2

This question relates to: A Eulogy for Format Strings from Phrack (http://www.phrack.org/issues.html?issue=67&id=9)

//File: test.c
//gcc -D_FORTIFY_SOURCE=2 -O2
#include <stdio.h>

int main(void){
  char buf[256];
  fgets(buf, sizeof(buf), stdin);
  printf(buf);   // user input used directly as the format string (the bug under discussion)
  return 0;
}

I don't understand how, in their article, providing a format string like %1$*269168516$ can toggle off the _IO_FLAGS2_FORTIFY bit in the stdout FILE structure.

Is it because when we overflow the integer offset, args_type[offset] can point anywhere in memory, specifically at stdout->_flags2, setting it to 0?

If so, how can we know that we managed to toggle it off? When I try with this code I can't get a segfault as specified in the article. (Compile options: gcc -m32 -z execstack -fno-stack-protector -ggdb -O2 -D_FORTIFY_SOURCE=2 -o prog test.c)

(gdb) disas vprintf
Dump of assembler code for function vprintf:
   0xf7e9ed90 <+0>: push   %ebp
   0xf7e9ed91 <+1>: mov    %esp,%ebp
   0xf7e9ed93 <+3>: push   %ebx
   0xf7e9ed94 <+4>: sub    $0xc,%esp
   0xf7e9ed97 <+7>: mov    0xc(%ebp),%eax
   0xf7e9ed9a <+10>:    call   0xf7f6ac66
   0xf7e9ed9f <+15>:    add    $0x11b255,%ebx
   0xf7e9eda5 <+21>:    mov    %eax,0x8(%esp)
   0xf7e9eda9 <+25>:    mov    0x8(%ebp),%eax
   0xf7e9edac <+28>:    mov    %eax,0x4(%esp)
   0xf7e9edb0 <+32>:    mov    -0x7c(%ebx),%eax
   0xf7e9edb6 <+38>:    mov    (%eax),%eax
   0xf7e9edb8 <+40>:    mov    %eax,(%esp)
   0xf7e9edbb <+43>:    call   0xf7e99a60 <vfprintf>
   0xf7e9edc0 <+48>:    add    $0xc,%esp
   0xf7e9edc3 <+51>:    pop    %ebx
   0xf7e9edc4 <+52>:    pop    %ebp
   0xf7e9edc5 <+53>:    ret
4

1 Answer

0

Is it because when we overflow the integer offset, args_type[offset] can point anywhere in memory, specifically at stdout->_flags2, setting it to 0?

Yes.

If so, how can we know that we managed to toggle it off?

You can test it by using %n in the format string. If it does not error out, then you succeeded.

I can't get the segfault specified in the article

If you mean that feeding it %n does not give you:

*** %n in writable segment detected ***
Aborted

then you do not have _FORTIFY_SOURCE properly enabled to begin with.

Answered 2014-03-07T18:22:33.447
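As an added example, not code from the question, the answer, or the Phrack article: the defensive counterpart to the question's printf(buf) and to the answer's %n check. The helper names count_format_directives, classify_format_input and render_safe are hypothetical. The first walks untrusted text the way printf would, so a reviewer or a log filter can spot directives (including the %n that _FORTIFY_SOURCE refuses and the positional "$" form the question's payload uses) before the text ever reaches a format argument; the last is the actual fix, passing the text as an argument to a fixed format so its '%' characters are never interpreted. The sample input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: count printf conversion directives in untrusted text.
 * Sets *has_n when a "%n" conversion appears and *has_dollar when a positional
 * parameter ("$") appears. "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s, int *has_n, int *has_dollar)
{
    int count = 0;
    *has_n = 0;
    *has_dollar = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" -> literal '%' */
            p++;
            continue;
        }
        count++;
        const char *q = p + 1;
        while (*q && strchr("-+ #0'", *q))              /* flags */
            q++;
        while (*q && (isdigit((unsigned char)*q) || *q == '*' ||
                      *q == '$' || *q == '.')) {        /* width, precision, '$' */
            if (*q == '$')
                *has_dollar = 1;
            q++;
        }
        while (*q && strchr("hlLqjzt", *q))             /* length modifiers */
            q++;
        if (*q == 'n')
            *has_n = 1;
        if (*q)
            p = q;                  /* resume after the conversion character */
        else
            break;                  /* directive runs to the end of the string */
    }
    return count;
}

/* Bitmask summary: 1 = any directive, 2 = "%n" present, 4 = positional "$" present. */
int classify_format_input(const char *s)
{
    int has_n, has_dollar;
    int n = count_format_directives(s, &has_n, &has_dollar);
    return (n ? 1 : 0) | (has_n ? 2 : 0) | (has_dollar ? 4 : 0);
}

/* The fix for printf(buf): untrusted text is an argument to a fixed format, so
 * nothing in it is parsed as a directive. Returns snprintf's length result. */
int render_safe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

int main(void)
{
    char buf[256];
    char out[256];
    /* Constructed sample standing in for the question's fgets() line when stdin is empty. */
    const char *sample = "%1$*269168516$";
    if (!fgets(buf, sizeof buf, stdin))
        snprintf(buf, sizeof buf, "%s", sample);
    buf[strcspn(buf, "\n")] = '\0';
    int mask = classify_format_input(buf);
    if (mask)
        fprintf(stderr, "input carries format directives%s%s\n",
                (mask & 2) ? ", including %n" : "",
                (mask & 4) ? ", with positional arguments" : "");
    render_safe(out, sizeof out, buf);   /* echo the text without interpreting it */
    puts(out);
    return 0;
}
```

Run it as the question does (echo a payload into it): the stderr line reports what the scanner found, and the text is echoed back verbatim instead of being parsed, which is the whole difference between printf(buf) and printf("%s", buf). The scanner is a review or logging aid, not a substitute for that fix.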