7

I am reading about and trying to learn format string vulnerabilities. I have a vulnerable function and I understand the gist of what I have to do with my format string.

Basically, this is what I want to do. Pass in my format string which contains some shellcode as part of it. I also need to format my string so that the return address of the vulnerable function gets replaced so that it points to my shellcode on the stack. Hence, when the function returns, it will jump to my shellcode on the stack and open a shell.

Currently, I am at the point where I can see my shellcode on the stack, and I am able to write to the return address to change it. Problem is, I am using %n as my way of overwriting the return address and am not sure how to get %n to overwrite with a specific value. Of course, %n simply prints the number of bytes written so far to the specified address on the stack. I've read a couple of things on how you can manipulate %n to write the exact address/value you want, but I am lost on how to do that.

Can anyone shed some light?

Edit: I've tried padding my format string with things such as '%500d" and "%.500d" as well as "%nu" for some n values. (I've tried much smaller values as well) but that just brings about a segmentation fault.

To clear up some confusion, here's a quick example I wrote in response to a comment:

Okay, I'll try to be a little more clear. I have a vulnerable program. The vulnerable point is "printf(input);". I want to exploit this by passing in a format string. Now for example, I have a format string

"\x0c\xde\xbf\xff%08x.%08x.%08x.%08x.%08x.%08x.%n" 

This format string, when passed into the vulnerable function, will overwrite the memory address of 0xffbfde0c with the number of bytes written. I am looking to find out how I can modify that format string so that I can make %n overwrite with a specific value by somehow padding the number of bytes written before the %n.

4

2 回答 2

3

%n写一个数字的唯一方法是printf打印这个数量的字符。要获取任何指针的值,您需要打印许多字节。

最简单的方法是类似%999999s.

此外,尝试将返回值定向到某个函数(也称为“返回 libc”)可能更容易,因为代码通常位于相对较低的地址中。

于 2013-10-03T20:19:49.057 回答
0

由于四年前提出的问题,我认为答案可能不是那么有用。我遇到了同样的问题,并找到了一个捷径来做到这一点。正如材料所说,使用 %hhn 将是一种更好的方法,摆脱这么多字节。

为此,我们使用格式指令标志 h,它指定使用一半格式。因此,例如,如果我们使用 %hn,那么我们将格式化字节数写入一个 2 字节的短值。如果我们使用 %hhn,那么我们将格式化字节数写入一个 1 字节的 char 值。 材料

一个例子会像这样

"AAAA\x4c\xfd\xff\xbf%08x.%08x.%08x.%08x.%08x.%08x.%hhn"

'A' 可以有很多,以匹配所需的数字。

于 2018-09-22T14:34:09.467 回答