The format1 task differs from format0 in where the target variable is located: in format1 the target lives in the .bss segment.
First we have to locate the address of our target. objdump -t helps us (you can use nm too). You can see that target is at 0x08049638, so we have to modify the value stored there. The %n format string conversion is what lets us do that: it writes the number of characters printed so far to the address passed as the corresponding argument.
Second, we have to find our string on the stack so that we can reference the target address. Since the target address is not already on the stack, we have to supply it in our input string. To find where the input lands, set a breakpoint just before the printf call and print the stack with x/40wx $esp. The value on top of the stack is the address of our format string; also note the address of the second entry from the top, since it helps to calculate the probable argument number that points to our input. In my case it was 132 in gdb, while in ordinary execution (outside gdb) it was 127.
Third, I had to align the target address on the stack so that it is read as one whole 4-byte address. To do that I had to append three characters to my string.
The whole format string solution is:
\x38\x96\x04\x08%127$n___
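As an added example, not code from the write-up or from the exercise itself, here is a small C file that shows the format1 bug pattern next to its hardened form, plus an input check a defender can use to spot strings carrying printf conversions. The names target, vuln_echo, safe_echo and has_format_directive are made up for this illustration; the .bss target idea, the %n behaviour and the payload string come from the write-up.

```c
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical names, not from the write-up): the format1
 * bug pattern and its fix. target stands in for the .bss variable that the
 * write-up overwrites with %n. */
int target = 0;

/* The vulnerable pattern: user data used directly as the format string.
 * With printf(user), a string such as "\x38\x96\x04\x08%127$n" makes printf
 * treat the embedded address as its 127th argument, and %n stores the number
 * of characters printed so far through that pointer, i.e. into target.
 * gcc's -Wformat-security flags this call; distributions that build with
 * -Werror=format-security refuse to compile it, which is why the line is
 * shown as a comment rather than compiled here:
 *
 *     void vuln_echo(const char *user) { printf(user); }
 */

/* Hardened form: the format is a literal and user data is only ever an
 * argument, so '%' in the input is printed, never interpreted. Returns the
 * number of bytes snprintf would have written (out may be NULL with
 * outlen 0, per C99, to just measure). */
int safe_echo(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* Defender-side check for input validation or log review: does the string
 * contain a conversion that printf would act on? "%%" is a literal percent
 * and is skipped; any other character after '%' (including a positional
 * "127$n") or a trailing lone '%' counts as a directive. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent: a literal, not a directive */
            p++;
            continue;
        }
        return 1;            /* any other '%' sequence is a directive */
    }
    return 0;
}

int main(void)
{
    char out[64];
    /* the write-up's payload: target address, positional %n, 3 padding bytes */
    const char payload[] = "\x38\x96\x04\x08%127$n___";

    safe_echo(out, sizeof out, payload);
    printf("target after safe_echo: %d (unchanged)\n", target);
    printf("payload contains a directive: %d\n", has_format_directive(payload));
    printf("\"100%% done\" contains a directive: %d\n",
           has_format_directive("100%% done"));
    return 0;
}
```

Compiling with -Wall -Wformat -Wformat-security is the cheapest check for this bug class: the commented-out vuln_echo produces "format not a string literal and no format arguments", while safe_echo is silent. The has_format_directive check is a second line of defence for places where untrusted text is later handed to a logging or formatting routine whose format argument you do not control.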