How to write value into an address in format string attack
printf cannot write anywhere without using the %n format specifier. This is the one you're missing. Something like %.987654d%n will write the number 987654 (the number of characters output so far) to an address specified by the second argument, where the first argument is an int. This should be enough to get you started.
Admin, updated on June 23, 2022
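Added example C code (written for this page, not from the question, the answer or any course material): the first function shows what %n actually counts, writing into a local int through a constant format, and the second is the defender's gate for the printf(argv[1]) pattern described in the question. The buffer size, function names and sample inputs are my assumptions.

```c
#include <stdio.h>
#include <stdbool.h>

/* What %n records: the number of characters emitted so far by this call,
 * stored into the int the matching argument points to. That is why the
 * answer's "%.987654d%n" stores 987654 plus whatever preceded it, and why
 * the count for the question's "%54321x" must include the bytes written
 * before it. Here the destination is our own local int and the format is
 * a string literal, so this is ordinary, well-defined use of printf. */
int chars_before_n(const char *prefix, int zero_digits)
{
    char buf[4096];            /* large enough for the counts tested below */
    int written = -1;
    /* "%.*d" prints the value 0 padded to zero_digits digits, then %n
     * stores strlen(prefix) + zero_digits into `written`. */
    snprintf(buf, sizeof buf, "%s%.*d%n", prefix, zero_digits, 0, &written);
    return written;
}

/* The bug in the question is printf(argv[1]): the input *is* the format.
 * The fix is printf("%s", argv[1]), so the format is a constant and user
 * data can only ever fill a %s. For legacy paths where the format cannot
 * be made constant, this gate rejects any string carrying a conversion
 * (a '%' that is not part of the literal "%%"), so %x, %n, %10$x and the
 * like never reach the formatter. */
bool has_conversion(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {     /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return true;           /* any other '%' starts a conversion */
    }
    return false;
}

/* Print user text only when it is provably plain; the format is a
 * constant either way, the gate just makes the refusal observable. */
bool log_user_text(const char *user_input)
{
    if (has_conversion(user_input))
        return false;          /* refused: would have been interpreted */
    printf("%s\n", user_input);
    return true;
}
```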
-
Admin almost 2 years
I'm taking a security course which needs us to do a format string attack on a Unix virtual machine. The vulnerability is a format string using a command line argument.
My question is how can I write a value into an address in a format string (like writing the shell code address into the function return address)?
For example, I try to write the value 987654 into the return address location 0xaabbccdd. I tried some strings like "AAAA_%10$x", and this can lead the program to print AAAA_41414141. Then I replace the letters with my address and try to overwrite it:
"\xdd\xcc\xbb\xaa_%10$x_%54321x_%n"
But it does not work. I see an article that says I should use a smaller number in %54321x since there are some chars I already wrote, but I don't know how many chars I've written before %54321x, either.
Note: The environment has an old version of gcc, so it's not necessary to worry about the value being too large. Any suggestions? Thanks.
-
Oliver Charlesworth over 13 years
sprintf writing to a char buffer on the stack could also be used to do malicious damage...
-
R.. GitHub STOP HELPING ICE over 13 years
@Oli: yes but that's not a format string attack, which OP's assignment seems to be about...
-
R.. GitHub STOP HELPING ICE over 13 years
I hardly call that a format string vuln, merely an ordinary strcpy buffer overflow. The fact that sprintf is being used instead of strcpy is rather incidental.