I would like to sum up the format section tasks with some general algorithm that is probably will be good to solve easy tasks for this kind of vulnerability. You can try to apply this algorithm if you are sure that application has a format string vulnerability.
Firstly you have to obtain target or targets addresses in memory. They may be on a stack, in a heap or somewhere you have write access.
Then try to locate your string on stack. If you cannot reach it, search for target address on the stack as one of the parameter of the format string.
Furthermore craft format string. Place target addresses at the beginning of the user-supplied format string. Then put accurately crafted directives to overwrite needed bytes. Use almost any printing directive with needed length flag, e.g. %50x, to make current printed characters count equal to needed value. Then write printed characters count into target address by specifying target address as some N-th format string argument to %n directive, e.g. %N$n . Also you may want to specify how many bytes result value should occupy by putting 'h' or 'hh' before 'n', e.g. %N$hhn.
After that run the expoit. Also check whether your target addresses lay exactly the way you need to get them for the %n directive.
Firstly you have to obtain target or targets addresses in memory. They may be on a stack, in a heap or somewhere you have write access.
Then try to locate your string on stack. If you cannot reach it, search for target address on the stack as one of the parameter of the format string.
Furthermore craft format string. Place target addresses at the beginning of the user-supplied format string. Then put accurately crafted directives to overwrite needed bytes. Use almost any printing directive with needed length flag, e.g. %50x, to make current printed characters count equal to needed value. Then write printed characters count into target address by specifying target address as some N-th format string argument to %n directive, e.g. %N$n . Also you may want to specify how many bytes result value should occupy by putting 'h' or 'hh' before 'n', e.g. %N$hhn.
After that run the expoit. Also check whether your target addresses lay exactly the way you need to get them for the %n directive.
No comments:
Post a Comment