2 years ago

#33216

test-img

Glitch

Can a function be called with printf format string?

Let's consider the functions below:

void func2(void)
{
    .
    .
    .
    exit(1);
}

void func1(void)
{
    char buf[512];

    fgets(buf, 512, stdin);
    printf(buf);
    exit(1);
}

int main(int argc, char *argv[], char **envp)
{
    .
    .
    .
    func1();
    return (0);
}

And assume this is the corresponding assembly:

080484a4 <func2>:
 80484a4:   55                      push   ebp
 80484a5:   89 e5                   mov    ebp,esp
 80484a7:   83 ec 18                sub    esp,0x18
 80484aa:   c7 04 24 f0 85 04 08    mov    DWORD PTR [esp],0x80485f0
 80484b1:   e8 fa fe ff ff          call   80483b0 <system@plt>
 80484b6:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1
 80484bd:   e8 ce fe ff ff          call   8048390 <_exit@plt>

080484c2 <func1>:
 80484c2:   55                      push   ebp
 80484c3:   89 e5                   mov    ebp,esp
 80484c5:   81 ec 18 02 00 00       sub    esp,0x218
 80484cb:   a1 48 98 04 08          mov    eax,ds:0x8049848
 80484d0:   89 44 24 08             mov    DWORD PTR [esp+0x8],eax
 80484d4:   c7 44 24 04 00 02 00    mov    DWORD PTR [esp+0x4],0x200
 80484db:   00
 80484dc:   8d 85 f8 fd ff ff       lea    eax,[ebp-0x208]
 80484e2:   89 04 24                mov    DWORD PTR [esp],eax
 80484e5:   e8 b6 fe ff ff          call   80483a0 <fgets@plt>
 80484ea:   8d 85 f8 fd ff ff       lea    eax,[ebp-0x208]
 80484f0:   89 04 24                mov    DWORD PTR [esp],eax
 80484f3:   e8 88 fe ff ff          call   8048380 <printf@plt>
 80484f8:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1
 80484ff:   e8 cc fe ff ff          call   80483d0 <exit@plt>

08048504 <main>:
 8048504:   55                      push   ebp
 8048505:   89 e5                   mov    ebp,esp
 8048507:   83 e4 f0                and    esp,0xfffffff0
 804850a:   e8 b3 ff ff ff          call   80484c2 <func1>
 804850f:   c9                      leave
 8048510:   c3                      ret
 8048511:   90                      nop
 8048512:   90                      nop
 8048513:   90                      nop
 8048514:   90                      nop
 8048515:   90                      nop
 8048516:   90                      nop
 8048517:   90                      nop
 8048518:   90                      nop
 8048519:   90                      nop
 804851a:   90                      nop
 804851b:   90                      nop
 804851c:   90                      nop
 804851d:   90                      nop
 804851e:   90                      nop
 804851f:   90                      nop

From my analysis of the code, I realised it is probably impossible to call func2 by overflowing on the saved EIP, because the function func1 will call exit and thus the return address change would be useless.

I want to know if it's possible to execute the function func2 by exploiting printf. In that case how could it be done?

assembly

printf

exit

fgets

format-string

0 Answers

Your Answer

Accepted video resources

Posts

Questions

Blogs

Jobs