CSAW QUALS 2015: contacts-250 (format string vulnerability)

A few days back I got more interested in format string vulnerabilities, so I decided to solve one good problem related to them.

This problem is from CSAW CTF 2015; I couldn't solve it at the time of the CTF.

The problem is a menu-driven program in which we can store contacts along with a description for each. The main vulnerability in this challenge lies in "Display contacts".

After adding our contacts, when we view the contact list and descriptions, each description is printed with `printf(description)`, i.e. user input is used directly as the format string.

So by leaking the stack through that vulnerability we can obtain some sensitive information. There may be many ways to exploit the binary, but I used two saved ebp's that are leaked through printf to change the instruction pointer, which gave me a shell.

I could leak two saved ebp's, one at the 6th position and the other at the 18th position. A further advantage is that the first saved ebp contains the address of the other saved ebp, i.e. the one at the 18th position. So using a format string write to change the value stored at the first saved ebp results in a change to the second saved ebp.

[savedebp(6th position)] --> savedebp(18th position)

My idea for solving the challenge is to change the saved ebp and pivot the stack into the data segment, so that I control the contents of the new stack.

The saved ebp is overwritten through the format string vulnerability. First we leak the address of the saved ebp and add 2 to it; then, using a format string write, we store that value into the first saved ebp, which in turn changes the other saved ebp.

Taking advantage of that, we can write 4 bytes into the saved ebp and gain control over the instruction pointer. Once the saved ebp is overwritten, our stack has moved.

In my case I moved the stack into the data segment because I had control over that segment, and I placed my return-to-libc chain there.
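The root cause of the whole chain above is the `printf(description)` call. As an added example (not code from the challenge binary), the snippet below shows that pattern beside the hardened form, where the format is a literal and the description is only ever passed as a `%s` argument; `render_contact`, `count_format_directives` and the sample input are my own constructions.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern as described in the writeup (shown for contrast only,
 * never called with untrusted input here): the description itself becomes
 * the format string, so any %-directives in it read or write the stack.
 *
 *   void display_contact_vuln(const char *name, const char *desc) {
 *       printf("Name: %s\nDescription: ", name);
 *       printf(desc);   // user text interpreted as a format string
 *   }
 */

/* Hardened form: the format is a string literal, user data is only data.
 * Returns the number of characters snprintf would have written. */
int render_contact(char *out, size_t outsz, const char *name, const char *desc)
{
    return snprintf(out, outsz, "Name: %s\nDescription: %s\n", name, desc);
}

/* Count %-directives in untrusted text. Useful for logging or alerting on
 * inputs that look like format-string probes; it is not a substitute for
 * the literal-format fix above. "%%" is a literal percent and not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample description containing stack-read and write directives */
    const char *probe = "%p %p %n";
    char buf[128];

    render_contact(buf, sizeof buf, "alice", probe);
    fputs(buf, stdout);  /* the probe is echoed verbatim; nothing is leaked or written */
    printf("directives flagged: %d\n", count_format_directives(probe));
    return 0;
}
```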