Re: [Vuln-dev Challenge] Challenge #2
From: Janus N. (janus_at_bananus.dk)
Date: 05/28/03
- Previous message: Phrack Magazine: "Call for Papers (#61)"
- Maybe in reply to: Dave McKinney: "[Vuln-dev Challenge] Challenge #2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: vuln-dev@securityfocus.com
Date: 28 May 2003 01:11:39 +0200
On Tue, 2003-05-27 at 23:03, Robert Hogan wrote:
> > We want to set (overflow) the bfp pointer with the address of the printf
> > command. We subtract two because the db.log file starts with two ';;'.
> > These will then be written two bytes before printf code starts ---
> > corrupting whatever is there (but we really don't care about that).
>
> One (hopefully final) request for clarification:
>
> When fgets finds bfp (with the address of printf there), it jumps to printf and
> executes the value in bfp (which is now shellcode)???
>
> Is this correct?
We overwrite the bfp pointer (which is stored on the stack) at the
strcpy(buf, argv[1]) line. Now bfp points to the printf function - 2. fgets
will then read BFSIZE bytes from db.log and write them to the memory
that bfp points to (the address of printf minus 2).
> I still don't really get the printf_got -2 thing. I would have thought that if
> printf is at a given address, changing that address would point to something
> else that is not the printf command! Obviously not, but I don't understand
> how.
If you take a look at
fprintf(f1, ";;%s;;", argv[2]);
you see that the first two bytes of db.log will be ';;'. We don't want
';;' to overwrite the printf function, so that is why we subtract 2 (then
we will overwrite something else ... but we really do not care. We won't
need it).
Hope this makes it clear.
Regards,
Janus
-- Janus N. Tøndering <janus@bananus.dk>
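Added example (not the challenge program and not code from this thread): it models the frame layout Janus describes, a fixed-size buf immediately followed by the bfp pointer, as a plain byte array so the overflow of strcpy(buf, argv[1]) onto bfp can be observed without undefined behaviour, and places the unchecked copy beside a bounded one that refuses input that would reach bfp. BUFSZ and the pointer value are assumed, since the challenge source is not on this page.

```c
/* Added example: models the "buf then bfp" stack layout from the thread as a
 * byte array.  Nothing here dereferences the corrupted pointer. */
#include <stdint.h>
#include <string.h>

#define BUFSZ 16                               /* assumed size of buf */
#define FRAME_SZ (BUFSZ + sizeof(uintptr_t))   /* buf followed by bfp */

struct frame { unsigned char bytes[FRAME_SZ]; };

/* bfp lives right after buf, exactly the adjacency the overflow relies on. */
uintptr_t read_bfp(const struct frame *f) {
    uintptr_t p;
    memcpy(&p, f->bytes + BUFSZ, sizeof p);
    return p;
}

void init_frame(struct frame *f, uintptr_t legit_bfp) {
    memset(f->bytes, 0, FRAME_SZ);
    memcpy(f->bytes + BUFSZ, &legit_bfp, sizeof legit_bfp);
}

/* The vulnerable pattern, strcpy(buf, argv[1]) with no length check:
 * strlen(arg)+1 bytes go into the frame, and every byte past BUFSZ lands
 * on bfp.  Returns what bfp holds afterwards.  (The copy is clamped to the
 * model's frame so the simulation itself stays in bounds.) */
uintptr_t vuln_copy(struct frame *f, const char *arg) {
    size_t n = strlen(arg) + 1;
    if (n > FRAME_SZ) n = FRAME_SZ;
    memcpy(f->bytes, arg, n);
    return read_bfp(f);
}

/* Hardened copy: the string plus its terminator must fit in buf, otherwise
 * the frame is left untouched.  memchr bounds the scan to BUFSZ bytes so an
 * unterminated argument is never read past buf's size.
 * Returns 0 on success, -1 when the input was rejected. */
int safe_copy(struct frame *f, const char *arg) {
    if (memchr(arg, '\0', BUFSZ) == NULL)      /* no terminator inside buf */
        return -1;
    memcpy(f->bytes, arg, strlen(arg) + 1);
    return 0;
}
```

Note that an argument of exactly BUFSZ characters is also rejected: its NUL terminator alone would already clobber the first byte of bfp.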