Hacking - The Art of Exploitation, 2nd Edition
Exploitation 167 7 - Quit [Name: Jon Erickson] [You have 60 credits] -> Change user name Enter your new name: Your name has b ...
168 0x300 The previous chapter demonstrated the use of the more common format parameters, but neglected the less common %n forma ...
Exploitation 169 address operator is used to write this data into the variables count_one and count_two, respectively. The value ...
170 0x300 This is an interesting detail that should be remembered. It certainly would be a lot more useful if there were a way t ...
Exploitation 171 The wrong way to print user-controlled input: testing [*] test_val @ 0x08049794 = -72 0xffffffb8 reader@hacking ...
172 0x300 0x353 Reading from Arbitrary Memory Addresses The %s format parameter can be used to read from arbitrary memory addres ...
Exploitation 173 0x354 Writing to Arbitrary Memory Addresses If the %s format parameter can be used to read an arbitrary memory ...
174 0x300 The wrong way to print user-controlled input: ??bffff3d0b7fe75fc 0 [*] test_val @ 0x08049794 = 420 0x000001a4 reader@h ...
Exploitation 175 The last %x format parameter uses 8 as the field width to standardize the output. This is essentially reading a ...
176 0x300 The addresses and junk data at the beginning of the format string changed the value of the necessary field width optio ...
Exploitation 177 Here, next_val is initialized with the value 0x11111111, so the effect of the write operations on it will be ap ...
178 0x300 reader@hacking:~/booksrc $ reader@hacking:~/booksrc $ ./fmt_vuln2 $(printf "\xf4\x97\x04\x08JUNK\xf5\x97\x04\x08JUNK\x ...
Exploitation 179 4b4e554a [*] test_val @ 0x080497f4 = 33991629 0x0206abcd [*] next_val @ 0x080497f8 = 286326784 0x11110000 reader@ ...
180 0x300 0x355 Direct Parameter Access Direct parameter access is a way to simplify format string exploits. In the previous exp ...
Exploitation 181 Direct parameter access also simplifies the writing of memory addresses. Since memory can be accessed directly, ...
182 0x300 Since the stack doesn’t need to be printed to reach our addresses, the number of bytes written at the first format par ...
Exploitation 183 reader@hacking:~/booksrc $ gdb -q (gdb) p 0xfd72 - 8 $1 = 64874 (gdb) p 0xbfff - 0xfd72 $2 = -15731 (gdb) p 0x1 ...
184 0x300 0x357 Detours with .dtors In binary programs co ...
Exploitation 185 reader@hacking:~/booksrc $ nm ./dtors_sample 080495bc d _DYNAMIC 08049688 d _GLOBAL_OFFSETTABLE 080484e4 R _IO_ ...
186 0x300 located. Then the actual bytes are shown, opposed to DWORDs, which means the bytes are reversed. Bearing this in mind, ...