Format Strings nonexec heap/stack

From: Alex (
Date: 01/30/05

  • Next message: Benn Goldman Rivers: "Fwd: MS05-002 xploit modification - connectback addition"
    Date: Sun, 30 Jan 2005 01:04:43 -0500

    Hello, this is my first post. I hope it's in the list.

    I am posting to get some help in developing an exploit for such a condition.

    The environment:
    FreeBSD machine, nonexec heap/stack. This is a suid binary, but is
    not calling setuid().

            char * ptr ;
            ptr = getenv("TERM");

    objdump -R | grep printf
    0804999c R_386_JUMP_SLOT printf
    objdump -R | grep exit
    080499b0 R_386_JUMP_SLOT exit

    (gdb) p setuid
    $1 = {<text variable, no debug info>} 0x280c1370 <setuid>
    (gdb) p system
    $2 = {<text variable, no debug info>} 0x28093a38 <system>

    Using a format string it is possible to over-write the GOT entries for
    printf() and exit().
    I have been able to do so successfully. The problem is that it is not
    enough to do just that, since it will become system("\n") or

    On FreeBSD, arguments are passed via pushing to the stack.
    What I have been trying to do is this.

    After rewriting the GOT entry for printf as that of setuid(), I want
    to push a NULL byte onto the stack to call setuid(0);
    The GOT entry for exit() has been replaced by that of system(). So
    instead of pushing 0x0, I want to push a pointer to a "/bin/sh"

    Is this even possible? Or is there a better way of doing this?

    to overwrite GOT:
    export TERM=` printf \

    where OFFSET = stackpop(?). Usually this is ~130 but it depends on how
    your environment variables are set up.

    I'm not sure what I would do next in order to change the values that
    are being pushed. Could someone help me with this?
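    The bug the post is working against is the classic one: a value taken from
    the environment (here TERM) is handed to printf() as the format string
    itself, which is what lets "%x"/"%n" directives read and write memory and
    redirect GOT entries. The following is an added example, not code from the
    original post: it assumes the program does the equivalent of
    printf(getenv("TERM")), puts that vulnerable form beside the hardened
    "%s" form, and adds a small audit helper that counts conversion directives
    in an untrusted string (treating "%%" as a literal) and flags "%n", which
    is the directive that turns a format-string bug into an arbitrary write.
    The helper names (render_vulnerable, render_safe, count_format_directives)
    are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* VULNERABLE form (assumed to match the post's target): the untrusted
   string is used as the format itself, so any %-directive it contains
   is interpreted. snprintf is used instead of printf only so the
   result can be inspected. */
int render_vulnerable(char *out, size_t n, const char *term)
{
    return snprintf(out, n, term);          /* format-string bug */
}

/* HARDENED form: the untrusted string is only ever a %s argument, so
   its contents are copied verbatim and never parsed as directives. */
int render_safe(char *out, size_t n, const char *term)
{
    return snprintf(out, n, "%s", term);
}

/* Audit helper: count conversion directives in an untrusted string.
   "%%" is a literal percent and is not counted. If has_n is non-NULL it
   is set to 1 when a %n directive (the write primitive) is present.
   A nonzero return means the string must never reach a format
   parameter. */
int count_format_directives(const char *s, int *has_n)
{
    int count = 0;
    if (has_n)
        *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                  /* "%%" -> literal '%' */
            p++;
            continue;
        }
        count++;
        /* skip flags, width, precision and length modifiers to reach
           the conversion character */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q))
            q++;
        if (*q == 'n' && has_n)
            *has_n = 1;
        if (!*q)
            break;                          /* string ended mid-directive */
        p = q;
    }
    return count;
}

int main(void)
{
    /* constructed sample values standing in for a TERM variable */
    const char *benign = "xterm 100%%";
    const char *hostile = "%x%x%n";         /* constructed, not from the post */
    char buf[64];
    int has_n;

    render_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable renders: %s\n", buf);   /* "%%" collapsed to "%" */
    render_safe(buf, sizeof buf, benign);
    printf("safe renders:       %s\n", buf);   /* copied verbatim */

    int c = count_format_directives(hostile, &has_n);
    printf("directives=%d has_n=%d\n", c, has_n);
    return 0;
}
```

    The two render functions differ only in where the untrusted string sits
    in the argument list; that single position is the whole vulnerability.
    The audit helper is a cheap pre-check for values that come from the
    environment or the network before they are logged, and a string that
    scores nonzero is a signal worth alerting on in a suid context like the
    one described above.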
