Subject: format-string exploit under Wndows?
From: Tomasz Grabowski (cadence APOLLO.ACI.COM.PL)
Date: Tue Jul 11 2000 - 10:52:33 CDT
- Next message: Settle, Sean: "Re: Default passwords using Cisco ConfigMaker"
- Previous message: Rodrick Brown: "Re: Probally Bug in latest Bind : remote overwrite dns table entries"
- In reply to: Thomas Dullien: "Re: Blue Boars question..."
- Next in thread: Thomas Dullien: "Re: format-string exploit under Wndows?"
- Reply: Tomasz Grabowski: "format-string exploit under Wndows?"
- Reply: Bluefish: "Re: format-string exploit under Wndows?"
Hello.
I am wondering if there is a possibility to exploit that "user-supplied format
string error" under Windows.
Let's look at the package "make" source code.
In file main.c, in the section #ifdef WINDOWS32 (about line number 500), we can
find the following:
LPSTR cmdline = GetCommandLine();
LPSTR prg = strtok(cmdline, " ");
CHAR errmsg[1024];
[...]
sprintf(errmsg, _("%s: Interrupt/Exception caught "), prg);
[...]
fprintf(stderr, errmsg);
First of all, I'm not sure exactly how that 'LPSTR' works, but I think
it can be an unlimited-length string.
Nice sprintf().
No matter...
The important thing for me is the fprintf() without a proper format string.
So is it possible to exploit that vulnerability in fprintf() by putting
some evil code into 'prg'? Assuming it is less than 1024 because of the buffer
overflow in sprintf() :)
Has someone tried something like this on his own Windows?
Hints?
___
{Tomasz Grabowski} (cadence aci.com.pl) [Akademickie Centrum Informatyki]
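The main.c pattern quoted above beside its constant-format fix, as an added example that is neither make's code nor part of the original post. It assumes a hypothetical `emit()` standing in for fprintf(stderr, ...) that writes into a buffer so the result can be inspected, and a constructed program name in place of the first token of GetCommandLine().

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for fprintf(stderr, ...): forwards its format to vsnprintf the
 * same way fprintf forwards to vfprintf, but captures the text in `out`. */
static int emit(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape from make's main.c: errmsg, which contains the
 * user-derived program name, is itself used as the format string, so any
 * '%' in prg is parsed as a conversion directive.  (make used sprintf into
 * a 1024-byte buffer; snprintf is used here only to keep the example
 * in bounds, the format-string defect is unchanged.) */
int report_unsafe(char *out, size_t outsz, const char *prg) {
    char errmsg[1024];
    snprintf(errmsg, sizeof errmsg, "%s: Interrupt/Exception caught ", prg);
    return emit(out, outsz, errmsg);
}

/* Hardened shape: a constant format, and errmsg passed as data.  A '%'
 * in the program name is now printed literally. */
int report_safe(char *out, size_t outsz, const char *prg) {
    char errmsg[1024];
    snprintf(errmsg, sizeof errmsg, "%s: Interrupt/Exception caught ", prg);
    return emit(out, outsz, "%s", errmsg);
}

int main(void) {
    /* Constructed program name: "%%" is well defined as a directive, so the
     * two outputs differ without invoking undefined behaviour. */
    const char *prg = "make%%";
    char buf[256];
    report_unsafe(buf, sizeof buf, prg);
    printf("unsafe: %s\n", buf);   /* make%: Interrupt/Exception caught */
    report_safe(buf, sizeof buf, prg);
    printf("safe:   %s\n", buf);   /* make%%: Interrupt/Exception caught */
    return 0;
}
```

Compilers flag the unsafe shape with -Wformat-security when the call is a direct printf-family call with a non-literal format, which is the cheapest way to find this pattern in a code base.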