Wargames - String Exploitation (formatrix)
Checksecs:
Basic Behaviour:
So, first up, we try to see if the input is vulnerable to format string attacks:
So it is. Our overall aim now is to locate our input buffer on the stack, i.e. find the X for which %X$p reads it.
So, for this, I’ll try using a small script I built to brute force the argument position of the buffer:
So, if I give this script 50, it’ll produce the following text:
aaaa1:%1$p 2:%2$p 3:%3$p 4:%4$p 5:%5$p 6:%6$p 7:%7$p 8:%8$p 9:%9$p 10:%10$p 11:%11$p 12:%12$p 13:%13$p 14:%14$p 15:%15$p 16:%16$p 17:%17$p 18:%18$p 19:%19$p 20:%20$p 21:%21$p 22:%22$p 23:%23$p 24:%24$p 25:%25$p 26:%26$p 27:%27$p 28:%28$p 29:%29$p 30:%30$p 31:%31$p 32:%32$p 33:%33$p 34:%34$p 35:%35$p 36:%36$p 37:%37$p 38:%38$p 39:%39$p 40:%40$p 41:%41$p 42:%42$p 43:%43$p 44:%44$p 45:%45$p 46:%46$p 47:%47$p 48:%48$p 49:%49$p
So, printing this into the binary, I get:
So, looking closely, at the 3rd position we have 0x61616161 ("aaaa"). Therefore, to target the buffer, I can use the format string: %3$x.
So, we need to know what our payload is. Looking in the binary, we can find that `win` is located at:
But, instead of hardcoding this value in, we can use pwntools to access the ELF and look up its address: `p.elf.symbols["win"]`.
But, at this point, we don't know where to write this address to. It can't be the return address due to ASLR. Instead, we're going to write into the GOT (Global Offset Table). Looking at the binary, I see that printf is called again later on. Therefore, if we replace the address stored in the GOT for printf (the address that points to the libc implementation of printf), then when printf is called next, it'll jump to our desired address and execute code.
We can get the target address using the elf and accessing the GOT to retrieve the address stored for printf and then generate the addresses respective to each byte that makes up the 4 byte address:
So, now that I know where I’m writing to and what I need to write into it, I start preparing the format string to execute the exploit. First thing, I break up the win_address into its respective bytes:
Then, I take advantage of integer overflow (the counter written by the %n family wraps, so each byte can be set independently) and create the format string exploit for each byte to be written, remembering to write in little endian:
I know the buffer is the 3rd argument from my brute force investigation above.
Payload complete - sending the payload gives me shell:
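As an added example (not the author's script or exploit code), here is a defender-side scanner that recognises, in untrusted input, the two ingredients the write-up relies on: the positional `%N$p` reads used to find the buffer's argument index, and the `%n`-family directives that turn the bug into a write. `probe()` rebuilds the probe string shown above so the scanner can be checked against it; the other sample inputs are constructed.

```python
import re

# One printf conversion specification: optional positional "N$", flags,
# width, precision, length modifier, then the conversion character.
_SPEC = re.compile(
    r"%(?:(?P<pos>\d+)\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?P<len>hh|h|ll|l|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)

def probe(n):
    """Rebuild the argument-position probe from the write-up: for n=50 this
    yields 'aaaa1:%1$p 2:%2$p ... 49:%49$p'."""
    return "aaaa" + " ".join(f"{i}:%{i}$p" for i in range(1, n))

def scan_format_string(text):
    """Summarise printf directives found in untrusted input.

    'reads' leak argument/stack contents (%p, %x, %s, ...), 'writes' are the
    %n variants that modify memory, and 'positions' is the sorted set of
    explicit argument indices (the %N$ form) referenced."""
    reads, writes, positions = [], [], set()
    for m in _SPEC.finditer(text):
        conv = m.group("conv")
        if conv == "%":
            continue  # '%%' is a literal percent sign, not a directive
        if m.group("pos"):
            positions.add(int(m.group("pos")))
        if conv == "n":
            writes.append(m.group(0))
        else:
            reads.append(m.group(0))
    return {"reads": reads, "writes": writes, "positions": sorted(positions)}

def classify(text):
    """Rate an input: a %n write is the most serious finding, positional or
    repeated reads look like the stack probe shown in the write-up."""
    s = scan_format_string(text)
    if s["writes"]:
        return "write-primitive"
    if s["positions"] or len(s["reads"]) >= 3:
        return "stack-probe"
    if s["reads"]:
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    for sample in ["hello world", probe(50), "AAAA%100c%3$hn"]:
        print(classify(sample), scan_format_string(sample)["positions"])
```

The fix on the application side stays the same regardless of what the scanner reports: pass user data as an argument (`printf("%s", buf)`), never as the format string, and build with full RELRO so the GOT cannot be overwritten.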