Buffer overflow using snprintf
Solution 1
The "\xa0\xfb\xff\xbf" should not be the address of buf, but rather the location of the return address on the stack (which is the value you wish to overwrite). You'll have to find that value using gdb.
You then need to put enough %x in your format string such that your %n will read that value off the stack and write to the address you specified. You also need to use the correct field sizes such that %n will actually write the correct value.
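An added illustration, not code from the question or from either answer: the assignment's choc() beside a hardened form that passes arg as data rather than as the format string, plus a hypothetical helper that counts conversion directives in untrusted input (useful for logging or rejecting such input before it reaches a formatting call).

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form from the question: arg is used directly as the format
 * string, so any %x / %n it contains is interpreted by snprintf. */
int choc_vulnerable(char *arg, char *out, size_t outlen)
{
    return snprintf(out, outlen, arg);
}

/* Hardened form: the format string is a literal and arg is passed as data,
 * so conversion specifiers inside arg are copied, never interpreted. */
int choc_fixed(const char *arg, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", arg);
}

/* Detection helper (hypothetical, not part of the assignment): count the
 * conversion directives in untrusted text; "%%" is a literal percent sign. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the escaped percent */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample input; the bytes are placeholders, not real addresses. */
    const char *probe = "AAAA_%x.%x.%n";
    char out[400];
    choc_fixed(probe, out, sizeof out);
    printf("fixed output: %s (directives in input: %d)\n",
           out, count_format_directives(probe));
    return 0;
}
```

With the hardened form the probe string comes back unchanged, which is the behaviour the assignment's choc() lacks.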
Solution 2
The vulnerability you are trying to exploit is called a format string vulnerability. For further investigation on this topic I would recommend THIS link or the book called "Hacking: The Art of Exploitation".
Catie
Updated on June 04, 2022
Comments
-
Catie about 2 years
This is an assignment but I am having problems with the basic understanding.
The vulnerable code:
    int choc(char *arg)
    {
        char buf[400];
        snprintf(buf, sizeof buf, arg);
        return 0;
    }
I understand that arg needs to be a format string which will overwrite the return address with the address of the code I want to execute. But I am having trouble creating the format string.
So, things which the format string needs to have:
- the address of the return instruction, which I need to overwrite
- A list of %x
- The value which I would write on the return address. This would be the address of the code I want to execute.
In order to get the return address, I just need to look at the address of the 'ret' instruction in gdb right? What exactly is the purpose to the %x? And how do I encode the address of the code I want to execute in the format string?
A test I did: Using gdb I found that the address of my buf is 0xbffffba0. I generated arg to be "\xa0\xfb\xff\xbf_%x.%x.%n"; Shouldn't this write some value to the start of the buff at the address 0xbffffba0? However I get a segfault. What am I doing wrong?
Any help would be appreciated!
-
Catie about 12 years: Yes, I read that link. And I believe I am doing exactly what it is telling me to. However, instead of writing to buff, I get a segfault. Not sure why.
-
div about 12 years: Well, I'm not sure, but your problem is probably connected with some exploit countermeasures that are built into newer versions of Linux, such as a "non-executable stack".
-
bta about 12 years: @Catie - It's possible that you're going too far and causing snprintf to access memory past the end of the stack. Step through the function on the assembly level and you should be able to see if this is the problem.
-
Catie about 12 years: Thanks! So is the return address saved in %eip? In gdb, I did 'info frame' and saw the saved address of %eip, and created a string the same as above, just with that address swapped in. Always a seg fault. I am just trying to make it write anywhere without a seg fault (that is why I chose the start of the buff).