Not directly related to this repository, but I've found several editing issues inside the Lab 12-6 section:
The figure has no 'Figure' tag (same goes for the figure in the previous lab). Not a big deal though; however, there are two description errors inside the diagram. The third field after the buffer is written as '%3$n', which doesn't match the format string '%6$n' used later in the FMTSTR environment variable. Note that both the third direct parameter and the sixth are working on my setup, but mixing both can be a little bit confusing.
Also I think the figure's arrow 'Saved EIP' points to 'Addr of execl()' and not to 'Addr of printf()' as it should be. As soon as the overflow in the vulnerable function occurs, the first call should be to 'printf()' and not to 'execl()'.
Also the arrow to 'Return Address After printf()' should point to 'Addr of execl()', as it's the second function to call after printf().
A bit further, the code block showing the use of environment variables and the execution of './getenv' is a bit wrong. As the utility has been renamed to report the correct env variable addresses, it should be called './gtenv', as below:
$ export FMTSTR="%6\$n"
$ echo $FMTSTR
%6$n
$ ./gtenv FMTSTR
FMTSTR is located at 0xffffdf18
$ export WRAPPER="./wrapper"
$ echo $WRAPPER
./wrapper
$ ./gtenv WRAPPER
WRAPPER is located at 0xffffdf13
As a side note, I do confirm the successful exploitation on amd64:
The only change made is to compile 'vuln2.c', 'wrapper.c' and 'getenv.c' using the '-m32' gcc flag.
Regards
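To make the two points in the report concrete, here is a small added C example; it is not code from the issue, from the lab, or from this repository. It shows what the direct-parameter conversion '%6$n' actually does when every argument is supplied by the caller (so the write lands in a variable the program owns), a hypothetical reimplementation of what the lab's gtenv utility reports (the address getenv() returns for a variable; the real utility's arithmetic is not on this page), and the hardened pattern that keeps untrusted text out of the format string so a value like "%6$n" is copied literally and performs no write. Function names, the sample FMTSTR value and the filler arguments are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Direct parameter access: "%6$n" stores the number of bytes produced so far
   into the 6th argument. Every argument here comes from the caller, so the
   write goes into a variable we own and no user input reaches the format. */
int bytes_written_via_sixth_param(void) {
    char out[64];
    int hits = -1;
    /* All conversions are numbered: POSIX forbids mixing "%d" with "%6$n".
       The five filler integers are constructed sample arguments. */
    snprintf(out, sizeof out, "%1$d %2$d %3$d %4$d %5$d%6$n", 1, 2, 3, 4, 5, &hits);
    return hits;  /* "1 2 3 4 5" is 9 bytes, so hits is 9 */
}

/* Hypothetical stand-in for the lab's gtenv utility: the address of an
   environment variable's value as getenv() reports it, or NULL if unset. */
const char *env_value_address(const char *name) {
    return getenv(name);
}

/* Hardened rendering: the untrusted string is passed as an argument, never as
   the format, so a value such as "%6$n" is copied literally and writes nothing.
   Returns the number of bytes that the rendering produced. */
int render_untrusted(const char *untrusted, char *out, size_t out_len) {
    return snprintf(out, out_len, "%s", untrusted);
}

int main(void) {
    char buf[32];
    setenv("FMTSTR", "%6$n", 1);  /* constructed sample, mirroring the lab's variable */
    printf("%%6$n stored %d\n", bytes_written_via_sixth_param());
    printf("FMTSTR is located at %p\n", (const void *)env_value_address("FMTSTR"));
    render_untrusted(env_value_address("FMTSTR"), buf, sizeof buf);
    printf("rendered literally: %s\n", buf);
    return 0;
}
```

Compiled with '-m32' as the report describes, the printed address is a 32-bit stack/environment address; the behaviour of the three functions does not change between 32-bit and 64-bit builds, which is the point: the format conversion, not the architecture, decides whether a write happens.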