format string vulnerability exploitation

8 comments, last by stonemetal 15 years, 10 months ago
hello, I am attempting to exploit a format string vulnerability in a C program in order to 1) crash the program, 2) print out the secret[1] value, 3) modify the secret[1] value, 4) modify the secret[1] value to a pre-determined value. Here is the vulnerable code:


/* vul_prog.c */

#include <stdio.h>
#include <stdlib.h>

#define SECRET1 0x44
#define SECRET2 0x55

int main(int argc, char *argv[])
{
  char user_input[100];
  int *secret;
  int int_input;
  int a, b, c, d; /* other variables, not used here.*/

  /* The secret value is stored on the heap */
  secret = (int *) malloc(2*sizeof(int));

  /* getting the secret */
  secret[0] = SECRET1; secret[1] = SECRET2;

  printf("The variable secret's address is 0x%8x (on stack)\n", &secret);
  printf("The variable secret's value is 0x%8x (on heap)\n", secret);
  printf("secret[0]'s address is 0x%8x (on heap)\n", &secret[0]);
  printf("secret[1]'s address is 0x%8x (on heap)\n", &secret[1]);

  printf("Please enter a decimal integer\n");
  scanf("%d", &int_input);  /* getting an input from user */
  printf("Please enter a string\n");
  scanf("%s", user_input); /* getting a string from user */

  /* Vulnerable place: the user's string is used as the format string */
  printf(user_input);
  printf("\n");

  /* Verify whether your attack is successful */
  printf("The original secrets: 0x%x -- 0x%x\n", SECRET1, SECRET2);
  printf("The new secrets:      0x%x -- 0x%x\n", secret[0], secret[1]);
  return 0;
}
All I have to do is provide the appropriate input. I've got the first part (how to crash the program), unfortunately I can't figure out any of the other parts. For the second part I tried to provide a series of "%08x" to print out the memory, but I need to print out the actual contents, not the memory addresses. I've been trying to figure this out for days now, any help would be appreciated. Thanks!!
You've got to earn your degree, so do your homework yourself.

Oh, and crashing the program is not really that much of an achievement.
Quote: Original post by Stereo
You've got to earn your degree, so do your homework yourself.

He's not asking you to do it for him, he's just asking for some guidance.

Quote: Original post by nb2
For the second part I tried to provide a series of "%08x" to print out the memory, but I need to print out the actual contents, not the memory addresses.

I'm probably misunderstanding you, but wouldn't you do this the same way as you would print any other value? For example, if I want to print an int val, I would write: printf("%d", val)
Quote: Original post by Gage64
Quote: Original post by Stereo
You've got to earn your degree, so do your homework yourself.

He's not asking you to do it for him, he's just asking for some guidance.

Quote: Original post by nb2
For the second part I tried to provide a series of "%08x" to print out the memory, but I need to print out the actual contents, not the memory addresses.

I'm probably misunderstanding you, but wouldn't you do this the same way as you would print any other value? For example, if I want to print an int val, I would write: printf("%d", val)

Yes, but I am not supposed to change the vulnerable code at all, I am just supposed to provide input to the program to accomplish the objectives. The vulnerability in the program lies in the fact that to output the string of user input, the statement:
printf(user_input)

is used, instead of:

printf("%s", user_input)

So I basically need to figure out what input to give to the program which prints it out using the (incorrect version of the) printf statement to show the secret value.

And I would not be posting here if I had not tried my hardest to fully understand and solve the problem.

Thanks again for your help.

That's a nice one!
I knew C style format strings can crash programs (from experience) but haven't thought of using it to hack.

edit: actually my previous hint wasn't helping so I deleted it :b sorry.

What I wanted to say was: look at the scanf for possibilities,
and think about the order of the variables in memory.
From 'man printf':
Quote:
n    The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.


Because the input buffer is fixed size, it should also be possible to execute arbitrary code. (Though I won't say how exactly.)
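A defender-side counterpart to the thread, added here and not code from the original post or the course program: it keeps the user string as the argument of a fixed "%s" format (the corrected form nb2 quotes) and scans untrusted input for conversion directives, flagging %n, the specifier quoted from the man page above. The function names count_directives and safe_echo and the sample inputs in the comments are my own.

```c
/* Added example (not from the thread): handling the printf(user_input)
 * bug in vul_prog.c from the defender's side.  Untrusted text is only
 * ever an *argument* to a fixed format string, and a scanner counts the
 * conversion directives an input carries so suspicious strings can be
 * logged or rejected before they reach any formatting layer. */
#include <stdio.h>
#include <string.h>

/* Counts printf-style conversion directives in s.  "%%" is a literal
 * percent sign and is not counted.  *has_n is set when a %n directive
 * (the one that writes to memory) is present: a near-certain sign of an
 * attack string rather than an ordinary typo. */
int count_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {           /* escaped percent: skip both */
            p++;
            continue;
        }
        /* skip flags, width, precision, positional "$" and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*$hlLqjzt", *q))
            q++;
        if (*q == '\0')
            break;                   /* trailing lone '%' */
        if (*q == 'n')
            *has_n = 1;
        count++;
        p = q;
    }
    return count;
}

/* Safe echo: the user string is the argument, never the format.
 * Returns the number of characters snprintf would have written. */
int safe_echo(char *out, size_t outsz, const char *user_input)
{
    return snprintf(out, outsz, "%s\n", user_input);
}
```

GCC and Clang also report the original printf(user_input) call at compile time with -Wformat-security, which is the cheapest place to catch this class of bug.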
This might be interesting to read...
http://julianor.tripod.com/bc/formatstring-1.2.pdf
Quote: Original post by Quinnie
This might be interesting to read...
http://julianor.tripod.com/bc/formatstring-1.2.pdf


Thanks, but I've already read that and tried to follow their suggestions. I was still unable to output the actual contents of the memory addresses. Do you know of anything that I could provide as input that would cause the printf statement in the code given to actually output the contents of an address, rather than the address itself?
Quote: Original post by nb2
Do you know of anything that I could provide as input that would cause the printf statement in the code given to actually output the contents of an address, rather than the address itself?

As stated in that PDF, %s will do that, but it'll obviously need a bit more work to print the whole thing as there are some 0 bytes in the data.
Quote: Original post by nb2
Quote: Original post by Quinnie
This might be interesting to read...
http://julianor.tripod.com/bc/formatstring-1.2.pdf

Thanks, but I've already read that and tried to follow their suggestions. I was still unable to output the actual contents of the memory addresses. Do you know of anything that I could provide as input that would cause the printf statement in the code given to actually output the contents of an address, rather than the address itself?

As the article states, use %s with a few %08xes to control what is printed.
