How to write a value to an address in a format string

I am taking a security course that requires us to perform a format string attack on a Unix virtual machine. The vulnerability is a format string taken from a command-line argument.

My question is, how can I write a value to an address in a format string (for example, write the address of a shell code to a function return address)?

For example, I'm trying to write the value 987654 to the address of the return address 0xaabbccdd. I tried several strings, for example "AAAA_%10$x", and this may lead to the program printing AAAA_41414141.

Then I replace the letters with my address and try to rewrite it.

"\xdd\xcc\xbb\xaa_%10$x_%54321x_%n"

But that will not work. I see that the article says that I should use a lower number in %54321x, as there are some characters that I already wrote, but I do not know how many characters I wrote before %54321x.

Note: the environment has an old version of gcc, so there is no need to worry about the value being too large. Any suggestions? Thanks.

+7
3 answers

printf cannot write anywhere without using the %n format specifier. This is the one you are missing. Something like %.987654d%n will write the number 987654 (the number of characters printed so far) to the address indicated by the second argument, where the first argument is int. That should be enough to get you started.

+3

A format string vulnerability is used by changing the print format string of the printf function and entering its values in the right place in memory. Please read this blog to learn how to do it.

0

You must specify the stack offset for writing with the %n formatter, for example %[offset]\$n

Example: %23\$n

Be sure to return the correct address by running the result "\xdd\xcc\xbb\xaa_%54321x_%[offset]\$x"; this can be done using a Python or bash script.

You should get the address aabbccdd.

0
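The %n behaviour described in the first answer, shown next to the hardened call, as an added example that is not part of the original thread. The function names count_at_n, render_untrusted and has_directive are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Legitimate %n: the format is a literal and the int* is passed by the
   caller. %n stores how many characters were produced before it. */
static int count_at_n(const char *tag, int width)
{
    char out[256];
    int written = -1;
    /* tag, '_', an int padded to `width` columns, then %n */
    snprintf(out, sizeof out, "%s_%*d%n", tag, width, 7, &written);
    return written;
}

/* Hardened call: untrusted text is data for "%s", never the format, so
   directives inside it are copied literally and not interpreted.
   (gcc flags format-as-data mistakes with -Wformat -Wformat-security.) */
static int render_untrusted(const char *untrusted, char *out, size_t cap)
{
    return snprintf(out, cap, "%s", untrusted);
}

/* Detection aid: does the text contain a conversion specification,
   i.e. a '%' that is not the literal "%%"? */
static int has_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') return 1;
    }
    return 0;
}

int main(void)
{
    char out[64];
    const char *input = "AAAA_%10$x_%n";   /* constructed sample input */

    printf("count stored by %%n: %d\n", count_at_n("AAAA", 10));
    render_untrusted(input, out, sizeof out);
    printf("directive present: %d, rendered literally: %s\n",
           has_directive(input), out);
    return 0;
}
```

The count is the sum of everything emitted before %n: 4 characters for the tag, 1 for the underscore, and the padded field width.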