Re: [Vuln-dev Challenge] Challenge #2

From: Robert Hogan (robert_at_roberthogan.net)
Date: 05/27/03

    To: "Janus N." Tøndering <janus@bananus.dk>
    Date: Tue, 27 May 2003 22:03:18 +0100
    
    

    On Monday 26 May 2003 16:59, Janus N. wrote:

    > >
    > > ## ...MEDIC! what is this? What are you doin?
    > > ## WHY are you doing it? omg halp!
    > > ## Assigning the address of printf_got-2 to
    > > ## the address pointed to by p?
    > >
    > > > *((void**)p) = (void*)(printf_got - 2); /* to avoid
    >
    > We want to set (overflow) the bfp pointer with the address of the printf
    > command. We subtract two because the db.log file starts with two ';;'.
    > These will then be written two bytes before printf code starts ---
    > corrupting whatever is there (but we really don't care about that).

    One (hopefully final) request for clarification:

    When fgets finds bfp (with the address of printf there) it jumps to printf and
    executes the value in bfp (which is now shellcode)???

    Is this correct?

    I still don't really get the printf_got -2 thing. I would have thought that if
    printf is at a given address, changing that address would point to something
    else that is not the printf command! Obviously not, but I don't understand
    how.

    >
    > > > /* calculate address of shellcode. Assumes fixed
    > > > stack-base
    > > > and Linux os */
    > >
    > > ## few questions on this one.
    > > ## where did you get the 0xbffffffa?
    > > ## also how did you get it.
    > > ## Why are we subtracting the length of
    > > ## the name of the vulnerable program from it?
    > > ## And worse yet we're subtracting the length
    > > ## of the shellcode from that, so now i'm
    > > ## really lost. I'm inclined to think this
    > > ## has something to do with the environment.
    > > ## but i can't for the life of me figure out
    > > ## what.
    > >
    > > > saddr = 0xbffffffa - strlen(victim) -
    > > > strlen(shellcode);
    >
    > Take a look at Murat's "Buffer overflows demystified":
    > http://www.enderunix.org/docs/eng/bof-eng.txt
    >
    > > ## ok make argv2 point to value of saddr.
    > >
    > > > *((char**)arg2) = (char *)(saddr);
    > > >
    > > > printf("[i] shellcode is at 0x%08x\n", saddr);
    > > > printf("[i] printf GOT is 0x%08x\n", printf_got);
    > > > printf("[i] using 0x%08x as GOT\n", printf_got -
    > > > 2);
    >
    > Hope this helps.
    >
    > Regards,
    > Janus

