Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Overwrite return address simple format string exploit

Tags:

c

exploit

memory-layout

Yes, quite a few similar questions exist already (5037601, 19166698, 4855162, 14505995, 5052648, 13409508, 7745146, 7459630; sorry, not enough rep for more than 2 links), and yes, there are some nice articles explaining this kind of thing (click, click, http ://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html). I've read them and I think I get the general idea, but I still fail at succesfully exploiting the easiest training toy example that I could think of.

#include <stdio.h>

void f(char* a)
{
    printf("a: %p\n", &a);
    printf(a);
    return;
}

void main(int argc, char** argv)
{
    f(argv[1]); //please ignore the lack of any check
    return;
}

Yes, the stack is executable and yes, memory layout randomisation is disabled. Each execution gives me the same address of a. I can feed it for instance $ ruby -e 'print "AAAA"+("%08x."*16)', and that results in:

a: 0xbfffece0
AAAAbfffece0.bfffecf0.b7fd7ff4.00000000.00000000.bffffcf8.080484b0.bfffecf0.00000fff.b7fd8420.00000000.41414141.78383025.3830252e.30252e78.252e7838.

So now I can see where my input ends up in memory. I can write a value to the stack with $ ruby -e 'print "12345%n"+("%08x."*16)', which results in this:

a: 0xbfffece0
12345bfffecf0.b7fd7ff4.00000000.00000000.bffffcf8.080484b0.00000005.00000fff.b7fd8420.00000000.34333231.256e2535.2e783830.78383025.3830252e.30252e78.

Obviously, my ultimate goal would presumably be something like <something><NOPs><shellcode>, where <something> overwrites the return address of f so that the program will jump into the NOP sled and execute the shellcode. But the address of the saved return address seems to depend on my input now, right? Something similar to 0xbfffece0 - len(input) - 12, assuming a 12-byte prologue? Perhaps this example is not the easiest after all...

I'm getting confused. Any ideas?

like image 835
Bla Blaat Avatar asked Jan 16 '14 12:01

Bla Blaat

1 Answers

Another idea is to use the dollar sign: %<distance>$n.

Quoting from Linux's printf manpage:

One can also specify explicitly which argument is taken, at each place where an argument is required, by writing "%m$". Where the decimal integer m denotes the position in the argument list of the desired argument, indexed starting from 1. Source

Example: %5$n would write to the 5th address from the top of the stack.

like image 185
Aneesh Dogra Avatar answered Sep 24 '22 16:09

Aneesh Dogra
Sign in to Comment

Related questions

pthreads, how do I know that another thread inside the process is not waiting?
Get error in the iffw library when trying to write chunk
Find out compilation optimization flag from executable
How to resume file download through FTP using Curl in C?
How to determine if 3 points are exactly collinear in Z^2
Most efficient file writing method for Linux video recorder
What's the common way to manage shared libraries on Linux?
Call C function with different stack pointer (gcc)
Time quantum per process per thread
What is the need for having "nmem" and "size" parameters in C functions? [duplicate]
Dumping registers in stack for conservative stack scanning
problems to connect GDB over an serial port to an KGDB build Kernel
Retrieving current stack pointer from /proc/pid/stat
Spidev do not write/read simultaneously using ioctl
GCC, C: Finding out name of default warnings for use in #pragma ignore
Google hangout desktop application flow
Clarification of use of structs with Arduino and storing structs in PROGMEM
How to use getaddrinfo to connect to a server using the external IP?
Bitwise memmove
Pointer arithmetic and integral promotion

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!