On Monday 26 May 2003 16:59, Janus N. wrote:
> > ## ...MEDIC! what is this? What are you doin?
> > ## WHY are you doing it? omg halp!
> > ## Assigning the address of printf_got-2 to
> > ## to the address pointed to by p?
> >
> > > *((void**)p) = (void*)(printf_got - 2); /* to avoid
>
> We want to set (overflow) the bfp pointer with the address of the printf
> command. We subtract two because the db.log file starts with two ';;'.
> These will then be written two bytes before printf code starts ---
> corrupting whatever is there (but we really don't care about that).

One (hopefully final) request for clarification: when fgets finds bfp (with
the address of printf there) it jumps to printf and executes the value in
bfp (which is now shellcode)??? Is this correct?

I still don't really get the printf_got -2 thing. I would have thought that
if printf is at a given address, changing that address would point to
something else that is not the printf command! Obviously not, but I don't
understand how.

> > > /* calculate address of shellcode. Assumes fixed
> > > stack-base
> > > and Linux os */
> >
> > ## few questions on this one.
> > ## where did you get the 0xbffffffa?
> > ## also how did you get it.
> > ## Why are we subtracting the length of
> > ## the name of the vulnerable program from it?
> > ## And worse yet we're subtracting the length
> > ## of the shellcode from that, so now i'm
> > ## really lost. I'm inclined to think this
> > ## has something to do with the environment.
> > ## but i can't for the life of me figure out
> > ## what.
> >
> > > saddr = 0xbffffffa - strlen(victim) -
> > > strlen(shellcode);
>
> Take a look at Murat's: Buffer Overflows Demystified:
> http://www.enderunix.org/docs/eng/bof-eng.txt
>
> > ## ok make argv2 point to value of saddr.
> >
> > > *((char**)arg2) = (char *)(saddr);
> > >
> > > printf("[i] shellcode is at 0x%08x\n", saddr);
> > > printf("[i] printf GOT is 0x%08x\n", printf_got);
> > > printf("[i] using 0x%08x as GOT\n", printf_got -
> > > 2);
>
> Hope this helps.
>
> Regards,
> Janus
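The GOT overwrite discussed in this thread depends on the GOT still being writable while the program runs. The check below is an added defender-side example (not code from the thread, from Janus, or from the exploit under discussion): it classifies a little-endian ELF64 binary's RELRO level the way checksec-style tools do, where a GNU_RELRO segment together with a BIND_NOW flag means every GOT slot is resolved and then made read-only before main(). The sample ELF images are constructed inside the script.

```python
import struct

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552            # segment emitted by "ld -z relro"
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1     # either flag: all GOT entries bound at load time

def parse_phdrs(data):
    """Yield the program headers of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (phoff,) = struct.unpack_from("<Q", data, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(phnum):
        yield struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize)

def relro_level(data):
    """'none': GOT writable for the whole run; 'partial': .got read-only but lazily
    bound .got.plt slots (e.g. printf) still writable; 'full': GOT read-only before main()."""
    has_relro = bind_now = False
    for p_type, _flags, p_offset, _va, _pa, p_filesz, *_ in parse_phdrs(data):
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    if not has_relro:
        return "none"
    return "full" if bind_now else "partial"

def build_elf64(relro, bind_now):
    """Constructed sample image: ELF header, program headers and a dynamic section only."""
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n = 2 if relro else 1
    dyn_off = 64 + 56 * n                 # dynamic section follows the program headers
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, n, 64, 0, 0)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    for relro, now in ((False, False), (True, False), (True, True)):
        print("relro", relro, "bind_now", now, "->", relro_level(build_elf64(relro, now)))
```

Pass the bytes of a real binary to relro_level() to classify it; only "full" stops a load-time write to a lazily bound GOT slot such as printf's.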
This archive was generated by hypermail 2b30 : Fri May 30 2003 - 13:57:42 PDT