Subject: Re: format-string exploit under Windows?
From: Thomas Dullien (dullienGMX.DE)
Date: Tue Jul 11 2000 - 23:04:12 CDT


At 05:52 PM 7/11/2000 +0200, you wrote:

> LPSTR cmdline = GetCommandLine();
> LPSTR prg = strtok(cmdline, " ");
> CHAR errmsg[1024];
> [...]
> sprintf(errmsg, _("%s: Interrupt/Exception caugh "), prg);
> [...]
> fprintf(stderr, errmsg);
(..)
> The important thing for me is the fprintf() without a proper format string.
> So is it possible to exploit that vulnerability in fprintf() by putting
> some evil code into 'prg'? Assuming it is less than 1024 because of the buffer
> overflow in sprintf() :)

I don't see why this should not be exploitable. I doubt you can gain
anything from exploiting it though as you're invoking it and the
thing will run in your security context.
If you want to send me a binary of the prog so I can have a look,
go ahead :)
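The code path quoted above, as an added example (this is not the original poster's program, nor code from Thomas). It models the same four steps in portable C so it runs outside Windows: the command line is a constructed string rather than the result of GetCommandLine(), the first token is copied out instead of calling strtok(), the unbounded sprintf() is replaced by snprintf() with an explicit size, and the hypothetical helper format_into() stands in for fprintf(stderr, ...) by rendering into a buffer so the effect can be inspected. report_vulnerable() reproduces the bug (errmsg, which embeds the attacker-controlled program name, is the format string); report_fixed() shows the one-line fix (a literal "%s" format with errmsg passed as an argument). The input "%08x.%08x" is constructed attacker data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Equivalent of strtok(cmdline, " "): copy the first space-delimited token
 * into tok, bounded by n so the copy itself cannot overflow. */
static void first_token(const char *cmdline, char *tok, size_t n)
{
    size_t i = 0;
    while (cmdline[i] != '\0' && cmdline[i] != ' ' && i + 1 < n) {
        tok[i] = cmdline[i];
        i++;
    }
    tok[i] = '\0';
}

/* The sprintf() step of the posted code.  snprintf with an explicit size
 * replaces the unbounded sprintf, so an overlong token cannot overflow errmsg. */
static void build_errmsg(char *errmsg, size_t n, const char *prg)
{
    snprintf(errmsg, n, "%s: Interrupt/Exception caught ", prg);
}

/* Hypothetical stand-in for fprintf(stderr, ...): identical runtime-format
 * semantics (fmt is interpreted, varargs are consumed), but the result goes
 * into `out` instead of stderr so it can be checked. */
static int format_into(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* The posted bug: errmsg, which embeds the attacker-controlled `prg`, is the
 * format string.  Every %-directive in the program name is interpreted; with
 * no matching arguments this is undefined behaviour, and in practice each %x
 * reads whatever sits in the next argument register or stack slot (the
 * classic information leak), while %n would write to memory. */
int report_vulnerable(const char *cmdline, char *out, size_t n)
{
    char prg[256];
    char errmsg[1024];
    first_token(cmdline, prg, sizeof prg);
    build_errmsg(errmsg, sizeof errmsg, prg);
    return format_into(out, n, errmsg);        /* errmsg used as format */
}

/* The fix: the format string is a literal and errmsg is passed as data, so a
 * '%' in the program name is copied through verbatim. */
int report_fixed(const char *cmdline, char *out, size_t n)
{
    char prg[256];
    char errmsg[1024];
    first_token(cmdline, prg, sizeof prg);
    build_errmsg(errmsg, sizeof errmsg, prg);
    return format_into(out, n, "%s", errmsg);  /* errmsg used as argument */
}

/* 1 if the rendered message still carries a '%', i.e. the attacker's
 * directive survived as literal text (the safe outcome); 0 if it was
 * expanded by the printf engine. */
int has_unexpanded_directive(const char *rendered)
{
    return strchr(rendered, '%') != NULL;
}

int main(void)
{
    /* Constructed attacker input: the "program name" token carries two
     * directives that each consume an int when interpreted as a format. */
    const char *cmdline = "%08x.%08x --verbose";
    char out[2048];

    report_vulnerable(cmdline, out, sizeof out);
    printf("vulnerable: %s\n", out);   /* two 8-digit hex words leaked, no '%' left */

    report_fixed(cmdline, out, sizeof out);
    printf("fixed:      %s\n", out);   /* "%08x.%08x: Interrupt/Exception caught " */
    return 0;
}
```

Only %x-style directives are used in the sample input so the demonstration reads garbage without dereferencing it; %s or %n on the same path would dereference or write through those leaked values, which is where the exploit would go. The general rule the fix illustrates: the format argument of any printf-family call must be a string literal, and runtime data goes in the argument list (or through fputs() when no formatting is needed).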