1

Let's consider the functions below:

void func2(void)
{
    .
    .
    .
    exit(1);
}

void func1(void)
{
    char buf[512];

    fgets(buf, 512, stdin);
    printf(buf);
    exit(1);
}

int main(int argc, char *argv[], char **envp)
{
    .
    .
    .
    func1();
    return (0);
}

And assume this is the corresponding assembly:

080484a4 <func2>:
 80484a4:   55                      push   ebp
 80484a5:   89 e5                   mov    ebp,esp
 80484a7:   83 ec 18                sub    esp,0x18
 80484aa:   c7 04 24 f0 85 04 08    mov    DWORD PTR [esp],0x80485f0
 80484b1:   e8 fa fe ff ff          call   80483b0 <system@plt>
 80484b6:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1
 80484bd:   e8 ce fe ff ff          call   8048390 <_exit@plt>

080484c2 <func1>:
 80484c2:   55                      push   ebp
 80484c3:   89 e5                   mov    ebp,esp
 80484c5:   81 ec 18 02 00 00       sub    esp,0x218
 80484cb:   a1 48 98 04 08          mov    eax,ds:0x8049848
 80484d0:   89 44 24 08             mov    DWORD PTR [esp+0x8],eax
 80484d4:   c7 44 24 04 00 02 00    mov    DWORD PTR [esp+0x4],0x200
 80484db:   00
 80484dc:   8d 85 f8 fd ff ff       lea    eax,[ebp-0x208]
 80484e2:   89 04 24                mov    DWORD PTR [esp],eax
 80484e5:   e8 b6 fe ff ff          call   80483a0 <fgets@plt>
 80484ea:   8d 85 f8 fd ff ff       lea    eax,[ebp-0x208]
 80484f0:   89 04 24                mov    DWORD PTR [esp],eax
 80484f3:   e8 88 fe ff ff          call   8048380 <printf@plt>
 80484f8:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1
 80484ff:   e8 cc fe ff ff          call   80483d0 <exit@plt>

08048504 <main>:
 8048504:   55                      push   ebp
 8048505:   89 e5                   mov    ebp,esp
 8048507:   83 e4 f0                and    esp,0xfffffff0
 804850a:   e8 b3 ff ff ff          call   80484c2 <func1>
 804850f:   c9                      leave
 8048510:   c3                      ret
 8048511:   90                      nop
 8048512:   90                      nop
 8048513:   90                      nop
 8048514:   90                      nop
 8048515:   90                      nop
 8048516:   90                      nop
 8048517:   90                      nop
 8048518:   90                      nop
 8048519:   90                      nop
 804851a:   90                      nop
 804851b:   90                      nop
 804851c:   90                      nop
 804851d:   90                      nop
 804851e:   90                      nop
 804851f:   90                      nop

From my analysis of the code, I realised it is probably impossible to call func2 by overflowing on the saved EIP, because the function func1 will call exit and thus the return address change would be useless.

I want to know if it's possible to execute the function func2 by exploiting printf. In that case how could it be done?

Improve this question
1
  • 1
    You can try changing the address of exit in the GOT via printf format string exploit so it is redirected to func2. Commented Jan 10, 2022 at 14:48
Related questions
0
How can I call sprintf from x86_64 assembly?
2
Can sprintf / formatted strings be passed directly to a function?
2
How do you use printf from Assembly?
Load 7 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.