Re: [Vuln-dev Challenge] Challenge #2

From: Robert Hogan (robertat_private)
Date: Tue May 27 2003 - 14:03:18 PDT


On Monday 26 May 2003 16:59, Janus N. wrote:

> >
> >         ## ...MEDIC! what is this?  What are you doin?
> >         ## WHY are you doing it? omg halp!
> >         ## Assigning the address of printf_got-2 to
> >         ## the address pointed to by p?
> >
> > > 	*((void**)p) = (void*)(printf_got - 2); /* to avoid
>
> We want to set (overflow) the bfp pointer with the address of the printf
> command. We subtract two because the db.log file starts with two ';;'.
> These will then be written two bytes before printf code starts ---
> corrupting whatever is there (but we really don't care about that).
    
One (hopefully final) request for clarification:

When fgets finds bfp (with the address of printf there), it jumps to printf and
executes the value in bfp (which is now shellcode)???

Is this correct?

I still don't really get the printf_got - 2 thing. I would have thought that if
printf is at a given address, changing that address would point to something
else that is not the printf command! Obviously not, but I don't understand
how.
    
    
>
> > > 	/* calculate address of shellcode. Assumes fixed stack-base
> > > 	   and Linux os */
> >
> >         ## few questions on this one.
> >         ## where did you get the 0xbffffffa?
> >         ## also how did you get it.
> >         ## Why are we subtracting the length of
> >         ## the name of the vulnerable program from it?
> >         ## And worse yet we're subtracting the length
> >         ## of the shellcode from that, so now i'm
> >         ## really lost.  I'm inclined to think this
> >         ## has something to do with the environment.
> >         ## but i can't for the life of me figure out
> >         ## what.
> >
> > > 	saddr = 0xbffffffa - strlen(victim) - strlen(shellcode);
>
> Take a look at Murat's: Buffer Overflows Demystified:
> http://www.enderunix.org/docs/eng/bof-eng.txt
>
> >         ## ok make argv2 point to value of saddr.
> >
> > > 	*((char**)arg2) = (char *)(saddr);
> > >
> > > 	printf("[i] shellcode is at 0x%08x\n", saddr);
> > > 	printf("[i] printf GOT is 0x%08x\n", printf_got);
> > > 	printf("[i] using 0x%08x as GOT\n", printf_got - 2);
>
> Hope this helps.
>
> Regards,
> Janus

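To make the printf_got - 2 arithmetic from the thread concrete, here is a constructed illustration added to this archive page (not code from the challenge, from Janus, or from Robert): a three-element array stands in for the GOT, and the db.log write is modelled as the six bytes ";;" plus a 4-byte value landing wherever bfp points. Every address and the slot layout are made-up assumptions; the point is only where the two ";;" bytes and the value end up relative to the printf slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for a GOT; slot 1 plays the printf entry. All addresses
 * here are made-up illustration values, not real ones. */
#define FAKE_PRINTF_ADDR 0x40050000u
#define FAKE_TARGET_ADDR 0xbfffff80u
static uint32_t got[3];

static void reset_got(void)
{
    got[0] = 0x40040000u;       /* whatever entry happens to precede printf's */
    got[1] = FAKE_PRINTF_ADDR;  /* the printf slot */
    got[2] = 0x40060000u;
}

/* The thread's db.log line is ";;" followed by the 4-byte value; write that
 * 6-byte line starting at bfp, as the vulnerable write in the challenge does. */
static void write_log_line(unsigned char *bfp, uint32_t value)
{
    unsigned char line[6];
    memcpy(line, ";;", 2);
    memcpy(line + 2, &value, sizeof value);   /* x86 byte order, as in the thread */
    memcpy(bfp, line, sizeof line);
}

/* Aim bfp at printf_got + offset and report what ends up in the printf slot. */
static uint32_t printf_slot_after(int offset)
{
    reset_got();
    write_log_line((unsigned char *)&got[1] + offset, FAKE_TARGET_ADDR);
    return got[1];
}
/* Same write, reporting the slot before printf's: with offset -2 the ";;"
 * lands in its top two bytes, the collateral corruption Janus mentions. */
static uint32_t previous_slot_after(int offset)
{
    reset_got();
    write_log_line((unsigned char *)&got[1] + offset, FAKE_TARGET_ADDR);
    return got[0];
}

int main(void)
{
    printf("bfp = printf_got    : slot = 0x%08x\n", printf_slot_after(0));
    printf("bfp = printf_got - 2: slot = 0x%08x (neighbour now 0x%08x)\n",
           printf_slot_after(-2), previous_slot_after(-2));
    return 0;   /* with RELRO (read-only GOT) either write would fault instead */
}
```

Aimed straight at printf_got, the slot receives ";;" plus half the value and the jump target is garbage; aimed two bytes earlier, the ";;" spills into the preceding entry and the slot holds exactly the intended value.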

This archive was generated by hypermail 2b30 : Fri May 30 2003 - 13:57:42 PDT