This task was quite educating for me. It contained very simple buffer overflow vulnerability that should be done via format string in less than 10 bytes of input.
P.S.: It was very helpful to run ltrace to detect what does sprintf write to buffer while debugging format string.
However, when I saw that this task is in "format" section I read more about this kind of vulnerabilities and started to find much more difficult solution than it should be. I started to use %Nx%n$M parameters to overwrite needed address of target variable. And the whole format string looked like this:
ADR1ADR2ADR3ADR4%223x%6$hhn%207x%7$hhn%239x%8$hhn%49x%9$hhn
where ADR1ADR2ADR3ADR4 - 4 sequential addresses of the 4-byte target variable,
%Nx is used to get needed (N) amount of printed bytes ,
%P$hhn got the address as Pth extra argument from the stack and wrote there single byte (because of hh before n).
A problem that you've got to deal with is to find appropriate address of target variable. Since this address isn't located on the stack you can't get it exactly by listing stack. But you can try to find any base address and find target address relatively it. Previous EBP register value that was stored on stack is a good candidate. It was located as %25$x parameter, after getting it you have to calculate offset and get target address. By examining assembly listing you have to do the following calculations : ($ebp & 0xfffffff0) - 0x10 - 0x8 - 0xc. Those addresses worked perfectly in gdb but I've probably made a mistake somewhere for ordinary execution.
Then I understood that this level can be solved much more simpler. Because target variable is located "under" the buffer on stack you can simply fill buffer and next 4 bytes will be written to the target var.
So the one command solution looks like:
Proof:
/opt/protostar/bin/format0 `perl -e 'print "%64x\xef\xbe\xad\xde"'`
P.S.: It was very helpful to run ltrace to detect what does sprintf write to buffer while debugging format string.
No comments:
Post a Comment