How to write value into an address in format string attack

I'm taking a security course which needs us to do format string attack on an unix virtual machine. The vulnerability is a format string using command line argument.

My question is how can I write value into an address in format string (like write shell code address into function return address)?

For example, I try to write value 987654 into the return address location 0xaabbccdd. I tried some strings like "AAAA_%10$x" , and this can lead the program to print AAAA_41414141 .

Then I replace the letters with my address and try to overwrite it.

xddxccxbbxaa_%10$x_%54321x_%n"

But it does not work. I see an article says I should use a smaller number in %54321x since there are some chars I already wrote, but I don't know how many chars I've written before %54321x , either.

note: The environment has an old version of gcc, so it's not necessary to worried about the value is too large. Any suggestions? Thanks.


printf cannot write anywhere without using the %n format specifier. This is the one you're missing. Something like %.987654d%n will write the number 987654 (the number of characters output so far) to an address specified by the second argument, where the first argument is an int . This should be enough to get you started.


Format string vulnerability is exploited by changing the string printing format of printf function and making it to write some values into a desired address location in memory. Please read this blog post for learning how to do this


you should specify wich offset of the stack to write in with the %n formatter like %[offset]$n

example : %23$n

be sure to correctly get the right address by cheking the result of xddxcc xbbxaa_%54321x_%[offset]$x " this can be done with python or bash script

you should retrieve the address aabbccdd

链接地址: http://www.djcxy.com/p/4588.html

上一篇: SPAN元素在jQuery的show()上成为块级别

下一篇: 如何在格式字符串攻击中将值写入地址