Exploit 5
by Saul Laufer
_______
Vulnerability:
The format string in target5.c is user supplied. snprintf ensures that the local buffer length cannot be exceeded, but because the format string itself is under user control, snprintf can still be used to overwrite data at an arbitrary address, which leaves the program vulnerable.
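The distinction the paragraph above draws (a length limit that holds, while the format string is still attacker-controlled) is easiest to see with the two idioms side by side. The following is an added example, not code from target5.c or from this write-up; target5.c is not on the page, so the function names, the 128-byte buffer, and the constructed input are assumptions. The vulnerable form hands the user text to snprintf as the format, the hardened form passes a literal "%s" format and the user text as its argument, so nothing in the user text is ever parsed as a directive.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not code from the page). The buffer size and function
 * names are assumptions, since target5.c itself is not shown. */
#define LOG_LEN 128

/* Vulnerable pattern: the caller's text IS the format string, so every
 * '%' directive in it is interpreted by snprintf. The size argument stops
 * a plain buffer overflow but does nothing about the directives.
 * gcc/clang flag this as -Wformat-security (an error by default on some
 * distributions); the pragma only lets the demonstration build, and in a
 * real code base that warning is the finding. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int format_vulnerable(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, user);
}
#pragma GCC diagnostic pop

/* Hardened pattern: the format is a literal and the user text is only ever
 * the argument to %s, so it is copied verbatim and never parsed. */
int format_hardened(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* Returns 1 if the two patterns disagree for `user`, i.e. if snprintf
 * interpreted something in the user text as a directive. */
int directives_were_interpreted(const char *user)
{
    char a[LOG_LEN], b[LOG_LEN];
    format_vulnerable(a, sizeof a, user);
    format_hardened(b, sizeof b, user);
    return strcmp(a, b) != 0;
}

int main(void)
{
    char buf[LOG_LEN];
    /* Constructed input: "%%" is the one directive that consumes no argument
     * and reads nothing, so it shows the difference without undefined
     * behaviour. */
    const char *input = "progress 100%%";

    format_vulnerable(buf, sizeof buf, input);
    printf("vulnerable: %s\n", buf);   /* prints "progress 100%" */
    format_hardened(buf, sizeof buf, input);
    printf("hardened:   %s\n", buf);   /* prints "progress 100%%" */
    return 0;
}
```

The same check the function performs by hand is what the compiler does statically: building with -Wformat -Wformat-security reports every call where the format is not a string literal and no arguments follow it, which is exactly the shape of the vulnerable call.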
Exploit:
From examining foo's frame, we know that the last 6 bytes of our 400-byte buffer must hold the format string and that the first 4 bytes should be the intended address. We then check how many %08x inputs are needed for the stack pointer to reach the address of the local buffer. The goal is to change foo's %eip value. Taking the address 4 bytes after buff and converting it to decimal, we make it smaller until the program stops crashing, working towards an address that points to the byte after %eip.