format string exploit

Robert Connolly robert at linuxfromscratch.org
Wed Aug 2 18:30:59 PDT 2006


Attached is a format string exploit, from libsafe. The gcc2/3 ssp series would 
abort this code if I remember correctly, gcc4's ssp does not, and neither 
does anything else...

gcc-4.1.1, glibc-2.4...
 
gcc -o canary-exploit -D_FORTIFY_SOURCE=2 \
	-fstack-protector-all -fmudflap -lmudflap canary-exploit.c
$ ./canary-exploit
This program tries to use printf("%n") to overwrite the
return address on the stack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-3.1$

Do any of you have gcc3 ssp to confirm this code is aborted 
with -fstack-protector-all, and drops to shell with -fno-stack-protector-all? 
This code has assembly; you need to pass -no-pie too. I clearly remember 
stopping using libsafe because ssp aborted all the same exploits libsafe 
would and more.

robert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: canary-exploit.c
Type: text/x-csrc
Size: 2122 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060802/6f29424c/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060802/6f29424c/attachment.sig>
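The exploit in the attachment works because a printf family function is handed a format string the attacker controls, and %n is the one conversion that writes to memory. The following is an added defensive example, not code from Robert's message, from libsafe, or from the attached canary-exploit.c: a small audit of printf-style format strings that a reviewer or a logging wrapper can apply before a format reaches printf, shown next to the bug pattern and its fix. The function names (audit_format, format_is_safe, log_unsafe, log_safe) and the sample formats are my own, constructed for the demonstration; the check is static and complements, rather than replaces, the runtime %n rejection that glibc's _FORTIFY_SOURCE=2 performs on writable format strings.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Result of auditing one printf-style format string. */
struct fmt_audit {
    int conversions;  /* conversions (and '*' widths/precisions) that consume an argument */
    int writes;       /* occurrences of %n, the only conversion that writes to memory */
    int malformed;    /* 1 if a % sequence is incomplete, unknown, or positional (%1$s) */
};

/* Walk the format the way printf does: '%' [flags] [width] [.precision]
 * [length] conversion.  Positional parameters are rejected as unsupported,
 * the conservative choice for an allow-list check. */
struct fmt_audit audit_format(const char *fmt)
{
    struct fmt_audit a = {0, 0, 0};
    const char *p = fmt;

    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;
        if (*p == '%') { p++; continue; }                 /* "%%" prints a literal '%' */
        while (*p && strchr("-+ #0'", *p)) p++;           /* flags */
        if (*p == '*') {                                  /* width taken from an argument */
            a.conversions++;
            p++;
        } else {
            while (isdigit((unsigned char)*p)) p++;       /* literal width */
            if (*p == '$') { a.malformed = 1; break; }    /* positional form: not handled */
        }
        if (*p == '.') {                                  /* precision */
            p++;
            if (*p == '*') {
                a.conversions++;
                p++;
            } else {
                while (isdigit((unsigned char)*p)) p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p)) p++;          /* length modifiers */
        if (*p == '\0') { a.malformed = 1; break; }       /* lone '%' at end of string */
        if (*p == 'n') {
            a.writes++;
            a.conversions++;
        } else if (strchr("diouxXeEfFgGaAcsp", *p)) {
            a.conversions++;
        } else {
            a.malformed = 1;
        }
        p++;
    }
    return a;
}

/* Policy: a format is acceptable only if it is well formed, writes nothing
 * (no %n), and consumes no more arguments than the caller supplied. */
int format_is_safe(const char *fmt, int nargs_supplied)
{
    struct fmt_audit a = audit_format(fmt);
    return !a.malformed && a.writes == 0 && a.conversions <= nargs_supplied;
}

/* The bug the attached exploit relies on: untrusted text used as the format.
 * Kept only as the 'before' form for comparison; nothing here calls it. */
void log_unsafe(const char *untrusted)
{
    printf(untrusted);
}

/* The fix: the format is a string literal and the untrusted text is an argument. */
void log_safe(const char *untrusted)
{
    printf("%s\n", untrusted);
}

int main(void)
{
    /* Constructed inputs: a legitimate format and an attacker-style one. */
    const char *good = "%s: %d bytes\n";
    const char *bad  = "%x%x%x%n";

    printf("%-16s safe=%d\n", good, format_is_safe(good, 2));
    printf("%-16s safe=%d\n", bad,  format_is_safe(bad, 0));
    log_safe(bad);   /* printed verbatim, never interpreted as a format */
    return 0;
}
```

The audit is deliberately strict: anything it does not recognise counts as malformed, so an unusual but legitimate format is rejected rather than an unusual malicious one being accepted. In practice the cheapest fix is the one in log_safe; the audit is for code paths where the format genuinely has to be data, such as message catalogues.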