2

Code is here:

#include <stdio.h> #define NUM 0x11a int data = NUM; int main(int argc, char * argv[]) { struct{ unsigned long memoryAddress; char array[50]; } locals; locals.memoryAddress= 2; scanf("%lx", &locals.memoryAddress); scanf("%49s", locals.array); printf(locals.array); data += 5; printf("\n%d\n", data); if(data != NUM + 0x5){ printf("Print me!\n"); } return 0; }

I should get "Print me!". It's format string attack and I use %n and gdb.

So how can I get memory address of data to overwrite it?

Improve this question
18
  • 1
    Maybe it is too much for me, but I don't understand why after assigning NUM to data and adding 5 to data you expect data to be different from NUM+5. Commented Apr 29, 2020 at 12:01
  • Related: stackoverflow.com/questions/31290850/… Commented Apr 29, 2020 at 12:03
  • 2
    @RobertoCaboni %n allows to write the number of characters written so far to a variable. If there is no variable, or if you use the accurate displacement (e.g. %5$n) you can select an arbitrary address to write to from the stack (in this case OP wants to write to data). Since you have control over the format string you can "pack" the arbitrary address into the format string itself and then find the appropriate displacement to make %n use that address and write what you want where you want (combining it with %NNNc to write NNN characters before the %n is hit). Commented Apr 29, 2020 at 12:15
  • 1
    @RobertoCaboni here's a more detailed explanation (first one that comes up googling). Commented Apr 29, 2020 at 12:17
  • 1
    @RobertSsupportsMonicaCellio UB is just a concept defined by the standard. Once you pinpoint an exact compiler and version, and more than that, once you have a program that is compiled, the behavior of the program is 100% well defined. Commented Apr 29, 2020 at 12:47
Load 7 more related questions Show fewer related questions

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.