format string overwrite __malloc_hook


format string & RELRO & __malloc_hook

Even when a format string bug lets us write our data to any address, this ELF file is marked RELRO, so we can't simply write to the GOT to control the instruction pointer.

We can still control the instruction pointer by writing our data to the address of __malloc_hook in glibc.
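A check a defender can run on the target binary before reasoning about this bypass, added here as an example (not code from the original write-up): it classifies the RELRO level by parsing the ELF64 program headers and the dynamic section. The ELF images it inspects are constructed inline by `build_sample`, a helper that exists only for this example; full RELRO is what makes the GOT read-only, but it does nothing for writable hooks inside glibc itself.

```python
import struct

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8

def relro_level(elf: bytes) -> str:
    """Classify an ELF64 little-endian image as 'none', 'partial' or 'full' RELRO."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF image")
    e_phoff, = struct.unpack_from("<Q", elf, 32)            # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:      # linker asked for the GOT/.dynamic range to be remapped read-only
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    if not has_relro:
        return "none"
    # Partial RELRO still leaves .got.plt writable for lazy binding; BIND_NOW resolves
    # everything at load time so the whole GOT can be made read-only (full RELRO).
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", elf, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                bind_now = True
    return "full" if bind_now else "partial"

def build_sample(relro: bool, bind_now: bool) -> bytes:
    """Constructed, non-runnable minimal ELF64 image carrying just the flags under test."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_GNU_RELRO, 0, 0)] if relro else []
    dyn_off = 64 + 56 * (len(phdrs) + 1)                     # header + all program headers
    phdrs.append((PT_DYNAMIC, dyn_off, len(dyn)))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 6, off, 0, 0, sz, sz, 8) for t, off, sz in phdrs)
    return hdr + body + dyn

if __name__ == "__main__":
    for flags in ((False, False), (True, False), (True, True)):
        print(flags, relro_level(build_sample(*flags)))
```

To inspect a real file, pass `open(path, "rb").read()` to `relro_level`; the result should agree with `readelf -lW` (look for a GNU_RELRO segment) and `readelf -dW` (look for BIND_NOW).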

Does printf call malloc?

  • When the format string contains '%WIDTHs' and WIDTH is over 32 bytes, printf calls malloc to allocate more memory for itself.

How to use printf's call to malloc?

  • When we know the base address of glibc, we can write our data into libc.
  • When we overwrite __malloc_hook in glibc, we control the flow of the malloc function.
  • We can use the format string to
    • write "/bin/sh" to an address in a read/write segment
    • write the address of system in glibc to the address of __malloc_hook
    • use '%WIDTHs' (WIDTH is the address of '/bin/sh' minus 32) to make printf call malloc while __malloc_hook holds the address of system. Because the first parameter of malloc is the requested size and the first parameter of system is the address of the command string in system(cmd), the command '/bin/sh' is executed.