How can I perform a "printf string attack" using a buffer overflow?
The code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void doit()
    {
        system("/bin/sh");
        exit(0);
    }

    int main(int argc, char **argv)
    {
        static int the_var;
        char buf[512];

        the_var = 20;
        strncpy (buf, argv[1], sizeof(buf) - 1);
        printf (buf);                /* user input used directly as the format string */
        if (the_var != 20)
        {
            doit();
        } else {
            printf ("\nthe_var @ 0x%08x = %d 0x%08x\n", &the_var, the_var, the_var);
        }
    }
The program is running with the sticky bit (owner uid 0); all I have to do is crack it and run /bin/sh as root.
I know how to crack the program with fe, buffer overflow and strcpy (shellcode), but don't know how to use a 'format string attack' on this one.
As you can see, there is a var the_var; if it is not equal to 50 then the shell is running (maybe try to change it somehow, some dirty magic?). Anyway, there is a printf (buf).
You control buf. Pass %x format strings to dump the stack and %n to overwrite the object the_var in the stack. From your program, if the object the_var is overwritten, the doit function will be called and /bin/sh will be executed.
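The answer above turns on one fact: in printf(buf) the user string is the format, so any %-directive it contains is interpreted, and %n is the one directive that writes to memory. The following is an added example, not code from the question or the answer. It puts the hardened form (the user string passed as data to a fixed "%s" format) next to a small scanner that counts format directives in untrusted input and flags %n, the kind of check a reviewer or a logging layer can use to tell whether a string is safe to hand to a printf-family function. The names safe_echo, scan_format_directives and format_report are assumptions for this illustration, and the sample input in main is constructed.

```c
/* Added example (not from the original question or answer): the hardened
 * form of the echo, plus a scanner that flags format directives in untrusted
 * input. All names here are assumptions for this illustration. */
#include <stdio.h>
#include <string.h>

struct format_report {
    int directives;   /* number of '%' conversions found ("%%" is a literal, not one) */
    int writes;       /* number of "%n" directives, the only conversion that writes memory */
};

/* Walk s the way a format parser would: count conversion directives and
 * note any %n. With no matching argument supplied, a %n in a user-controlled
 * format stores through whatever pointer happens to sit in the argument area,
 * which is exactly how the_var in the question gets overwritten. */
struct format_report scan_format_directives(const char *s)
{
    struct format_report r = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" prints a literal percent sign */
            p++;
            continue;
        }
        r.directives++;
        /* skip flags, width, precision, positional "$" and length modifiers
         * to reach the conversion character */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q))
            q++;
        if (*q == 'n')
            r.writes++;
        if (*q)
            p = q;                  /* resume after the conversion character */
    }
    return r;
}

/* Hardened form: the user string is passed as DATA to a fixed format, so any
 * "%x" or "%n" inside it is copied literally and never interpreted. Returns
 * the number of characters that would have been written, as snprintf does. */
int safe_echo(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

int main(int argc, char **argv)
{
    /* constructed sample input when none is given on the command line */
    const char *input = argc > 1 ? argv[1] : "%08x.%08x.%n";
    struct format_report r = scan_format_directives(input);
    char out[128];

    safe_echo(out, sizeof out, input);
    printf("directives=%d writes=%d echoed=\"%s\"\n", r.directives, r.writes, out);
    return 0;
}
```

The fix for the program in the question is the one-token change from printf(buf) to printf("%s", buf); the scanner is for the cases where a string must still be audited before reaching a format argument. Two compiler-side aids are worth enabling alongside it: gcc and clang report a non-literal format with no arguments under -Wformat -Wformat-security, and glibc built with _FORTIFY_SOURCE aborts at runtime when a format string in writable memory contains %n.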