1024];
>
> if (argc < 2) return 1;
> strncpy(buf, argv[1], sizeof(buf));
> printf(argv[1]); /* deliberate bug: user input used as the format string */
> printf("\n");
> return 0;
>}
>------------------------------------------------------------
>
>sloth_at_sin$ ./fmt 'AAAA %x'
>AAAA 41414141
>
>Surely however the format string *itself* isn't passed on the stack
>but a pointer to the format string. Therefore the %x modifier would
>return a hex representation of the address pointing to the string, *not*
>a hex representation of the string contents?
>
>On my linux/i386 system this produces:
>
>root_at_xpl:~# ./fmt1 'AAAA %x'
>AAAA bffffbec
>
>Similarly a printf("AAAA %x"); style format string would print out the
>hex representation of the ELF .rodata section address where the string
>is stored, not any values contained within.
>
>Can anybody clarify all of this?
>
>Much appreciated,
>vxpl-
Received on May 24 2004
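Added example, not code from the thread or from NN-formats.txt: the hardened counterpart of the quoted fmt1.c (untrusted input passed as an argument, never as the format), the %N$x positional selection from the reply shown with a format the programmer controls, and a small check that flags conversion directives in untrusted strings before they reach a logger. The function names `echo_safe`, `positional_demo` and `has_format_directive` are chosen here; positional `%N$` arguments assume a POSIX printf (glibc, BSD libc).

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hardened echo: the untrusted string is an ARGUMENT, never the format,
 * so "%x" or "%4$x" inside it is printed literally instead of being
 * interpreted. Returns the number of characters snprintf wrote/needed. */
int echo_safe(const char *untrusted, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Positional conversion (%N$x, POSIX/glibc): selects the Nth variadic
 * argument regardless of order. Argument 3 is 0x41414141, the value of
 * "AAAA" read as a little-endian 32-bit word, which is what %4$x reached
 * in the reply's stack layout. All three positions are named because
 * POSIX requires numbered arguments to be used contiguously. */
int positional_demo(char *out, size_t outsz)
{
    return snprintf(out, outsz, "%3$x.%1$x.%2$x",
                    0x400u, 0x0u, 0x41414141u);
}

/* Cheap input check for log/audit pipelines: does an untrusted string
 * carry a conversion directive? "%%" is a literal percent and ignored. */
bool has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        return true;
    }
    return false;
}

int main(int argc, char *argv[])
{
    char out[128];
    /* constructed sample input, same shape as the probe in the reply */
    const char *in = argc > 1 ? argv[1] : "AAAA%4$x";
    echo_safe(in, out, sizeof out);
    printf("%s\n", out);                        /* AAAA%4$x, not 41414141 */
    positional_demo(out, sizeof out);
    printf("%s\n", out);                        /* 41414141.400.0 */
    printf("directive? %s\n", has_format_directive(in) ? "yes" : "no");
    return 0;
}
```

Compiling the quoted fmt1.c with `-Wformat -Wformat-security` makes the compiler report the non-literal format in `printf(argv[1])`, which is the cheapest check for this bug class in a code base.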
