How to write value into an address in format string attack

Alex Ng · Jan 31, 2011 · Viewed 11.3k times

I'm taking a security course which needs us to do a format string attack on a unix virtual machine. The vulnerability is a format string using a command line argument.

My question is how can I write value into an address in format string (like write shell code address into function return address)?

For example, I try to write the value 987654 into the return address location 0xaabbccdd. I tried some strings like "AAAA_%10$x", and this leads the program to print AAAA_41414141.

Then I replace the letters with my address and try to overwrite it.

"\xdd\xcc\xbb\xaa_%10$x_%54321x_%n"

But it does not work. I saw an article that says I should use a smaller number in %54321x since there are some chars I already wrote, but I don't know how many chars I've written before %54321x, either.

Note: the environment has an old version of gcc, so it's not necessary to worry about the value being too large. Any suggestions? Thanks.

Answer

R.. GitHub STOP HELPING ICE · Jan 31, 2011

printf cannot write anywhere without using the %n format specifier. This is the one you're missing. Something like %.987654d%n will write the number 987654 (the number of characters output so far) to an address specified by the second argument, where the first argument is an int. This should be enough to get you started.
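The following C program is an added illustration of the mechanism the answer describes; it is not code from the question or the answer. It shows, in a buffer the program owns, that `%n` stores the number of characters printed so far (so `%.987654d%n` records 987654, exactly as the answer says), places the vulnerable pattern from the question (`printf(argv[1])`) beside its fixed form (`printf("%s", argv[1])`), and adds a small helper that counts conversion directives in an untrusted string, which is useful when reviewing logs or input for format-string abuse. The function names, the buffer sizes and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* %n writes the number of characters output so far by this printf call into
   the int pointed to by its argument. A precision of `width` on %d pads the
   integer 0 with zeros to `width` digits, so the recorded count is `width`.
   The output goes into a buffer this function owns; nothing outside it is
   touched. Returns the value %n stored, or -1 on allocation failure. */
int count_written_by_n(int width) {
    if (width < 0) return -1;
    char *buf = malloc((size_t)width + 1);   /* constructed scratch buffer */
    if (buf == NULL) return -1;
    int count = 0;
    /* "%.*d" takes the precision from the argument list (width), then prints 0 */
    snprintf(buf, (size_t)width + 1, "%.*d%n", width, 0, &count);
    free(buf);
    return count;
}

/* Vulnerable pattern from the question: untrusted input IS the format string,
   so any %x, %s or %n inside it is interpreted by printf. gcc reports this with
   -Wformat-security, and glibc built with -D_FORTIFY_SOURCE=2 aborts at run
   time when a format string in writable memory contains %n. */
void log_input_vulnerable(const char *input) {
    printf(input);                 /* BAD: input controls the format */
    putchar('\n');
}

/* Fixed pattern: the format is a constant, the input is only data. */
void log_input_fixed(const char *input) {
    printf("%s\n", input);
}

/* Counts conversion directives ('%' not followed by '%') in an untrusted
   string. A string that is supposed to be plain data (a username, a log
   message from a client) but contains directives is worth flagging. */
int count_conversions(const char *s) {
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') { i++; continue; }   /* literal percent sign */
        n++;
    }
    return n;
}

int main(void) {
    /* constructed sample: the exact payload string from the question */
    const char *payload = "\xdd\xcc\xbb\xaa_%10$x_%54321x_%n";
    printf("%%.987654d%%n records %d\n", count_written_by_n(987654));
    printf("directives in payload: %d\n", count_conversions(payload));
    log_input_fixed(payload);      /* printed as data, harmless */
    return 0;
}
```

Running it prints 987654 for the first line and 3 for the second; `log_input_vulnerable` is deliberately never called on the payload in `main`, because with that input it would interpret the three directives instead of printing them.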