Notice that the format string itself was stored on the stack, proven by the presence of our AAAA (0x41414141) test string. The fact that the fourth item shown (from the stack) was our format string depends on the nature of the format function used and the location of the vulnerable call in the vulnerable program. To find this value, simply use brute force and keep increasing the number of %08x tokens until the beginning of the format string is found. For our simple example (fmtstr), the distance, called the offset, is defined as 4.
Chapter 8: Advanced Linux Exploits
Using the %s Token to Read Arbitrary Strings
Because we control the format string, we can place anything in it we like (well, almost anything). For example, if we wanted to read the value at the address held in the fourth parameter, we could simply replace the fourth format token with a %s as shown:
$ ./fmtstr "AAAA %08x %08x %08x %s"
Segmentation fault
$
Why did we get a segmentation fault? Because, as you recall, the %s format token takes the next parameter on the stack, in this case the fourth one, and treats it as a memory address to read from (by reference). In our case, the fourth value is AAAA, which in hex is 0x41414141; that address is not mapped in the process, so reading from it (as we saw in the previous chapter) causes a segmentation fault.
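The root cause in both experiments above is the same: user input is passed to printf() as the format string, so every %08x or %s in it pulls another value off the caller's stack. The following is an added example written for this page, not the book's fmtstr program. It places the vulnerable call beside its hardened form and adds a small hypothetical helper, count_format_directives(), that counts how many arguments a format string would consume. That count is what the brute-force offset search above relies on, and the same check is useful on the defensive side for flagging untrusted input that carries directives before it ever reaches a format function.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical helper (not from the book): count the conversion directives in
 * fmt, i.e. how many arguments printf() would pull off the stack for it.
 * "%%" is a literal percent sign and consumes nothing; a '*' width or
 * precision consumes an extra argument of its own. */
int count_format_directives(const char *fmt)
{
    int n = 0;
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;                                  /* character after '%' */
        if (*p == '%') { p++; continue; }     /* "%%" -> literal '%' */
        if (*p == '\0') break;                /* trailing lone '%' */

        /* flags, width, precision; each '*' is an argument by itself */
        while (*p && strchr("-+ #0123456789.*", *p)) {
            if (*p == '*') n++;
            p++;
        }
        /* length modifiers (h, l, ll, z, ...) precede the conversion char */
        while (*p && strchr("hlLqjzt", *p)) p++;
        if (*p == '\0') break;

        n++;                                  /* the conversion itself */
        p++;
    }
    return n;
}

/* True when untrusted text contains at least one directive, i.e. it would
 * read from the stack if it were ever used as a format string. */
bool has_format_directives(const char *s)
{
    return count_format_directives(s) > 0;
}

/* Vulnerable pattern (the shape of the fmtstr example): the user string IS
 * the format string, so "AAAA %08x %08x %08x %s" reads three stack words and
 * then dereferences the fourth one. Not called from main() here. */
void echo_vulnerable(const char *user)
{
    printf(user);            /* user controls the directives */
    printf("\n");
}

/* Hardened form: the format is a literal and the user string is only a %s
 * argument, so any '%' in it is printed verbatim and nothing is read from
 * the stack beyond that one pointer. */
void echo_safe(const char *user)
{
    printf("%s\n", user);
}

int main(void)
{
    /* constructed inputs: the book's test string and a benign one */
    const char *probe  = "AAAA %08x %08x %08x %s";
    const char *benign = "progress: 100%% done";

    printf("directives in \"%s\": %d\n", probe,  count_format_directives(probe));
    printf("directives in \"%s\": %d\n", benign, count_format_directives(benign));

    /* the safe path prints the probe literally instead of walking the stack */
    echo_safe(probe);
    return 0;
}
```

When compiled with gcc or clang, echo_vulnerable() is exactly the call that `-Wformat -Wformat-security` reports as "format not a string literal and no format arguments"; treating that warning as an error in the build is the cheapest way to keep this bug class out of a code base, and the count helper is a fallback check for code paths where the format cannot be made a literal.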