I'm taking a security course which needs us to do format string attack on an unix virtual machine. The vulnerability is a format string using command line argument.

My question is how can I write value into an address in format string (like write shell code address into function return address)?

For example, I try to write value 987654 into the return address location 0xaabbccdd. I tried some strings like "AAAA_%10$x", and this can lead the program to print AAAA_41414141.

Then I replace the letters with my address and try to overwrite it.

\xdd\xcc\xbb\xaa_%10$x_%54321x_%n"

But it does not work. I see an article says I should use a smaller number in %54321x since there are some chars I already wrote, but I don't know how many chars I've written before %54321x, either.

note: The environment has an old version of gcc, so it's not necessary to worried about the value is too large. Any suggestions? Thanks.

printf cannot write anywhere without using the %n format specifier. This is the one you're missing. Something like %.987654d%n will write the number 987654 (the number of characters output so far) to an address specified by the second argument, where the first argument is an int. This should be enough to get you started.

you should specify wich offset of the stack to write in with the %n formatter like %[offset]\$n

example : %23\$n

be sure to correctly get the right address by cheking the result of \xdd\xcc\xbb\xaa_%54321x_%[offset]\$x" this can be done with python or bash script

you should retrieve the address aabbccdd