Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Format strings and using %n to overwrite memory address with specific value

I am reading about and trying to learn format string vulnerabilities. I have a vulnerable function and I understand the gist of what I have to do with my format string.

Basically, this is what I want to do. Pass in my format string which contains some shellcode as part of it. I also need to format my string so that the return address of the vulnerable function gets replaced so that it points to my shellcode on the stack. Hence, when the function returns, it will jump to my shellcode on the stack and open a shell.

Currently, I am at the point where I can see my shellcode on the stack, and I am able to write to the return address to change it. Problem is, I am using %n as my way of overwriting the return address and am not sure how to get %n to overwrite with a specific value. Of course, %n simply prints the number of bytes written so far to the specified address on the stack. I've read a couple of things on how you can manipulate %n to write the exact address/value you want, but I am lost on how to do that.

Can anyone shed some light?

Edit: I've tried padding my format string with things such as '%500d" and "%.500d" as well as "%nu" for some n values. (I've tried much smaller values as well) but that just brings about a segmentation fault.

To clear up some confusion, here's a quick example I wrote in response to a comment:

Okay, I'll try to be a little more clear. I have a vulnerable program. The vulnerable point is "printf(input);". I want to exploit this by passing in a format string. Now for example, I have a format string

"\x0c\xde\xbf\xff%08x.%08x.%08x.%08x.%08x.%08x.%n" 

This format string, when passed into the vulnerable function, will overwrite the memory address of 0xffbfde0c with the number of bytes written. I am looking to find out how I can modify that format string so that I can make %n overwrite with a specific value by somehow padding the number of bytes written before the %n.

like image 314
Tesla Avatar asked Oct 03 '13 18:10

Tesla


People also ask

What is %p format string?

The percent ("P") format specifier multiplies a number by 100 and converts it to a string that represents a percentage. The precision specifier indicates the desired number of decimal places.

What is a formatting string?

String formatting is also known as String interpolation. It is the process of inserting a custom string or variable in predefined text.

What is formatting string in C?

The Format specifier is a string used in the formatted input and output functions. The format string determines the format of the input and output. The format string always starts with a '%' character.

Why do we use formatting string?

Format provides give you great flexibility over the output of the string in a way that is easier to read, write and maintain than just using plain old concatenation. Additionally, it's easier to get culture concerns right with String.


1 Answers

The only way to get %n to write a number is to make printf print this number of characters. To get to any pointer's value, you'll need to print many many bytes.

The easiest way is something like %999999s.

Also, it may be easier to try to direct the return value to some function (AKA "return to libc"), because code typically resides in relatively low addresses.

like image 133
ugoren Avatar answered Oct 02 '22 13:10

ugoren