I'm taking a security course which requires us to do a format string attack on a Unix virtual machine. The vulnerability is a format string using a command line argument.
My question is how can I write a value into an address in a format string (like writing the shellcode address into the function return address)?
For example, I try to write the value 987654 into the return address location 0xaabbccdd.
I tried some strings like "AAAA_%10$x", and this can lead the program to print AAAA_41414141.
Then I replace the letters with my address and try to overwrite it:
"\xdd\xcc\xbb\xaa_%10$x_%54321x_%n"
But it does not work. I see an article says I should use a smaller number in %54321x since there are some chars I already wrote, but I don't know how many chars I've written before %54321x, either.
Note: the environment has an old version of gcc, so it's not necessary to worry about the value being too large. Any suggestions? Thanks.
printf cannot write anywhere without using the %n format specifier. This is the one you're missing. Something like %.987654d%n will write the number 987654 (the number of characters output so far) to an address specified by the second argument, where the first argument is an int. This should be enough to get you started.