Re: Help, problems finding addresses with format strings
From: Marco Ivaldi (raptor0xdeadbeef.info)
Date: Fri Feb 20 2004 - 04:46:22 CST
> Having some experience with BOF, I decided to read some docs about
> format string vulnerabilities, but... my surprise is that, for some
> reason, I can't find anything similar to this doc; I'd like someone with
> experience to help me. My system is a Debian/GNU Linux sid with gcc 3.3.3
I strongly suggest that you read the excellent format string tutorial
by scut. You can find it at:
> Look at this simple (apparently) code:
> Now... I think that's where the char vuln starts, at 0xbffff4d0, no? I
> want to overwrite this buffer and theoretically overwrite main's ret address
> with another.
Usually, format string vulnerabilities can be turned into an "overwrite (at
least) an arbitrary address in memory" primitive. So, probably your best
choice is to overwrite the first function pointer inside the .dtors
section, the __deregister_frame_info, or some other entries in .got. Those
addresses are easier to locate than the classical main() retloc.
> 1- How can I guess (theoretically and practically) this ret address in the
> stack? (I think it is in the stack)
> 2- When I have the value of the ret address, I think I have to overwrite
> it using techniques like %8x and %n, isn't it?
> Help me to solve this problem please...
Find attached an example exploit for your vulnerable program. The code is
well commented and should be self-explanatory. You may also want to look
at my collection of vulnerable code and related exploits, available at:
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
- TEXT/PLAIN attachment: fmt-ex.c
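As an added example (not the attached fmt-ex.c and not the poster's program), the vulnerable call next to its fix, plus a small scanner that parses format directives and counts the `%n` conversions that give format strings the arbitrary-write primitive discussed above; the function name and its behaviour are assumptions, not part of the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The pattern behind the thread: user data used directly as the format.
 * A "%n" in 'buf' makes printf write the number of bytes emitted so far
 * through a pointer it takes from the argument area, which is the
 * arbitrary-write primitive described above. The fixed version passes
 * the data as an argument to a constant format, so it is never parsed. */
void log_vulnerable(const char *buf) { printf(buf); }
void log_fixed(const char *buf)      { printf("%s", buf); }

/* Hypothetical check for code review or input validation: parse 'fmt' the
 * way printf would and return how many "%n" (write) directives it holds;
 * *total receives the number of conversions of any kind. Data that reaches
 * printf as a format should contain zero conversions. */
int count_format_directives(const char *fmt, int *total) {
    int writes = 0, conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;           /* "%%" is a literal percent sign */
        /* skip positional "N$", flags, width ('*' or digits), precision */
        while (*p && strchr("0123456789$-+ #'.*", *p)) p++;
        /* skip length modifiers such as "l", "ll", "h", "hh", "z" */
        while (*p && strchr("hlLqjzt", *p)) p++;
        if (!*p) break;                    /* directive cut off at end of string */
        conversions++;
        if (*p == 'n') writes++;
    }
    if (total) *total = conversions;
    return writes;
}

int main(void) {
    /* constructed sample: the classic "%08x...%n" shape from the thread */
    int total;
    int writes = count_format_directives("%08x.%08x.%n", &total);
    printf("conversions=%d, writes=%d\n", total, writes);
    log_fixed("%08x.%08x.%n");   /* printed literally, nothing is parsed */
    return 0;
}
```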