I'm trying to get the address of a function by exploiting string format vulnerability. I have a function pointer named 'exit' that points to a function A. I need to make 'exit' point to another function B that is at some address offset from A (in this case, it's 32 decimal addresses away). In order to do this, I need to set the value at address of 'exit' to be the address of B. My problem: I do not know the initial value of 'exit' (which is also the address of A), so I need to exploit string format to try and find the address of A.
I start from the beginning of an unsigned char buffer that's 44 bytes long. Suppose pointer 'exit' is at buffer[48] (I am just simplifying the problem). I am doing a buffer overflow to reach P. Along the way, I have essentially 48 iterations of random numbers while I traverse through the for loop in the buffer overflow attack.
The scanf below asks for a numeric input from the user. When I input '%x' or '%d' or any other kind of format abuse, I am not able to get back an address and the program terminates. Is it possible to exploit string format vulnerability when the input expects a number only?
I cannot modify the code, I am only allowed to exploit the program via the inputs. How can I find the address of A or B at any point, given the code below?
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct container {
unsigned char buffer[44];
void (*exit)();
};
void B() {
puts("You've executed the correct function!");
}
void A() {
puts("Wrong function");
}
int main() {
struct container * my_container = malloc(sizeof(struct container));
memset(my_container->buffer, 0, 44);
my_container->exit = &A;
for (int i = 0; i < 50; i++) {
printf("What number goes into the buffer at index %d? ", i);
unsigned int input_num;
scanf("%d", &input_num);
if (input_num == 0) {
break;
}
my_container->buffer[i] = input_num & 0x000000ff;
}
my_container->exit();
free(my_container);
}
I expected the output of "%x" to be the address of the current position of the stack pointer. Instead, it terminates the program.
User contributions licensed under CC BY-SA 3.0