Code:
char str[20];
sprintf(str,"%d\n",getpid());
write(fd,str,strlen(str)); /* record pid to lockfile */
// leave file open, so nobody else can lock it
return true;
I'm not as familiar with C++ as I am with C, but I looked up sprintf and saw it is exactly like printf, except that it writes its results to a string instead of stdout. Plus it doesn't look like any kind of bounds are set to protect anyone from feeding "char str[20];" more than it can hold. Did some nice experimenting with `perl -e 'print "A" x 21'` and got an error box from the application saying this was either a corrupted file or not a valid file type. Tried many, many different sequences in that little perl string but never got a segmentation fault. (Possibly because this app is in C++, not C?) But I fired it up inside gdb (Linux debugger) and when I used the list command it pointed exactly to the line with sprintf that I have listed in the code above. I can even set a breakpoint on it, but it doesn't seem to matter. I can't seem to get eip?
Code:
Breakpoint 1 at 0x80621e7: file /tmp/build/xxx/main.cpp, line 61.
(gdb) run `perl -e 'print "A" x 600'`
Starting program: /usr/bin/xxx `perl -e 'print "A" x 600'`
[Thread debugging using libthread_db enabled]
[New Thread 0xb5e6b6c0 (LWP 21085)]
Program exited normally.
(gdb) info reg eip
The program has no registers now.
(gdb)
What can I do to find eip? Or am I just chasing my tail? (Not exploitable?)
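An added example, not code from the post or from the application being debugged, showing the bounded form of that sprintf call: snprintf into the same 20-byte buffer with its return value checked for truncation, and a pipe round-trip so the written line can be inspected. One point relevant to the question of whether str can be overrun: the only data formatted into it is the value returned by getpid(), not the file or argument handed to the program, and a pid in decimal is far shorter than 20 bytes. The truncation check is still the general pattern worth using for any fixed buffer. The function names format_pid_line, record_pid and the two demo helpers are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Format "<pid>\n" into buf (capacity cap) with the bounded snprintf.
 * Returns the number of characters written (excluding the NUL), or -1 if
 * the buffer was too small. Unlike sprintf, snprintf never writes more
 * than cap bytes, and its return value tells us whether truncation occurred. */
int format_pid_line(char *buf, size_t cap, long pid)
{
    int n = snprintf(buf, cap, "%ld\n", pid);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            buf[0] = '\0';          /* leave a valid empty string on failure */
        return -1;
    }
    return n;
}

/* Hardened counterpart of the snippet quoted in the post: record our pid
 * in an already-open lockfile descriptor. Returns true on success. */
bool record_pid(int fd)
{
    char str[20];
    int n = format_pid_line(str, sizeof str, (long)getpid());
    if (n < 0)
        return false;               /* would have been truncated: refuse */
    ssize_t w = write(fd, str, (size_t)n);
    return w == n;
}

/* Demo: a deliberately tiny buffer (constructed case) makes the check fire. */
bool demo_truncation_detected(void)
{
    char tiny[4];
    int n = format_pid_line(tiny, sizeof tiny, 21085); /* needs 7 bytes */
    return n == -1 && tiny[0] == '\0';
}

/* Demo: write through a pipe and read the line back to confirm the format. */
bool demo_pipe_roundtrip(void)
{
    int p[2];
    if (pipe(p) != 0)
        return false;
    bool ok = record_pid(p[1]);
    close(p[1]);
    char back[32] = {0};
    ssize_t r = read(p[0], back, sizeof back - 1);
    close(p[0]);
    if (!ok || r <= 0)
        return false;
    return strtol(back, NULL, 10) == (long)getpid() && back[r - 1] == '\n';
}

int main(void)
{
    printf("truncation detected on 4-byte buffer: %s\n",
           demo_truncation_detected() ? "yes" : "no");
    printf("pid line round-trip through pipe: %s\n",
           demo_pipe_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The write of a too-small buffer is refused rather than silently cut short, which is the behaviour you want for a lockfile: a partial pid is worse than no entry at all.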