#include <stdio.h>
void func(void);            /* defined elsewhere in the exercise, not shown here */
int main()
{
    char s[200];
    int a=123;
    int *b=&a;              /* pointer to a; its value is what the answer tracks on the stack */
    scanf("%50s",s);
    printf(s);              /* user input used as the format string: the deliberate bug */
    if (a==31337)
        func();
}
The aim is to execute a format string attack - to execute func() by inputting a string. I tried to use %n to overwrite the variable, but I came to the conclusion that it is impossible without displaying the b variable first, and I have no idea how. Any hint would be appreciated. Sorry for my bad English.
Let's try with and without printing:
As stated in the question, we clearly see that without printing b first it fails. Let's compare what is happening inside:
On the marked lines we see "get value of b into %edx, then put it as 3rd argument in stack." As printf and scanf use the cdecl call convention, the stack remains more or less the same across invocations, so that third argument remains available for the vulnerable printf for setting. When we don't print b, it does not get into the stack to be easily available for our injected format string. With enough %p%p%p%p%p%p... we should be able to reach our actual a or b anyway, but the limitation of 50 input characters is getting in our way.
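Added example, not code from the question or the answer above: a defender's view of the same mechanism. The scanner walks a string the way printf does and counts the stack arguments its directives would consume (each %p in the %p%p%p... chain above consumes one), flags %n and positional %N$ directives, and the hardened main prints the input as data rather than as a format. The function names and the 199-character bound are my own choices.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result of a static scan of a string that might be used as a format. */
struct fmt_scan {
    int  args;       /* stack arguments the directives would consume */
    bool has_n;      /* contains %n, the write-to-memory directive */
    bool positional; /* contains %N$, direct argument indexing */
};

/* Walk fmt the way printf would, without printing anything. */
struct fmt_scan scan_format(const char *fmt)
{
    struct fmt_scan r = {0, false, false};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%" is a literal percent sign */
            continue;
        const char *start = p;
        while (*p >= '0' && *p <= '9') p++; /* possible "N$" prefix */
        if (*p == '$') { r.positional = true; p++; }
        else p = start;
        /* flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') r.args++;        /* '*' pulls width/precision from the stack */
            p++;
        }
        if (!*p) break;                     /* string ended inside a directive */
        if (*p == 'n') r.has_n = true;
        r.args++;                           /* the conversion itself consumes one */
    }
    return r;
}

/* True only if user text contains no directive at all. */
bool format_is_safe(const char *s)
{
    struct fmt_scan r = scan_format(s);
    return r.args == 0 && !r.has_n && !r.positional;
}

int main(void)
{
    char s[200];
    if (scanf("%199s", s) != 1) return 1;   /* bound matches the buffer size */
    printf("%s\n", s);                      /* input is data, never the format */
    if (!format_is_safe(s)) fprintf(stderr, "input carries format directives\n");
    return 0;
}
```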