On Tue, 2003-05-27 at 23:03, Robert Hogan wrote:

> > We want to set (overflow) the bfp pointer with the address of the printf
> > command. We subtract two because the db.log file starts with two ';;'.
> > These will then be written two bytes before printf code starts ---
> > corrupting whatever is there (but we really don't care about that).
>
> One (hopefully final) request for clarification:
>
> when fgets finds bfp (with the address of printf there) it jumps to printf and
> executes the value in bfp (which is now shellcode)???
>
> Is this correct?

We overwrite the bfp pointer (which is stored on the stack) at the
strcpy(buf, argv[1]) line. Now bfp points to printf function - 2. fgets will
then read BFSIZE bytes from db.log and write them to the memory that bfp
points to (address of printf minus 2).

> I still don't really get the printf_got -2 thing. I would have thought that if
> printf is at a given address, changing that address would point to something
> else that is not the printf command! Obviously not, but I don't understand
> how.

If you take a look at fprintf(f1, ";;%s;;", argv[2]); you see that the first
two bytes of db.log will be ';;'. We don't want ';;' to overwrite the printf
function, so that is why we subtract 2 (then we will overwrite something else
... but we really do not care. We won't need it).

Hope this makes it clear.

Regards,
Janus

--
Janus N. Tøndering <janusat_private>
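The defect Janus walks through (an unbounded strcpy that runs past buf into the adjacent bfp pointer, which fgets then writes through) beside its bounded form, as an added C example that is not code from the thread or from the program under discussion; the struct layout, the BFSIZE value and the function names are assumptions, since the real program's stack layout is compiler dependent:

```c
/* Added example, not from the thread. A struct is used so that buf and bfp
 * are adjacent deterministically (assumption; on the real stack the
 * compiler decides the layout). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BFSIZE 16   /* assumed value; the thread only names the constant */

/* Model of the vulnerable frame: a fixed buffer, then the pointer fgets
 * will later write through. */
struct frame {
    char  buf[BFSIZE];
    char *bfp;
};

/* Vulnerable pattern from the thread: strcpy(buf, argv[1]) with no bound.
 * Written as a byte loop over the whole struct so the overrun into bfp stays
 * inside one object (a real strcpy overrun is undefined behaviour). */
void copy_unbounded(struct frame *f, const char *src)
{
    unsigned char *raw = (unsigned char *)f;
    for (size_t i = 0; offsetof(struct frame, buf) + i < sizeof *f; i++) {
        raw[offsetof(struct frame, buf) + i] = (unsigned char)src[i];
        if (src[i] == '\0') break;
    }
}

/* Hardened form: measure first and refuse input that does not fit, so the
 * copy can never reach bfp. Returns 0 on success, -1 when rejected. */
int copy_bounded(struct frame *f, const char *src)
{
    size_t n = strlen(src);
    if (n >= BFSIZE) return -1;
    memcpy(f->buf, src, n + 1);   /* n + 1 copies the terminating NUL */
    return 0;
}

/* Runs one copy and reports whether bfp still holds its original value
 * (compared byte for byte). 1 = intact, 0 = clobbered by the copy. */
int pointer_intact_after(int bounded, const char *src)
{
    char sentinel[BFSIZE];
    struct frame f;
    char *expected = sentinel;
    memset(&f, 0, sizeof f);
    f.bfp = sentinel;
    if (bounded) copy_bounded(&f, src); else copy_unbounded(&f, src);
    return memcmp(&f.bfp, &expected, sizeof expected) == 0;
}
```

With a 24-byte argument the unbounded copy overwrites bfp (so a later fgets would write wherever those bytes point), while the bounded copy rejects the argument and leaves bfp untouched.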
This archive was generated by hypermail 2b30 : Fri May 30 2003 - 13:57:41 PDT