How to write value into an address in format string attack
I'm taking a security course which needs us to do format string attack on an unix virtual machine. The vulnerability is a format string using command line argument.
My question is how can I write value into an address in format string (like write shell code address into function return address)?
For example, I try to write value 987654 into the return address location 0xaabbccdd. I tried some strings like "AAAA_%10$x"
, and this can lead the program to print AAAA_41414141
.
Then I replace the letters with my address and try to overwrite it.
xddxccxbbxaa_%10$x_%54321x_%n"
But it does not work. I see an article says I should use a smaller number in %54321x
since there are some chars I already wrote, but I don't know how many chars I've written before %54321x
, either.
note: The environment has an old version of gcc, so it's not necessary to worried about the value is too large. Any suggestions? Thanks.
printf
cannot write anywhere without using the %n
format specifier. This is the one you're missing. Something like %.987654d%n
will write the number 987654 (the number of characters output so far) to an address specified by the second argument, where the first argument is an int
. This should be enough to get you started.
Format string vulnerability is exploited by changing the string printing format of printf function and making it to write some values into a desired address location in memory. Please read this blog post for learning how to do this
you should specify wich offset of the stack to write in with the %n formatter like %[offset]$n
example : %23$n
be sure to correctly get the right address by cheking the result of xddxcc xbbxaa_%54321x_%[offset]$x
" this can be done with python or bash script
you should retrieve the address aabbccdd
链接地址: http://www.djcxy.com/p/4588.html上一篇: SPAN元素在jQuery的show()上成为块级别
下一篇: 如何在格式字符串攻击中将值写入地址