To make the rest of the chapter’s examples easy, use the bash shell.
Writing to Arbitrary Memory
For this example, we will try to overwrite the canary address 0x08049440 with the address of shellcode (which we will store in memory for later use). We will use this address because it is visible to us each time we run fmtstr, but later we will show we can overwrite nearly any address.
Magic Formula
As shown by Blaess, Grenier, and Raynal (see "References"), the easiest way to write 4 bytes in memory is to split it into two chunks (two high-order bytes and two low-order bytes) and then use the #$ and %hn tokens to put the two values in the right place.
For example, let’s put our shellcode from the previous chapter into an environment variable and retrieve the location:
$ export SC=`cat sc`
$ ./getenv SC
SC is located at 0xbfffff50 !!!!!!yours will be different!!!!!!
If we wish to write this value into memory, we would split it into two values:
• Two high-order bytes (HOB): 0xbfff
• Two low-order bytes (LOB): 0xff50
As you can see, in our case, HOB is less than (<) LOB, so follow the first column in Table 8-2.
Now comes the magic. Table 8-2 will present the formula to help you construct the format string used to overwrite an arbitrary address (in our case the canary address, 0x08049440).
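As an added illustration (not the book's own code, and not the formula from Table 8-2), the C program below splits the example address into HOB and LOB and performs the two %hn writes into a 32-bit variable it owns, with the pointers passed explicitly and the format kept as a string literal. It makes the ordering rule behind the "HOB < LOB" case concrete: the %n counter only grows, so the smaller half is written first and the larger half is reached by emitting the difference. It assumes a little-endian host (glibc-style printf, as in the chapter).

```c
#include <stdint.h>
#include <stdio.h>

/* Two high-order bytes (HOB) and two low-order bytes (LOB) of a 32-bit value. */
static uint16_t hob_of(uint32_t value) { return (uint16_t)(value >> 16); }
static uint16_t lob_of(uint32_t value) { return (uint16_t)(value & 0xffff); }

/* %n records how many characters have been emitted so far, and that count
 * only grows, so the smaller half must be written first. Returns 1 for the
 * chapter's "HOB < LOB" case (write HOB first), 0 otherwise. */
static int hob_first(uint32_t value) { return hob_of(value) < lob_of(value); }

/* Write `value` into a local 32-bit variable using two %hn conversions.
 * The format is a literal and the pointers are our own, so this only shows
 * the printf semantics; the chapter's bug is the same directives arriving in
 * attacker-controlled input. Assumes little-endian: h[0] is the low half.
 * "%.*d" with argument 0 emits exactly `precision` zeros (none for 0). */
static uint32_t write_via_hn(uint32_t value) {
    static char sink[0x10000 + 16];            /* output is discarded */
    union { uint32_t u; short h[2]; } target = { 0 };
    short *lo = &target.h[0];
    short *hi = &target.h[1];
    int first, second;
    short *p1, *p2;

    if (hob_first(value)) {
        first = hob_of(value); second = lob_of(value) - first; p1 = hi; p2 = lo;
    } else {
        first = lob_of(value); second = hob_of(value) - first; p1 = lo; p2 = hi;
    }
    /* after the first %.*d the count is `first`; after the second it is
     * first + second, i.e. the larger half, so each %hn stores its half */
    snprintf(sink, sizeof sink, "%.*d%hn%.*d%hn", first, 0, p1, second, 0, p2);
    return target.u;
}

int main(void) {
    uint32_t sc = 0xbfffff50u;                 /* the chapter's example address */
    printf("HOB=0x%04x LOB=0x%04x -> wrote 0x%08x\n",
           hob_of(sc), lob_of(sc), write_via_hn(sc));
    return 0;
}
```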