The code:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void doit()
    {
        system("/bin/sh");
        exit(0);
    }

    int main(int argc, char **argv)
    {
        static int the_var;
        char buf[512];

        if (argc < 2)               /* avoid dereferencing a missing argv[1] */
            return 1;

        the_var = 20;
        strncpy (buf, argv[1], sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = '\0';   /* strncpy does not terminate long input */
        printf (buf);               /* user input used directly as the format string */

        if (the_var != 20)
        {
            doit();
        } else {
            printf ("\nthe_var @ 0x%08x = %d 0x%08x\n", &the_var, the_var, the_var);
        }
    }
The program is running with the sticky bit (owner uid 0); all I have to do is to crack it and run /bin/sh as root.

I know how to crack the program with, f.e., a buffer overflow and strcpy (shellcode), but I don't know how to use a 'format string attack' on this one.

As you can see, there is a var the_var; if it is not equal to 50 then the shell is running (maybe try to change it somehow, some dirty magic?). Anyway, there is a printf (buf).
You control buf. Pass %x format strings to dump the stack and %n to overwrite the object the_var in the stack. From your program, if the object the_var is overwritten, the doit function will be called and /bin/sh will be executed.
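As an added example (not from the question or the answer, and not the program under discussion), here is the hardened form of the printf (buf) call beside two checks a maintainer would want: a regression check that the fixed path copies %x and %n through as plain text, and a crude input filter for code that cannot be rewritten yet. The function names are my own; compiling with gcc -Wall -Wformat -Wformat-security makes the compiler flag any remaining non-literal format string.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the question's printf(buf): the format is a literal and
 * the user input is only ever data, so "%x" and "%n" inside it are copied
 * through as characters, never interpreted as conversions. */
int echo_safe(const char *input, char *out, size_t n)
{
    return snprintf(out, n, "%s", input);
}

/* Returns 1 when the hardened path reproduces the input byte for byte,
 * which is what a regression test for this fix should assert. */
int hardened_preserves_input(const char *input)
{
    char out[512];
    int written = echo_safe(input, out, sizeof out);
    if (written < 0 || (size_t)written >= sizeof out)
        return 0;                       /* error or truncated */
    return strcmp(out, input) == 0;
}

/* Stopgap for code you cannot rewrite yet: refuse input carrying '%'
 * before it reaches any printf-family call. Crude, but it blocks both
 * the %x read and the %n write described in the answer. */
int contains_format_directive(const char *input)
{
    return strchr(input, '%') != NULL;
}

int main(int argc, char **argv)
{
    char out[512];
    if (argc < 2) {
        fputs("usage: demo <text>\n", stderr);
        return 1;
    }
    if (contains_format_directive(argv[1]))
        fputs("input contains '%', unsafe to pass to printf(buf)\n", stderr);
    echo_safe(argv[1], out, sizeof out);
    puts(out);                          /* prints the input verbatim */
    return 0;
}
```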