Re: buffer overflow question

From: Gerardo Richarte (core.lists.exploit-dev@core-sdi.com)
Date: Wed Dec 05 2001 - 01:15:17 PST


    Marshal wrote:
    
    > As long as i remember the format strings example files on that page
    > aren't real format string vuln. but just ordinary buffer overflows.
    
        They are not buffer overflows...
    
        The first one is the only one that has a memory copy operation in it (I mean
    strcpy, or memcpy, or loop copying, etc). BUT, if you don't know how to use
    the format string, you won't be able to do it. You have to solve it to note why
    the format string in it is so important; it may be enough to take a look, but actually
    doing it is the right way.
        Why did I mix a buffer overflow with a format string? I don't know,
    I just thought it was a good idea to make us think about what can be done with
    fss.
    
        gera
    
    
    /* fs1.c                                                    *
     * specially crafted to feed your brain by gera@core-sdi.com */

    /* Don't forget,                                            *
     * more is less,                                            *
     * here's a proof                                           */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* argv/argc are deliberately swapped in all of these; they still compile. */
    int main(int argv, char **argc) {
            short int zero = 0;
            int *plen = (int *)malloc(sizeof(int));
            char buf[256];

            strcpy(buf, argc[1]);           /* unchecked copy into 256 bytes */
            printf("%s%hn\n", buf, plen);   /* %hn stores the character count so far as a short */
            while (zero);
    }
    
    
    /* fs2.c                                                    *
     * specially crafted to feed your brain by gera@core-sdi.com */

    /* Can you tell me what's above the edge?                   */

    #include <stdio.h>

    int main(int argv, char **argc) {
            char buf[256];

            /* the format names four conversions but only one argument is passed:
             * %c%c%hn are satisfied from whatever sits above on the stack */
            snprintf(buf, sizeof buf, "%s%c%c%hn", argc[1]);
            snprintf(buf, sizeof buf, "%s%c%c%hn", argc[2]);
    }
    
    
    /* fs3.c                                                    *
     * specially crafted to feed your brain by riq@core-sdi.com  */

    /* Not enough resources?                                    */

    #include <stdio.h>

    int main(int argv, char **argc) {
            char buf[256];

            /* same shape as fs2.c, but only one call: the output is cut at
             * 256 bytes, the count %hn stores is not */
            snprintf(buf, sizeof buf, "%s%c%c%hn", argc[1]);
    }
    
    
    /* fs4.c                                                    *
     * specially crafted to feed your brain by gera@core-sdi.com */

    /* Have you ever heard about code reusability?              */

    #include <stdio.h>

    int main(int argv, char **argc) {
            char buf[256];

            /* %6$hn writes through the sixth argument slot, which was never passed */
            snprintf(buf, sizeof buf, "%s%6$hn", argc[1]);
            printf(buf);    /* buf, still attacker data, is now used as a format string itself */
    }
    
    
    /* fs5.c                                                    *
     * specially crafted to feed your brain by gera@core-sdi.com */

    /* go, go, go!                                              */

    #include <stdio.h>

    int main(int argv, char **argc) {
            char buf[256];
            snprintf(buf, sizeof buf, argc[1]);   /* argc[1] is the format string */

                           /* this line'll make your life easier */
    //      printf("%s\n", buf);
    }
    
    
    
    
    --- for a personal reply use: Gerardo Richarte <geraat_private>
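The thing fs1.c through fs5.c all turn on is that %n and its short-sized
variant %hn store the number of characters produced so far through a
pointer argument, so whoever controls the output length (or, with %hn, the
output length modulo 65536) controls the value written. The following is an
added example, not code from gera's post or from Core SDI: it reproduces the
"%s%hn" count from fs1.c against a local variable, then shows the two
standard moves built on it, a controlled 16-bit write and a 32-bit write done
as two %hn writes to adjacent halves. The function names, the "%*.0d" padding
trick and the run-time byte-order check are this example's own choices; no
target address or exploit for the challenge programs is implied.

```c
#include <stdio.h>
#include <string.h>

/* Two padded segments of at most 65535 bytes each plus the NUL, so nothing
 * here depends on what snprintf counts after truncating its output. */
static char scratch[2 * 65535 + 1];

/* Mirrors the write in fs1.c: "%s%hn" stores the number of characters
 * emitted so far, i.e. strlen(s) reduced to 16 bits, through the pointer.
 * Attacker-chosen data has become a value, not just bytes in a buffer. */
unsigned short count_via_hn(const char *s)
{
    short n = 0;
    snprintf(scratch, sizeof scratch, "%s%hn", s, &n);
    return (unsigned short)n;
}

/* A controlled 16-bit write: "%*.0d" with value 0 and precision 0 prints
 * no digits, only `width` spaces, so the running count equals `value`
 * exactly when %hn fires. */
unsigned short fmt_write_short(unsigned short *target, unsigned short value)
{
    snprintf(scratch, sizeof scratch, "%*.0d%hn", (int)value, 0, (short *)target);
    return *target;
}

/* A 32-bit write as two %hn writes to the two halves of *target.  The
 * count only grows, but %hn keeps its low 16 bits, so the second pad is
 * (high - low) mod 65536 and total output stays under 128 KiB for any
 * value.  Which half is the low one is detected at run time. */
unsigned int fmt_write_int(unsigned int *target, unsigned int value)
{
    unsigned int probe = 1;
    int little = *(unsigned char *)&probe;
    unsigned short *half = (unsigned short *)target;
    short *lo = (short *)(little ? half : half + 1);
    short *hi = (short *)(little ? half + 1 : half);
    unsigned short want_lo = value & 0xffff;
    unsigned short want_hi = (value >> 16) & 0xffff;
    unsigned short pad2 = (unsigned short)(want_hi - want_lo);   /* mod 65536 */

    snprintf(scratch, sizeof scratch, "%*.0d%hn%*.0d%hn",
             (int)want_lo, 0, lo, (int)pad2, 0, hi);
    return *target;
}

/* Small wrappers that own the variable being written, for a clean call. */
unsigned short short_write_demo(unsigned short value)
{
    unsigned short s = 0;
    return fmt_write_short(&s, value);
}

unsigned int int_write_demo(unsigned int value)
{
    unsigned int w = 0;
    return fmt_write_int(&w, value);
}

int main(void)
{
    printf("%%hn after \"AAAA\"   -> %u\n", count_via_hn("AAAA"));
    printf("16-bit write 0xbeef -> 0x%04x\n", short_write_demo(0xbeef));
    printf("32-bit write        -> 0x%08x\n", int_write_demo(0xdeadbeefu));
    return 0;
}
```

The second write in fmt_write_int is the reason the challenges pair a
256-byte buffer with a short-sized conversion: a full 32-bit count would need
gigabytes of output, while two 16-bit counts need at most two 64 KiB pads,
and the order of the two writes does not matter because only the low 16 bits
of the running count survive.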
    



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 09:10:39 PST