Table of contents (recovered from the PDF outline; the document body itself is not present on this page)

1 Introduction
1.1 Buffer Overflows vs. Format String Vulnerabilities
1.2 Statistics: important format string vulnerabilities in 2000
2 The format functions
2.1 How does a format string vulnerability look like?
2.2 The format function family
2.3 Use of format functions
2.4 What exactly is a format string?
2.5 The stack and its role at format strings
3 Format string vulnerabilities
3.1 What do we control now?
3.2 Crash of the program
3.3 Viewing the process memory
3.3.1 Viewing the stack
3.3.2 Viewing memory at any location
3.4 Overwriting of arbitrary memory
3.4.1 Exploitation - similar to common buffer overflows
3.4.2 Exploitation - through pure format strings
4 Variations of Exploitation
4.1 Short Write
4.2 Stack Popping
4.3 Direct Parameter Access
5 Brute Forcing
5.1 Response Based Brute Force
5.2 Blind Brute Forcing
6 Special Cases
6.1 Alternative targets
6.1.1 GOT overwrite
6.1.2 DTORS
6.1.3 C library hooks
6.1.4 __atexit structures
6.1.5 function pointers
6.1.6 jmpbuf's
6.2 Return into LibC
6.3 Multiple Print
6.4 Format string within the Heap
6.5 Special considerations
7 Tools
7.1 ltrace, strace
7.2 GDB, objdump