
Re: [Vuln-dev Challenge] Challenge #2

From: Janus N. <janus(at)bananus.dk>
Date: Tue May 27 2003 - 19:11:39 EDT

On Tue, 2003-05-27 at 23:03, Robert Hogan wrote:
> > We want to set (overflow) the bfp pointer with the address of the printf

We overwrite the bfp pointer (which is stored on the stack) at the strcpy(buf, argv[1]) line. Now bfp points to the printf function - 2. fgets will then read BFSIZE bytes from db.log and write them to the memory that bfp points to (address of printf minus 2).

> I still don't really get the printf_got -2 thing. I would have thought that if
> printf is at a given address, changing that address would point to something
> else that is not the printf command! Obviously not, but I don't understand
> how.

If you take a look at
fprintf(f1, ";;%s;;", argv[2]);
you see that the first two bytes of db.log will be ';;'. We don't want ';;' to overwrite the printf function, so that is why we subtract 2 (then we will overwrite something else ... but we really do not care. We won't need it).

Hope this makes it clear.

Regards,
Janus

-- 
Janus N. Tøndering 
Received on Fri May 30 17:01:28 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

