Format String Vulnerabilities: The Complete Documentation
- This category contains 3 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
Exploiting Format String Vulnerabilities
Published on 2001-03-17, by scut, ©team-teso.
This article explains the nature of a phenomenon that shocked the security community in the second half of the year 2000. Known as 'format string vulnerabilities', a whole new class of vulnerabilities was disclosed and caused a wave of exploitable bugs to be discovered in all kinds of programs, ranging from small utilities to big server applications.
File infos:
- L0T3K ID: docs-1239
- status: online
- source: www.team-teso.net
Exploiting non-classical format string vulnerability
Published on 2006, by darkeagle, ©55k7 researcherz.
One day, I was researching some popular Open-Source Unix daemon, and I found a format string vulnerability in this daemon. There was a vulnerable call of the "sprintf()" function. I was trying to exploit it. But when I put some evil string like "AAAA.%x.%x.%x.%x.%x.%x.%x.%x" to the daemon, I got this type of answer: "bla_bla_bla AAAA.addrz_addrz_addrz_2e334141". I was preparing to exploit it trivially with the classical method. I added two "A" at the start to align the offset and tried to exploit. But when I attached to the child process I saw that the EIP register pointed to 0x99ffe9fa instead of 0xbfffd5fa. Later I was googling for information about how to exploit this situation. All I found was a paper on Pascal's method of exploiting format strings. His paper wasn't about exploiting my situation, but with help from his paper I could exploit the daemon. But... His method wasn't so unique, and Pascal wrote that his method is hard to understand. So, I started to explore a simpler way to exploit this situation. And I found it! This paper simply describes my method. I'll show you some examples on REAL vulnerabilities. I will show local and remote methods of how to exploit a non-classical format string vulnerability.
Just go, yo!
File infos:
- L0T3K ID: docs-1869
- status: online
- source: www.unl0ck.net
Format String Attacks
Published on 2000, by Tim Newsham.
I know it has happened to you. It has happened to all of us, at one point or another. You’re at a trendy dinner party, and amidst the frenzied voices of your companions you hear the words format string attack.
Format string attack? What is a format string attack? you ask. Afraid of having your ignorance exposed among your peers, you decide instead to break an uncomfortable smile and nod in hopes of appearing to be in the know. If all goes well, a few cocktails will pass and the conversation will move on, and no one will be the wiser. Well, fear no more! This paper will cover everything you wanted to know about format string attacks but were afraid to ask!
File infos:
- L0T3K ID: docs-1870
- status: offline
- source: www.lava.net
Created: 2004-12-19 22:26 | Modified: 2007-03-26 00:18 | Size: 9959 octets