format string exploit

thorsten fly_b747 at gmx.de
Tue Aug 8 08:32:47 PDT 2006


> Do any of you have gcc3 ssp to confirm this code is aborted
> with -fstack-protector-all, and drops to shell with
-fno-stack-protector-all?
> This code has assembly, you need to pass -no-pie too. I clearly remember
> stopping using libsafe because ssp aborted all the same exploits libsafe
> would and more.
>
> robert

I have gcc-3.4.5 ssp, tried the exploit. The first tries have been
bailed out by my grsec kernel (which in general is a good thing but this
time was not intended  ;-)  ).
My second tries with a reguar kernel just gave a segmentation fault, no
shell regardless of -fno-stack-protector or not. I will have a closer
look within the next 1 or two days, keep you updated.

thorsten




More information about the hlfs-dev mailing list