I have the following simple program:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prototype so the call in main() is not an implicit declaration. */
void echo(char *arg);

int main(int argc, char **argv) {
    if (argc < 2) {
        printf("Missing argument.\n");
        return 1;
    }
    echo(argv[1]);
    return 0;
}

void echo(char *arg) {
    printf(arg);   /* user input used as the format string: this is the bug */
    printf("\n");
}
```
I'm compiling it with gcc -fno-stack-protector -z execstack -m32. I'm also disabling ASLR: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space.
What I want is to exploit the format string bug in the printf function to do a ret2libc or shellcode-based attack.
What I really need is to understand how %n and $n work for writing arbitrary addresses and the values on the stack. Can someone explain such syntax in detail with examples?
Thanks
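The two printf features the question asks about, shown in isolation as an added example (this is not code from the question or from any answer). `%n` stores into the `int *` argument the number of characters the call has produced so far, and a `%k$` prefix selects the k-th argument explicitly instead of consuming arguments left to right. The example uses `snprintf` into a local buffer so the counts are easy to inspect, and ends with the questioner's `echo` shape beside the hardened form that keeps the format string constant; function names and the buffer sizes are choices made for this example.

```c
#include <stdio.h>
#include <string.h>

/* %n prints nothing itself; it stores the number of characters produced so
 * far by this call into the int its argument points to. Returns that count,
 * which equals strlen(prefix) here. */
int chars_written_before_n(const char *prefix) {
    char buf[64];
    int count = -1;
    snprintf(buf, sizeof buf, "%s%n", prefix, &count);
    return count;
}

/* The count includes padding: "%8d" always produces 8 characters for a value
 * that fits in 8 columns, so %n records 8 whatever the value is. */
int chars_written_with_width(int value) {
    char buf[64];
    int count = -1;
    snprintf(buf, sizeof buf, "%8d%n", value, &count);
    return count;
}

/* "%2$s %1$s" consumes the second argument first, then the first.
 * Writes "hello world" into out and returns its length (11). */
int positional_args_reorder(char *out, size_t outlen) {
    return snprintf(out, outlen, "%2$s %1$s", "world", "hello");
}

/* Same shape as echo() in the question: the input is the format string, so
 * every %-directive in it is interpreted. gcc -Wformat-security flags this. */
int vulnerable_echo(char *out, size_t outlen, const char *arg) {
    return snprintf(out, outlen, arg);
}

/* Hardened form: constant format, input passed as a plain %s argument, so a
 * "%n" or "%x" in the input is copied literally and never interpreted. */
int safe_echo(char *out, size_t outlen, const char *arg) {
    return snprintf(out, outlen, "%s\n", arg);
}

int main(void) {
    char out[64];
    printf("%%n after \"hello\": %d\n", chars_written_before_n("hello"));
    printf("%%n after \"%%8d\" of 7: %d\n", chars_written_with_width(7));
    positional_args_reorder(out, sizeof out);
    printf("positional: %s\n", out);
    vulnerable_echo(out, sizeof out, "100%%");
    printf("vulnerable echo of \"100%%%%\": %s\n", out);
    safe_echo(out, sizeof out, "100%%");
    printf("safe echo of \"100%%%%\": %s", out);
    return 0;
}
```

The `100%%` input makes the difference visible without undefined behaviour: the vulnerable form interprets the `%%` directive and emits a single `%`, while the hardened form reproduces the input unchanged. Any other directive in the input would make the vulnerable form read arguments that were never passed, which is exactly why `printf(arg)` must become `printf("%s", arg)`.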