How can I perform a "printf string attack" using a buffer overflow?

The code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void doit()
{
    system("/bin/sh");
    exit(0);
}

int main(int argc, char **argv)
{
    static int the_var;
    char buf[512];

    the_var = 20;

    if (argc < 2)
        return 1;

    /* length-limited copy of the first argument; terminate explicitly,
       since strncpy does not when the source fills the buffer */
    strncpy (buf, argv[1], sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';

    /* user input used directly as the format string */
    printf (buf);

    if (the_var != 20)
    {
        doit();
    } else {
        printf ("\nthe_var @ 0x%08x = %d 0x%08x\n", &the_var, the_var, the_var);
    }
}

The program is running with the sticky bit (owner uid 0); all I have to do is crack it and run /bin/sh as root.

I know how to crack the program with, e.g., a buffer overflow and strcpy (shellcode), but I don't know how to use a 'format string attack' on this one.

As you can see, there is a variable the_var; if it is not equal to 50, then the shell is run (maybe try to change it somehow, some dirty magic?). Anyway, there is a printf (buf).

Answers


You control buf. Pass %x format strings to dump the stack and %n to overwrite the object the_var in the stack. From your program if the object the_var is overwritten, the doit function will be called and /bin/sh will be executed.
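As an added example (not part of the question or the answer above), this is the hardened counterpart of the printf (buf) line: the user string is passed as the argument of a fixed "%s" format, so %x and %n inside it are copied as literal text and the_var cannot be reached. The function names, the sentinel and the sample input are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Sentinel standing in for the_var in the question; it stays at 20 because
   the input below is never interpreted as a format string. */
static int the_var = 20;

/* Hardened echo: fixed format, user data only ever an argument.
   Returns the number of characters written, or -1 on truncation/error. */
int safe_echo(const char *input, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s", input);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Defensive check for legacy call sites that cannot be changed at once:
   returns 1 if the string contains a '%' that would act as a conversion
   directive if it were ever used as a format ("%%" is a harmless literal). */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }
            return 1;
        }
    }
    return 0;
}

int sentinel_value(void) { return the_var; }

int main(int argc, char **argv)
{
    /* constructed sample resembling a format-string probe */
    const char *sample = argc > 1 ? argv[1] : "%x %x %n";
    char out[512];

    if (contains_format_directive(sample))
        fputs("note: input contains format directives; echoed as data\n", stderr);
    if (safe_echo(sample, out, sizeof out) < 0)
        fputs("input too long\n", stderr);
    else
        printf("%s\n", out);
    printf("the_var = %d (unchanged)\n", the_var);
    return 0;
}
```

Compiling the original with -Wformat-security flags the printf (buf) call, while this version produces no warning because the format is a constant.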

