6

As part of an assignment, I am expected to exploit the printf() vulnerability in the C code shared below. It should be in a way that when I run the code with a string (e.g. ./format "foo"), I should change the "1" in "X equals to 1" with something else. I believe I need to change the value of the X variable, but if you have a different idea, please do not hesitate to share. Here is the code:

#include <stdio.h>
#include <stdlib.h>
int main (int argc, char **argv)
{
    int *p;
    int x = 1;
    p=&x;
    /* Six conversion specifiers but only five arguments; the answer's output
     * ("&x = 0x7fff...") suggests the third one was meant to read "&x = %p". */
    printf("x=%d, sizeof(x): %zu, %x = %p, sizeof((p):%zu,&p = %p, \n", x, sizeof(x), &x, sizeof(p),&p);
    /* The format-string bug the assignment targets: the user-supplied argv[1]
     * is passed as the format itself (and argc is never checked first). */
    printf(argv[1]);
    printf("\nX equals: %d \n", x);
    return 0;
}
7
  • I do not understand what you are trying to exploit. The printf call does not have enough arguments, and some arguments are of the wrong type for the format specifier. Why would anyone release code like this for you to exploit? Commented Oct 16, 2017 at 18:30
  • It's not super clear what you mean by "exploit"; you could use an incorrect format specifier. Most of the time it will print nonsense instead of a formatted variable, although it will technically invoke UB and may not have a desired effect. Commented Oct 16, 2017 at 18:32
  • 1
    Well, as I pass a string on the terminal (e.g. ./format "foo"), I can normally only make changes on the output of the printf(argv[1]) line. But as printf(argv[1]) is not exactly a secure way to print out, it can be exploited by using strings such as "%n..." or "%s%s%s...." (for instance, you may read the memory with these strings, etc.). What I need to do is to change the X variable, but I cannot find the proper string to change a variable. Commented Oct 16, 2017 at 18:36
  • You already have an exploit since you do not check argc before printf(argv[1]); Commented Oct 16, 2017 at 18:47
  • 1
    I found that there is a vulnerability because there is a mismatch between the format string and the actual arguments in the line printf("x=%d, sizeof(x): %zu, %x = %p, sizeof((p):%zu,&p = %p, \n", x, sizeof(x), &x, sizeof(p),&p); and %n is used for inserting code. It is doable because of the mismatch. Trying to figure out how I can use %n without getting a segmentation error 11. @mfro Commented Oct 16, 2017 at 19:41

1 Answer 1

9

You can find pretty decent information (Format string attack) about vulnerabilities in printf when not using validation properly.

I played a little with it, and when running the program like this:

./format "Bob %x %x %x %x %x %x %x %x%n" 

it will cause the following print:

x=1, sizeof(x): 4, &x = 0x7fffa9c36e14, sizeof((p):8,&p = 0x7fffa9c36e18,
Bob 81688000 81464ab0 3 81688048 3 a9c36f08 400410 a9c36f00
X equals: 59

If you replace the %n with %x, you will be able to see the address of the variable x. Because %x reads from the process memory and %n writes to the process memory, I was able to change the data inside of x (59 is the number of characters up to %n when printing).
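As a defensive counterpart to the answer above, here is an added example (written for this page, not code from the question or the answer) showing the fix for the vulnerable line and a small scanner that flags how many conversion directives an untrusted string would consume if it were ever used as a format. The helper names scan_format, count_conversions, count_n_directives and print_user_string are hypothetical; the sample inputs in the comments and the usage below are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the page): walk an untrusted string and count
 * printf conversion directives. Each one would consume a stack/register value
 * if the string were ever passed as a format; "%n" would additionally write
 * to memory. "%%" is a literal percent sign and is not counted. */
static int scan_format(const char *s, int *n_writes)
{
    int conversions = 0;
    *n_writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')            /* "%%": literal '%', consumes nothing */
            continue;
        /* skip flags, field width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        conversions++;            /* a lone trailing '%' still counts as malformed */
        if (*p == '\0')
            break;
        if (*p == 'n')
            (*n_writes)++;
    }
    return conversions;
}

/* Number of directives that would consume an argument (e.g. the page's
 * "Bob %x %x %x %x %x %x %x %x%n" yields 9). */
int count_conversions(const char *s)
{
    int w;
    return scan_format(s, &w);
}

/* Number of "%n" directives, the only ones that write to memory. */
int count_n_directives(const char *s)
{
    int w;
    scan_format(s, &w);
    return w;
}

/* The fix for printf(argv[1]): pass the user string as an argument to a fixed
 * format, so its '%' characters are printed as data rather than interpreted.
 * Returns printf's count of characters written (length + newline). */
int print_user_string(const char *s)
{
    return printf("%s\n", s);
}

int main(int argc, char **argv)
{
    int x = 1;
    /* the original program also never checked argc before touching argv[1] */
    const char *input = argc > 1 ? argv[1] : "(no argument given)";
    int conv = count_conversions(input);
    int writes = count_n_directives(input);
    if (conv > 0)
        fprintf(stderr, "note: input holds %d conversion directive(s), %d of them %%n; printed as data\n",
                conv, writes);
    print_user_string(input);
    printf("X equals: %d\n", x);  /* x stays 1 whatever the input contains */
    return 0;
}
```

Run with the answer's string (./format "Bob %x %x %x %x %x %x %x %x%n") and the program reports nine directives, one of them %n, prints the string verbatim and still ends with "X equals: 1". Compilers also help here: gcc and clang warn about a non-literal format with -Wformat-security, which is the cheapest detection for this class of bug in a code base.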
