How to get address from string format exploit that only accepts decimals?

I'm trying to get the address of a function by exploiting string format vulnerability. I have a function pointer named 'exit' that points to a function A. I need to make 'exit' point to another function B that is at some address offset from A (in this case, it's 32 decimal addresses away). In order to do this, I need to set the value at address of 'exit' to be the address of B. My problem: I do not know the initial value of 'exit' (which is also the address of A), so I need to exploit string format to try and find the address of A.

I start from the beginning of an unsigned char buffer that's 44 bytes long. Suppose pointer 'exit' is at buffer[48] (I am just simplifying the problem). I am doing a buffer overflow to reach P. Along the way, I have essentially 48 iterations of random numbers while I traverse through the for loop in the buffer overflow attack.

The scanf below asks for a numeric input from the user. When I input '%x' or '%d' or any other kind of format abuse, I am not able to get back an address and the program terminates. Is it possible to exploit string format vulnerability when the input expects a number only?

I cannot modify the code, I am only allowed to exploit the program via the inputs. How can I find the address of A or B at any point, given the code below?

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct container {
    unsigned char buffer[44];
    void (*exit)();      /* lies just past the 44-byte buffer in the same allocation */
};

void B() {
    puts("You've executed the correct function!");
}

void A() {
    puts("Wrong function");
}

int main() {
    struct container * my_container = malloc(sizeof(struct container));
    memset(my_container->buffer, 0, 44);
    my_container->exit = &A;

    /* loop bound is 50, but buffer holds 44 bytes: later iterations write past it */
    for (int i = 0; i < 50; i++) {
        printf("What number goes into the buffer at index %d? ", i);
        unsigned int input_num;
        scanf("%d", &input_num);   /* format is a compile-time constant; input is parsed as a number */
        if (input_num == 0) {
            break;
        }
        my_container->buffer[i] = input_num & 0x000000ff;   /* only the low byte is stored */
    }

    my_container->exit();
    free(my_container);
}

I expected the output of "%x" to be the address of the current position of the stack pointer. Instead, it terminates the program.

Tags: string, format, buffer, overflow, memory-address
asked on Stack Overflow Nov 2, 2019 by Joshua Ng • edited Nov 3, 2019 by Joshua Ng

0 Answers

Nobody has answered this question yet.
User contributions licensed under CC BY-SA 3.0