I'm taking a security course which needs us to do format string attack on an unix virtual machine. The vulnerability is a format string using command line argument.
My question is how can I write value into an address in format string (like write shell code address into function return address)?
For example, I try to write value 987654 into the return address location 0xaabbccdd.
I tried some strings like "AAAA_%10$x", and this can lead the program to print AAAA_41414141.
Then I replace the letters with my address and try to overwrite it.
"\xdd\xcc\xbb\xaa_%10$x_%54321x_%n"
But it does not work. I saw an article that says I should use a smaller number in %54321x since I have already written some chars, but I don't know how many chars I've written before %54321x either.
Note: The environment has an old version of gcc, so it's not necessary to worry about the value being too large. Any suggestions? Thanks.
Format string attacks alter the flow of an application. They use string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data is used directly as the format string input for certain C/C++ functions (e.g., fprintf, printf, sprintf, setproctitle, syslog, ...).
What is the use of %n in printf()? In the C language, %n is a special format specifier. It causes printf() to load the variable pointed to by the corresponding argument. The loading is done with a value equal to the number of characters printed by printf() before the occurrence of %n.
2) %hn means to not write an integer (4 bytes usually), but only a short value (usually 2 bytes) at the given address. It is easier to write two 2-byte values with this method instead of one 4-byte value, since you would have to print up to 4M chars to write the value you want.
printf cannot write anywhere without using the %n format specifier. This is the one you're missing. Something like %.987654d%n will write the number 987654 (the number of characters output so far) to an address specified by the second argument, where the first argument is an int. This should be enough to get you started.
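As an added illustration of the counting rule both answers rely on (this is not code from the question or either answer), the following program feeds a fixed format string with an explicit pointer to a local variable, so it shows the mechanism rather than the bug: how many characters the prefix already contributed, what field width the padded conversion then needs, and why %hn keeps only 16 bits of the count. The function names and the "AAAA_" prefix are assumptions chosen for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Field width the padded conversion in front of %n needs so that %n stores
 * `target`, given the `prefix_len` characters the format already printed
 * (the address bytes and separators in the question). The conversion itself
 * prints at least one character, so target must exceed prefix_len. */
long width_for_target(unsigned long prefix_len, unsigned long target) {
    if (target <= prefix_len) return -1;
    return (long)(target - prefix_len);
}

/* Runs a fixed format whose %n target is an explicit local variable (no
 * user-controlled format, so this is the mechanism, not the bug) and returns
 * what %n stored. Output goes to /dev/null because it can be very long. */
unsigned long demo_n_write(const char *prefix, unsigned long target) {
    int stored = -1;
    long width = width_for_target(strlen(prefix), target);
    FILE *sink = fopen("/dev/null", "w");
    if (width < 0 || !sink) { if (sink) fclose(sink); return 0; }
    /* %*x takes `width` from the argument list and pads the value 0 to that
     * many characters; %n then receives strlen(prefix) + width. */
    fprintf(sink, "%s%*x%n", prefix, (int)width, 0u, &stored);
    fclose(sink);
    return (unsigned long)stored;
}

/* Same run with %hn: the pointer is a short *, so only the low 16 bits of
 * the character count are stored, which is why the first answer suggests
 * two 2-byte writes instead of one 4-byte write needing millions of chars. */
unsigned short demo_hn_write(const char *prefix, unsigned long target) {
    short stored = -1;
    long width = width_for_target(strlen(prefix), target);
    FILE *sink = fopen("/dev/null", "w");
    if (width < 0 || !sink) { if (sink) fclose(sink); return 0; }
    fprintf(sink, "%s%*x%hn", prefix, (int)width, 0u, &stored);
    fclose(sink);
    return (unsigned short)stored;
}

int main(void) {
    printf("width after \"AAAA_\" for 987654: %ld\n", width_for_target(5, 987654));
    printf("%%n stored: %lu\n", demo_n_write("AAAA_", 987654));            /* 987654 */
    printf("%%hn stored for 70000 chars: %u\n", demo_hn_write("AAAA_", 70000)); /* 4464 */
    return 0;
}
```

The second printf shows the answer to the question's "how many chars I've written before": the five prefix characters are part of the count, so the width is 987649, not 987654.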