
I am attempting to overwrite a variable in a C program using a format string attack. This IS a homework assignment for a security class, and I am not asking for you to do my homework for me. However I am struggling to get this to work and I can't understand why. Also, I understand that there have been other questions asked on this topic, but none of those posts were able to help me.

I am working on a VM that my professor has set up for me. The vulnerable code was built by him so I'm not sure how he did it, the OS is Linux 3.13.0-65-generic i686, and ASLR is supposed to have been disabled by the professor. We did not receive any instructions about setting up an environment to allow this attack to succeed because the environment was completely set up by the professor. Also I don't have sudo permissions on the VM to do those things myself.

This is the code of the vulnerable application that my attacks target:

#include <stdio.h>
#include <stdlib.h>   /* system() */

#ifndef MAGICNUM
#define MAGICNUM 0x41424344
#endif

int x = 0;            /* the global the attack has to overwrite */

void vuln() {
  int y = 1;
  char buf[128];

  printf("This is vuln() \tx = %08x \ty = %08x\n", x, y);
  printf("Enter your input: ");
  scanf("%127s", buf);          /* bounded read, so buf itself cannot overflow */
  printf("You entered: ");
  printf(buf);                  /* user input used directly as the format string */
  printf("\n\n");
  printf("Now x = %08x and y = %08x\n", x, y);

  if(x==MAGICNUM) {
    printf("Success!\n");
    system("/bin/sh");
  }
  else {
    puts("Sorry, try again.");
  }

  return;
}

int main(int argc, char* argv[])
{
  vuln();
  return 0;
}

Once again my goal is to overwrite the variable x using a format string attack. The homework assignment wants me to overwrite it with MAGICNUM but for now I am simply trying to assign any arbitrary value to x.

Using GDB I was able to find that the address of x is 0x0804a030.

I know that I need to use the %n format specifier and these are some examples of input strings I have tried so far:

"\x30\xa0\x04\x08%08x.%08x.%08x.%08x%n"
"\x30\xa0\x04\x08%8s%n"
"\x30\xa0\x04\x08%.8%n"

All of those input strings trigger a segmentation fault and I can't figure out why they aren't working.

Any insight on what I can do to successfully overwrite x would be great.

  • perhaps you can find the vuln by asking your compiler for assembler output. Commented Nov 15, 2015 at 10:12
  • is the code a constraint, I mean, can you change it for the exercise? BTW, not sure the %n is the best way to do it, generally speaking buffer overflows do the trick very well, for example in your code, if you enter a very long string in buf (bigger than 128) (when value is asked), you'll figure out that y is modified. Commented Nov 15, 2015 at 10:21
  • @OznOg I don't have write permissions to the code. But I have copied it to a new file where I can make changes for testing. I agree with you about buffer overflows being better, but I am supposed to be able to do it with %n Commented Nov 15, 2015 at 10:25
  • @tjensen is the code you gave the original one? if not, could we see the original code (maybe you introduced modifications that fools us)? Commented Nov 15, 2015 at 10:29
  • 1
    @moooeeeep I am working on a VM that my professor has set up for me. The vulnerable code was built by him so I'm not sure how he did it, the OS is Linux 3.13.0-65-generic i686, and ASLR is supposed to have been disabled by the professor. We did not receive any instructions about setting up an environment to allow this attack to succeed because the environment was completely set up by the professor. Also I don't have sudo permissions on the VM to do those things myself. Commented Nov 15, 2015 at 21:10

2 Answers


I think you need to overflow the buffer size he assigned. Look at the variable buf[128]. Google about stack buffer overflow and try to identify what happens if you pass a parameter longer than 127 characters to the program.


In my humble opinion, I think this is not possible.

x is in global address space (.data) and all other variables are in stack space. In a buffer overrun attack, you manage to overwrite the memory in the neighbourhood of the buffer. But here the buffer and the variable can be miles apart. There are no assumptions you can make about their distance so you cannot determine how much overrun to cause to overwrite x.

Further, there are no instructions or procedure calls that can cause an overrun. The scanf is nicely shielded to get at most 127 characters and the printf statements print to stdout and so cannot cause an overrun.

Should your professor provide you a solution that does overwrite x, I would be very interested to hear it.

2 Comments

This question is not about a buffer overflow, but about uncontrolled format string, which might let printf wreak havoc memorywise. And the code clearly has a vulnerability a user could exploit.
@mooeeeep, as you say, might, but not guaranteed/deterministic. You could enter an input with lots of format specifiers like %s%d%.*f but you can't guarantee that will overwrite the global variable x. Hence, in my humble opinion it cannot be done [deterministically].
