Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to write value into an address in format string attack

Tags:

c

string

security

format-string

I'm taking a security course which needs us to do format string attack on an unix virtual machine. The vulnerability is a format string using command line argument.

My question is how can I write value into an address in format string (like write shell code address into function return address)?

For example, I try to write value 987654 into the return address location 0xaabbccdd. I tried some strings like "AAAA_%10$x", and this can lead the program to print AAAA_41414141.

Then I replace the letters with my address and try to overwrite it.

\xdd\xcc\xbb\xaa_%10$x_%54321x_%n"

But it does not work. I see an article says I should use a smaller number in %54321x since there are some chars I already wrote, but I don't know how many chars I've written before %54321x, either.

note: The environment has an old version of gcc, so it's not necessary to worried about the value is too large. Any suggestions? Thanks.

like image 858
Alex Ng Avatar asked Jan 31 '11 19:01

Alex Ng

People also ask

How does format string attack work?

Format String attacks alter the flow of an application. They use string formatting library features to access other memory space. Vulnerabilities occurred when the user-supplied data is deployed directly as formatting string input for certain C/C++ functions (e.g., fprintf, printf, sprintf, setproctitle, syslog, ...).

What does %n do when used in a format string?

What is the use of %n in printf()? In C language, %n is a special format specifier. It cause printf() to load the variable pointed by corresponding argument. The loading is done with a value which is equal to the number of characters printed by printf() before the occurrence of %n.

What is %hn in C?

2) %hn means to not write an integer (4-byte usually), but only a short value (usually 2 bytes) at the given address. It is easier, to write 2 2-byte values with this method instead of 1 4-byte value, since you had to print up to 4M chars to write the value you want. Follow this answer to receive notifications.

1 Answers

printf cannot write anywhere without using the %n format specifier. This is the one you're missing. Something like %.987654d%n will write the number 987654 (the number of characters output so far) to an address specified by the second argument, where the first argument is an int. This should be enough to get you started.

like image 66
R.. GitHub STOP HELPING ICE Avatar answered Sep 19 '22 15:09

R.. GitHub STOP HELPING ICE
Sign in to Comment

Related questions

What is the memory attribute 'p' in my linker file?
Mismatch between sizeof in ctypes.struct (packed) and packed struct in C
C/Linux - Server <-> Terminal communication with named pipes
Selecting a random node from a list in C
Executing shellcode in shared memory with mmap [duplicate]
Processing group policy with GP Extension
Delay load python DLL when embedding python+numpy
Launch GstRTSPServer from GstElement pipeline
Why is this call to a pure function with a string literal argument not optimized to a constant value?
What is the most conventional way to integrate C code into a Python library using distutils?
Simple USB host stack
Project Organization in C Best Practices
Unit Testing - How to go about it?
Are the benefits of SFIO over STDIO still valid?
How does malloc_info() work?
Do mmap/mprotect-readonly zero pages count towards committed memory?
Finding all adjacent elements in a 2D array
Asynchronous io in c using windows API: which method to use and why does my code execute synchronous?
QEMU Crashes When Loading Kernel
What's the most efficient bit vector compression method for my use case?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!