Re: [Format String vulnerabilities]

From: DownBload (downbloadhotmail.com)
Date: Sun May 23 2004 - 13:53:32 CDT


In-Reply-To: <200405221248.i4MCmwxO081759mailserver1.hushmail.com>

If you want to reach your input (AAAA), you must pad the stack with a few %x, or use direct access with %N$x (N is the number of the element's position in memory).

Example:

[root@laptop TEST]# ./fmt "AAAA%x.%x.%x.%x.%x"
AAAAbffffbbb.400.0.41414141.252e7825
[root@laptop TEST]#
[root@laptop TEST]# ./fmt "AAAA%4\$x"
AAAA41414141
[root@laptop TEST]#

As we can see, our input AAAA is in 4th place in both examples, so it *is* on the stack :-)

Bye.

>Hello vuln-dev,
> Query regarding format string vulnerabilities..
>
> The majority of tutorials give an example of the following form:
>
>(taken from NN-formats.txt [NOP Ninjas - Format String Technique])
>fmt1.c ----------------------------------------------------
>
>#include <stdio.h>
>#include <string.h>
>
>int main(int argc, char *argv[]) {
> char buf[1024];
>
> if (argc < 2)
>  return 1;
> strncpy(buf, argv[1], sizeof(buf));
> printf(argv[1]); /* the bug: user input is used as the format string */
> printf("\n");
> return 0;
>}
>------------------------------------------------------------
>
>slothsin$ ./fmt 'AAAA %x'
>AAAA 41414141
>
>Surely, however, the format string *itself* isn't passed on the stack
>but a pointer to the format string; therefore the %x modifier would
>return a hex representation of the address pointing to the string, *not*
>a hex representation of the string contents?
>
>On my linux/i386 system this produces:
>
>root@xpl:~# ./fmt1 'AAAA %x'
>AAAA bffffbec
>
>Similarly, a printf("AAAA %x"); style format string would print out the
>hex representation of the ELF .rodata section address where the string
>is stored, not any values contained within.
>
>Can anybody clarify all of this?
>
>Much appreciated,
>vxpl-
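Added example (not code from this thread or from NN-formats.txt): the stack walk the reply describes, done programmatically. A logging wrapper that forwards its argument as the vsnprintf format plays the role of printf(argv[1]); the program sends the padded "AAAA%x.%x...." probe through it, parses the output to find which conversion printed 41414141, and then hits the same slot with "%N$x". The helper names vuln_log, build_padded_probe, build_direct_probe and marker_position are invented for this example, and the attacker input is constructed in main. It assumes a Linux/glibc build. Two caveats for running it today: on x86-64 the first varargs come from registers and each stack slot is 8 bytes wide, so the slot count differs from the i386 output quoted above; and with glibc's fortify mode on (-D_FORTIFY_SOURCE, enabled by default on several distributions when optimizing) a direct-access probe that skips lower positions, such as a lone %4$x, is rejected with "invalid %N$ use detected", so build without it (or stay with the padded form) for the demonstration.

```c
/* Added example, not from the post: locate the caller's buffer through a
 * format-string bug with a padded "%x." probe, then with "%N$x".
 * vuln_log, build_padded_probe, build_direct_probe and marker_position are
 * hypothetical helper names chosen for this example. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MARKER "AAAA"   /* comes back as 41414141 when printf pops it with %x */

/* The vulnerable pattern: a logging wrapper that hands a caller-supplied
 * string to vsnprintf as the *format*.  vuln_log(out, n, user_input)
 * behaves like printf(argv[1]) in fmt1.c: no real varargs, so every %x
 * pops whatever sits in the register save area and then on the stack. */
static void vuln_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);   /* attacker controls the format */
    va_end(ap);
}

/* Build "AAAA%x.%x. ... %x." with nspec conversions.
 * Returns the length written, or -1 if it does not fit in out. */
static int build_padded_probe(char *out, size_t outlen, unsigned nspec)
{
    size_t need = strlen(MARKER) + (size_t)nspec * 3 + 1;
    if (need > outlen)
        return -1;
    strcpy(out, MARKER);
    for (unsigned i = 0; i < nspec; i++)
        strcat(out, "%x.");
    return (int)strlen(out);
}

/* Build the direct-access probe "AAAA%N$x" for vararg slot n. */
static int build_direct_probe(char *out, size_t outlen, unsigned n)
{
    int r = snprintf(out, outlen, "%s%%%u$x", MARKER, n);
    return (r < 0 || (size_t)r >= outlen) ? -1 : r;
}

/* Parse padded-probe output such as the post's
 * "AAAAbffffbbb.400.0.41414141.252e7825" and return the 1-based index of
 * the conversion that printed the marker (the N for %N$x), or 0 if the
 * marker was not reached. */
static unsigned marker_position(const char *output)
{
    size_t mlen = strlen(MARKER);
    const char *p = output;
    unsigned idx = 1;

    if (strncmp(p, MARKER, mlen) != 0)
        return 0;
    p += mlen;
    while (*p != '\0') {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 8 && strncmp(p, "41414141", 8) == 0)
            return idx;
        if (dot == NULL)
            break;
        p = dot + 1;
        idx++;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    static char out[2048];  /* static: keeps it out of main's stack frame */
    char input[256];        /* on the stack, like buf[] in fmt1.c */
    unsigned n;

    /* Constructed attacker input (64 probes); argv[1] overrides it. */
    if (argc > 1) {
        strncpy(input, argv[1], sizeof input - 1);
        input[sizeof input - 1] = '\0';
    } else if (build_padded_probe(input, sizeof input, 64) < 0) {
        return 1;
    }

    vuln_log(out, sizeof out, input);   /* the bug: input is the format */
    printf("%s\n", out);

    n = marker_position(out);
    if (n == 0) {
        printf("marker not reached; add more %%x conversions\n");
        return 1;
    }
    printf("marker is vararg slot %u\n", n);

    /* Same slot via direct parameter access; input[] still starts with
     * AAAA, so this prints "AAAA41414141" as in the reply above. */
    if (build_direct_probe(input, sizeof input, n) > 0) {
        vuln_log(out, sizeof out, input);
        printf("%s -> %s\n", input, out);
    }
    return 0;
}
```

Run it with no arguments to see the padded walk and the direct-access hit, or pass your own probe string as argv[1]. marker_position is the manual "count the fields until 41414141" step from the reply; feeding it the exact line quoted there returns 4.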