So the answer to Monday's problem is a format string vulnerability. To solve the problem the line should be written as follows, so the user-controlled argument is passed as a value for a fixed "%s" format rather than as the format itself:
syslog(LOG_INFO, "%s", argv[1]);
Now what can be done with this is quite a lot. Enter the following:
./logit $(perl -e 'print "%08X:"x100')
and then look at your system logs. What you are looking at is a dump of the program's stack. But you can get read access to any area of memory the process is allowed to read. So on my system, which is an AMD64 system, if I run the following:
./a.out $(perl -e 'print "%08x:" x 50 . "%s"')
and view syslog, I see:
Apr 2 11:37:52
Or more directly, without using perl:
Apr 2 12:09:57
Which has my PATH variable in it. So I am able to read anyplace I want in memory, but what about writing? Well, it turns out I can do that as well. Using %n, we can write the number of bytes output so far to an associated memory address. I'll leave that as an exercise for the reader though. Or maybe, if I can't think of anything else to post, I'll do a write-up on that as well.
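As an added example, not the original logit program or the author's code: the fixed "%s" form from above, beside a small detector a defender could run over syslog lines to spot probes like the "%08x:" runs shown in this post. The hostname, the sample log lines and the four-directive threshold are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example for this post; not the author's logit program.
 * The sample log lines below are constructed in the style of the
 * post's syslog output. */

/* Safe counterpart of the fixed line: the untrusted string is an
 * argument to a fixed "%s" format, so any '%' it contains is copied
 * literally. The vulnerable form would be snprintf(out, outsz, untrusted),
 * the same mistake as syslog(LOG_INFO, argv[1]) in the original problem. */
int log_line_safe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Count printf conversion directives in a string, parsed the way printf
 * would see them, and report whether the write directive %n appears.
 * "%%" is a literal percent sign and is skipped. */
size_t count_format_directives(const char *s, bool *has_write)
{
    size_t count = 0;
    *has_write = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                     /* "%%" */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.$*hlLqjzt", *p))
            p++;
        if (!*p)
            break;                        /* lone '%' at end of string */
        if (strchr("diouxXeEfFgGaAcspn", *p)) {
            count++;
            if (*p == 'n')
                *has_write = true;
        }
    }
    return count;
}

/* Heuristic chosen for this example (an assumption, not a standard):
 * a line carrying %n, or four or more conversions, looks like a probe. */
#define PROBE_THRESHOLD 4

bool is_format_probe(const char *line)
{
    bool has_write;
    size_t n = count_format_directives(line, &has_write);
    return has_write || n >= PROBE_THRESHOLD;
}

/* Constructed sample lines; the hostname and messages are made up. */
static const char *const SAMPLE_LOG[] = {
    "Apr  2 11:37:52 host logit: %08x:%08x:%08x:%08x:%08x:%s",
    "Apr  2 12:09:57 host logit: disk usage at 80%",
    "Apr  2 12:10:30 host logit: progress 50%% done",
    "Apr  2 12:12:00 host logit: %n",
};

int main(void)
{
    char buf[64];
    log_line_safe(buf, sizeof buf, "%08x:%s");
    printf("safe logging kept the input literal: %s\n", buf);

    for (size_t i = 0; i < sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]; i++)
        printf("%s  %s\n", is_format_probe(SAMPLE_LOG[i]) ? "PROBE" : "ok   ",
               SAMPLE_LOG[i]);
    return 0;
}
```

The counter deliberately parses like printf, so a benign "80% full" counts as one "% f" directive; the threshold keeps that from being flagged while a run of "%08x:" or any "%n" is. Compiling the original program with GCC's or Clang's -Wformat -Wformat-security would also have warned about the non-literal format string at build time.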