
How can I perform a “printf string attack” using a buffer overflow?

The code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Spawns a shell; if the binary runs setuid root, this is a root shell. */
void doit()
{
    system("/bin/sh");
    exit(0);
}

int main(int argc, char **argv)
{
    static int the_var;     /* static storage, not a stack variable */
    char buf[512];

    the_var = 20;

    if (argc < 2)
        return 1;

    strncpy(buf, argv[1], sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';    /* strncpy does not guarantee a terminator */

    printf(buf);    /* BUG: attacker-controlled argv[1] is used as the format string */

    if (the_var != 20) {
        doit();
    } else {
        printf("\nthe_var @ 0x%08x = %d 0x%08x\n", &the_var, the_var, the_var);
    }
    return 0;
}

The program is running with the sticky bit set (owner uid 0); all I have to do is crack it and run /bin/sh as root.

I know how to crack the program e.g. with a buffer overflow and strcpy (shellcode), but I don't know how to use a 'format string attack' on this one.

As you can see, there is a variable the_var; if it is not equal to 50 then the shell runs (maybe try to change it somehow, some dirty magic?). Anyway, there is a printf(buf).

You control buf. Pass %x format strings to dump the stack and %n to overwrite the object the_var in the stack. From your program, if the object the_var is overwritten, the doit function will be called and /bin/sh will be executed.
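As an added example, not code from the question or the answer above: the hardened counterpart of the program's printf(buf) call, plus a small classifier that counts printf conversions in an untrusted string and flags %n, the directive the answer names as the one that writes to memory. The function names are my own; the classifier mirrors printf's own parsing only as far as the flags, width, length and "k$" position syntax.

```c
/* Added example (not the question's code): classify untrusted strings that
 * carry printf directives, and echo them safely instead of printf(buf). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Number of '%' conversions in s as printf parses them ("%%" is a literal).
 * *writes_memory (if non-NULL) is set to 1 when a %n conversion, possibly
 * with flags, width or a "k$" position, is present. */
int count_conversions(const char *s, int *writes_memory)
{
    int n = 0, writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }     /* "%%" prints a percent */
        n++;
        const char *q = p + 1;                  /* skip flags/width/length/"k$" */
        while (*q && (isdigit((unsigned char)*q) || strchr("#0- +.*$hlLjzt", *q)))
            q++;
        if (*q == 'n')
            writes = 1;
        if (!*q)
            break;
        p = q;
    }
    if (writes_memory)
        *writes_memory = writes;
    return n;
}

/* 1 if s carries a %n, i.e. would write to memory if it ever became a format. */
int has_memory_write(const char *s)
{
    int w;
    count_conversions(s, &w);
    return w;
}

/* Hardened counterpart of the question's printf(buf): the untrusted bytes go
 * in as data, so their '%' are never interpreted. Returns the directive count. */
int echo_untrusted(const char *arg)
{
    char buf[512];
    strncpy(buf, arg, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';    /* strncpy may leave no terminator */
    printf("%s", buf);              /* never printf(buf) */
    return count_conversions(buf, NULL);
}
```

A non-zero count on input that should be plain text is worth logging; a %n hit is the case to alert on.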
